I need to bring my Luxembourg organisation into compliance with recital 67 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 67 DORA — Recital 67

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 67

Digital Operational Resilience Act · UE 2022/2554

(67)

To address the systemic impact of ICT third-party concentration risk, this Regulation promotes a balanced solution by means of taking a flexible and gradual approach to such concentration risk since the imposition of any rigid caps or strict limitations might hinder the conduct of business and restrain the contractual freedom. Financial entities should thoroughly assess their envisaged contractual arrangements to identify the likelihood of such risk emerging, including by means of in-depth analyses of subcontracting arrangements, in particular when concluded with ICT third-party service providers established in a third country. At this stage, and with a view to striking a fair balance between the imperative of preserving contractual freedom and that of guaranteeing financial stability, it is not considered appropriate to set out rules on strict caps and limits to ICT third-party exposures. In the context of the Oversight Framework, a Lead Overseer, appointed pursuant to this Regulation, should, in respect to critical ICT third-party service providers, pay particular attention to fully grasp the magnitude of interdependences, discover specific instances where a high degree of concentration of critical ICT third-party service providers in the Union is likely to put a strain on the Union financial system’s stability and integrity and maintain a dialogue with critical ICT third-party service providers where that specific risk is identified.

Luxembourg specificity

circulaire CSSF 22/806 sur les arrangements d'externalisation, version revisee DORA

In Luxembourg, the CSSF is the competent authority for DORA supervision of financial entities, and CSSF circular 22/806 on ICT outsourcing (revised to align with DORA) details expectations on concentration analysis before any outsourcing arrangement covering a critical or important function. The Luxembourg financial centre shows a strong structural concentration on a few local hosters (eBRC, LuxConnect, POST) and two hyperscalers (AWS, Azure), which makes the concentration analysis exercise even more sensitive.

Luxgap practice: prepare your register of information in the ESAs ITS format and keep available for the CSSF a specific file on critical functions hosted at the same provider or in the same cloud region, with a testable exit plan within 12 months.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 67 explains why DORA does not set a numerical cap on exposure to a single ICT provider: Brussels refused a rigid quota to preserve contractual freedom. But this flexibility comes with a hidden cost: the CSSF expects each financial entity to run its own concentration diagnosis, documented and defensible. CSSF inspections penalise entities that relied on a static Excel vendor list without genuine assessment of interdependences, cascading subcontracting and third-country sub-processor locations.

What this recital concretely requires in your mapping

The recital directly shapes the interpretation of DORA articles 28 and 29 (preliminary assessment and concentration risk assessment). To pass a CSSF review, your framework must demonstrate:

A quantitative concentration analysis: how many critical functions rely on the same ICT provider, the same group, the same cloud region (eu-west-1, eu-central-1).
A qualitative interdependence analysis: does your core banking SaaS sit on the same hyperscaler as your mail, KYC, data warehouse.
A mapping of cascading subcontracting, especially when a tier-2 or tier-3 sub-processor is established outside the EU (USA, India, post-Brexit UK).
A documented dialogue with critical providers designated by the ESAs, traced and timestamped.
A written justification of why you consider the concentration level acceptable, despite the absence of a legal threshold.

How Luxgap automates this risk

Our Luxgap Concentration Radar turns the absence of a numerical threshold in recital 67 into a concentration score defensible before the CSSF. The tool continuously ingests your DORA register of information, your Odoo invoices, your Azure AD logs and AWS Organizations, and reconstructs the full graph of ICT dependences down to tier-3 subcontracting, without chasing vendor questionnaires.

Computes a concentration score per critical function (payments, KYC, NAV valuation) weighted by regulatory criticality and inability to substitute within 90 days.
Automatically detects hidden colocations: two seemingly independent SaaS hosted on the same AWS Frankfurt region or the same eBRC datacenter.
Maps cascading subcontracting by querying public Trust Centers (AWS Artifact, Azure STP, Google CASA) and vendor DPAs.
Alerts in real time via Teams or Slack whenever a tier-2 sub-processor of a critical provider changes location to a third country.
Produces a timestamped, cryptographically sealed PDF report, opposable to the CSSF, evidencing the thorough analysis required by DORA articles 28 and 29.
Predicts the 12-month probability that a provider crosses the ESAs criticality threshold by cross-referencing public revenue, HIBP incidents and expiring certifications.

Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your actual register of information, with a free white audit within 48h to materialise your concentration score before any commitment.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 67

They trust us

Before we chat