I need to bring my Luxembourg organisation into compliance with recital 77 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 77 DORA — Recital 77

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 77

Digital Operational Resilience Act · UE 2022/2554

(77)

The Oversight Framework should apply only to critical ICT third-party service providers. There should therefore be a designation mechanism to take into account the dimension and nature of the financial sector’s reliance on such ICT third-party service providers. That mechanism should involve a set of quantitative and qualitative criteria to set the criticality parameters as a basis for inclusion in the Oversight Framework. In order to ensure the accuracy of that assessment, and regardless of the corporate structure of the ICT third-party service provider, such criteria should, in the case of a ICT third-party service provider that is part of a wider group, take into consideration the entire ICT third-party service provider’s group structure. On the one hand, critical ICT third-party service providers, which are not automatically designated by virtue of the application of those criteria, should have the possibility to opt in to the Oversight Framework on a voluntary basis, on the other hand, ICT third-party service providers, that are already subject to oversight mechanism frameworks supporting the fulfilment of the tasks of the European System of Central Banks as referred to in Article 127(2) TFEU, should be exempted.

Luxembourg specificity

loi luxembourgeoise du 1er juin 2023 portant mise en oeuvre du reglement (UE) 2022/2554 (DORA) et circulaire CSSF 22/806

In Luxembourg, the CSSF is the competent authority for DORA supervision of financial entities, cooperating with the ESAs Joint Oversight Forum on designated critical ICT providers. The law of 1 June 2023 implementing the DORA regulation clarifies the CSSF's powers over the ICT outsourcing chain, complementing circular CSSF 22/806 on outsourcing arrangements which remains applicable for the scope not covered by DORA.

Luxgap practice: on the Luxembourg financial centre, heavily concentrated on a few hyperscalers and Tier IV data centres (LuxConnect, eBRC), we recommend systematic cross-checking between your DORA register and your circular 22/806 outsourcing register, to avoid blind spots and anticipate ESAs designations on local providers.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 77 clarifies a point often misunderstood by Luxembourg financial entities supervised by the CSSF: the DORA Oversight Framework applies only to critical ICT third-party providers designated by the ESAs, but that designation considers the entire group structure of the provider. The result: a bank contracting with the Luxembourg subsidiary of a hyperscaler may see that provider designated critical at group level, even if the LU entity looks modest. The classic mistake is to assess providers entity by entity rather than on a consolidated group basis when mapping ICT dependencies under Article 28.

What this recital concretely changes for your vendor contracts

The Article 28 mapping must climb up to the consolidated group of the provider, not just the Luxembourg contracting entity.
A provider not automatically designated may opt in voluntarily: check this status, it changes your residual exposure.
Providers already supervised under ESCB tasks (Article 127(2) TFEU) are exempted: avoid duplicating diligence on TARGET2, T2S or ECB-supervised CCPs.
Quantitative and qualitative criteria (market share, substitutability, critical functions supported) must be traceable in your ICT register to justify the criticality classification before the CSSF.
The list of designated critical providers is published by the ESAs: your register must be reconciled with that list at each update.

How Luxgap automates this risk

Our Luxgap Critical Provider Radar solves the group-level criticality puzzle: the tool automatically rebuilds the corporate tree of each of your ICT providers by cross-referencing GLEIF LEI, European trade registers, ESAs data and Open Corporates, telling you in real time whether your contract with a LU subsidiary actually exposes you to a group likely to be designated critical by the ESAs under DORA.

Reconciles each entry of your Article 28 ICT register with the official ESAs list of critical providers, updated daily.
Rebuilds the group tree (UBO, parent, sister subsidiaries) of each provider via GLEIF LEI and trade registers to apply the group criterion of recital 77.
Computes a forward-looking criticality score based on DORA quantitative criteria (number of financial entity clients, substitutability, critical functions supported) before official ESAs designation.
Automatically detects providers already supervised under ESCB tasks (TARGET2, T2S, ECB CCPs) to avoid redundant diligence.
Alerts via Teams or email as soon as one of your providers switches to critical status or opts in voluntarily to the Oversight Framework.
Produces a timestamped PDF report enforceable before the CSSF during inspection, demonstrating the rigour of your Articles 28 and 31 criticality assessment.

Available as a complement to a Luxgap CISO mandate or as a standalone SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real ICT register, with a free 48h scan to identify providers likely to be designated critical before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 77

They trust us

Before we chat