I need to bring my Luxembourg organisation into compliance with recital 65 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 65 DORA — Recital 65

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 65

Digital Operational Resilience Act · UE 2022/2554

(65)

The conduct of such monitoring should follow a strategic approach to ICT third-party risk formalised through the adoption by the financial entity’s management body of a dedicated ICT third-party risk strategy, rooted in a continuous screening of all ICT third-party dependencies. To enhance supervisory awareness of ICT third-party dependencies, and with a view to further supporting the work in the context of the Oversight Framework established by this Regulation, all financial entities should be required to maintain a register of information with all contractual arrangements about the use of ICT services provided by ICT third-party service providers. Financial supervisors should be able to request the full register, or to ask for specific sections thereof, and thus to obtain essential information for acquiring a broader understanding of the ICT dependencies of financial entities.

Luxembourg specificity

circulaire CSSF 22/806 du 22 avril 2022 relative aux arrangements d'externalisation

In Luxembourg, the CSSF is the competent authority for DORA and anticipated these requirements through CSSF circular 22/806 on outsourcing arrangements, which already required a register of ICT outsourcing agreements. The circular remains applicable and stacks with DORA: Luxembourg financial entities must therefore reconcile their existing 22/806 register with the 15 templates of the ESAs RTS (delegated regulation 2024/1773), to avoid inconsistent dual reporting.

Luxgap practice: we systematically perform a cross-mapping between your current CSSF 22/806 register and the target DORA format, to avoid duplication and ensure consistency across both filings.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 65 sheds light on DORA articles 28 and 29: signing ICT contracts is not enough, you need a formal strategy adopted by the management body AND a register of information enforceable before the CSSF. In practice, the CSSF already requests this register during its thematic reviews on ICT outsourcing, and Luxembourg financial entities discover that they only have a partial Excel file, lacking the granularity required by the ESAs RTS (critical function, cascading subcontracting, data location). The trap is not the contract, it is the inability to produce the complete register within 5 business days.

What recital 65 concretely requires from your governance

A written, dated ICT third-party risk strategy, signed by the board or executive committee, reviewed annually.
Continuous screening (not annual) of all ICT dependencies, including subcontractors of your subcontractors (underlying cloud, CDN, log hosting).
A register of information aligned with the ESAs RTS (regulation 2024/1773): 15 templates, LEI and EUID identifiers, critical or important function classification.
The ability to extract all or part of the register at the CSSF's request, in the required machine-readable format.
Traceability of strategic decisions: why a given vendor was selected despite concentration risk, why a given critical function remains single-sourced.

How Luxgap automates this risk

Our Luxgap DORA Register Sentinel turns the declarative obligation of recital 65 into a living register, continuously fed by your real systems and ready to be transmitted to the CSSF in one click. Instead of asking your procurement team to fill in 15 Excel templates, the tool plugs an AI agent into your sources of truth (Active Directory, Azure AD, SharePoint or Odoo contracts, Sage BOB 50 vendor invoices, Defender for Cloud Apps flows) and rebuilds the complete cartography of your ICT dependencies, including cascading subcontractors down to level 3.

Automatically detects each new ICT provider as soon as an invoice, SSO access or network flow appears in your connected systems, with no manual entry.
Classifies each relationship according to DORA criteria (critical or important function, support, non-ICT) based on the ESAs RTS and CSSF circular 22/806.
Generates the 15 register templates compliant with delegated regulation 2024/1773, exportable as machine-readable CSV for CSSF transmission.
Alerts on Teams or Slack as soon as a subcontractor changes location (UK or US transfer), loses an ISO 27001 certification or appears in an HIBP breach.
Produces the ICT third-party risk strategy as a board-ready document, with concentration dashboards, single-source dependencies and exit plans per critical vendor.
Generates a cryptographically sealed timestamped PDF at each quarterly review, enforceable during a CSSF inspection.

Available as an add-on to a Luxgap CISO mandate or as a dedicated SaaS module depending on your perimeter. Request a tailored quote and our teams will prepare a demonstration on your actual ICT providers, with a free 48h blank audit to measure the gap between your current register and CSSF expectations before any commitment.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 65

They trust us

Before we chat