The classic trap
Recital 53 sheds light on a critical point of DORA articles 17 to 19: all financial entities must report, but not with the same thresholds or timelines. In practice, many Luxembourg entities (small support PFS, sub-threshold AIFMs, insurance intermediaries) underestimate their obligation by assuming the RTS thresholds do not apply to them. The CSSF, on the contrary, sanctions the absence of an incident qualification process regardless of size: not being able to determine whether an incident is major is in itself a breach of article 17.
What this recital concretely imposes
Recital 53 guides the reading of the RTS adopted by the ESAs (notably Delegated Regulation 2024/1772 on classification and thresholds). Three operational obligations follow:
- Calibrate your own internal qualification thresholds mirroring the RTS criteria: clients affected, downtime, data loss, economic impact, reputation, criticality of service.
- Adapt your internal escalation timelines to meet the regulatory windows: initial notification within 4 hours after classification as major (and no later than 24 hours after detection), intermediate report within 72 hours, final report within 1 month.
- Document the specificity of your entity (size, business model, critical ICT services) to justify your calibration to the CSSF in case of inspection.
The main trap: mechanically applying RTS thresholds without contextualising them to your profile. Recital 53 on the contrary calls for reasoned and documented proportionality.
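The two-sided initial-notification window above (4 hours after classification, capped at 24 hours after detection) is the step entities most often get wrong when classification happens late. The following is an added illustration, not Luxgap's code or any text from the regulation: it computes the applicable deadlines for an incident classified as major and reports which of the two limits is binding. It assumes, since the page does not say, that the 72-hour and 1-month windows run from the initial-notification deadline and that "1 month" is approximated as 30 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ReportingDeadlines:
    initial: datetime       # initial notification due
    intermediate: datetime  # intermediate report due
    final: datetime         # final report due
    binding_rule: str       # which initial-notification limit applied


def dora_deadlines(detected_at: datetime, classified_major_at: datetime) -> ReportingDeadlines:
    """Deadlines for an incident classified as major.

    Initial notification: 4 h after classification as major, but never later
    than 24 h after detection, so the earlier of the two limits binds.
    Assumption (not stated on the page): the 72 h and 1-month windows are
    counted from the initial-notification deadline; 1 month ~ 30 days.
    """
    if classified_major_at < detected_at:
        raise ValueError("classification cannot precede detection")
    from_classification = classified_major_at + timedelta(hours=4)
    from_detection_cap = detected_at + timedelta(hours=24)
    if from_classification <= from_detection_cap:
        initial, rule = from_classification, "4h after major classification"
    else:
        # Late classification: the 24 h-after-detection cap takes over.
        initial, rule = from_detection_cap, "24h after detection (cap)"
    return ReportingDeadlines(
        initial=initial,
        intermediate=initial + timedelta(hours=72),
        final=initial + timedelta(days=30),
        binding_rule=rule,
    )


def is_overdue(deadline: datetime, now: datetime) -> bool:
    """True once the clock has passed the given deadline."""
    return now > deadline


if __name__ == "__main__":
    # Constructed sample: detected 08:00 UTC, classified major 23 h later.
    detected = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    classified = datetime(2024, 3, 2, 7, 0, tzinfo=timezone.utc)
    d = dora_deadlines(detected, classified)
    print(d.binding_rule, d.initial.isoformat(), d.final.isoformat())
```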
How Luxgap automates this risk
Our Luxgap Incident Severity Engine turns ICT incident qualification, a subjective and often late exercise, into an automatic timestamped decision aligned with DORA RTS. The tool plugs an AI agent into your telemetry sources (Microsoft Defender, Sentinel, CrowdStrike, Wazuh, Splunk, ServiceNow ITSM) and your business systems (core banking, AIFM platform, insurance CRM) to compute in real time the materiality score against the seven criteria of Delegated Regulation 2024/1772, with no human intervention at the critical moment.
- Detects automatically each ICT incident raised by your EDR, SIEM and ITSM tools and qualifies it against the seven RTS criteria in under 60 seconds.
- Computes the regulatory window applicable to your entity (4h, 24h, 72h, 1 month) and triggers timestamped Teams or Slack alerts to the CISO, DPO and executive committee.
- Pre-fills the CSSF eDesk form with mandatory fields extracted from your systems (clients impacted, services affected, measured downtime).
- Documents your threshold calibration specific to your entity profile, with a written justification you can rely on before the CSSF.
- Produces a cryptographically sealed incident dossier (eIDAS timestamp) covering the full detection-qualification-notification chain, usable as evidence during an on-site inspection.
- Retroactively simulates your last 24 months of incidents to identify those that should have been notified but were not.
Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real incidents, with a free 48-hour dry-run audit to measure your reporting exposure before any commitment.