Recital 82
Digital Operational Resilience Act · UE 2022/2554
| (82) | The requirement to set up a subsidiary in the Union should not prevent the critical ICT third-party service provider from supplying ICT services and related technical support from facilities and infrastructure located outside the Union. This Regulation does not impose a data localisation obligation as it does not require data storage or processing to be undertaken in the Union. |
In Luxembourg, the CSSF is the DORA competent authority for the financial sector and applies in parallel CSSF circular 22/806 on outsourcing arrangements, which requires prior notification and a hosting jurisdiction analysis for any critical or important cloud outsourcing. The law of 1 June 2023 implementing certain sectoral provisions complements the framework without contradicting the absence of a DORA localisation obligation, but article 41 of the LSF (banking professional secrecy) retains primacy for client data of Luxembourg credit institutions.
Luxgap practice: for any CSSF-supervised entity, we systematically document the dual DORA / circular 22/806 compliance and treat LSF professional secrecy as a de facto localisation constraint, even where DORA remains silent.