I need to bring my Luxembourg organisation into compliance with recital 82 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 82 DORA — Recital 82

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 82

Digital Operational Resilience Act · UE 2022/2554

(82)

The requirement to set up a subsidiary in the Union should not prevent the critical ICT third-party service provider from supplying ICT services and related technical support from facilities and infrastructure located outside the Union. This Regulation does not impose a data localisation obligation as it does not require data storage or processing to be undertaken in the Union.

Luxembourg specificity

circulaire CSSF 22/806 et loi du 1er juin 2023, lue en combinaison avec l'article 41 de la loi modifiee du 5 avril 1993 relative au secteur financier

In Luxembourg, the CSSF is the DORA competent authority for the financial sector and applies in parallel CSSF circular 22/806 on outsourcing arrangements, which requires prior notification and a hosting jurisdiction analysis for any critical or important cloud outsourcing. The law of 1 June 2023 implementing certain sectoral provisions complements the framework without contradicting the absence of a DORA localisation obligation, but article 41 of the LSF (banking professional secrecy) retains primacy for client data of Luxembourg credit institutions.

Luxgap practice: for any CSSF-supervised entity, we systematically document the dual DORA / circular 22/806 compliance and treat LSF professional secrecy as a de facto localisation constraint, even where DORA remains silent.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

This recital opens a door that many Luxembourg financial entities misread: yes, the critical ICT third-party provider may continue to host and process your data outside the EU even after ESAs designation, but this in no way relieves you from your own transfer risk analysis. The CSSF, during its reviews of cloud outsourcing arrangements, regularly sanctions entities that confuse absence of a DORA localisation obligation with absence of a Schrems II analysis. The GDPR continues to apply in parallel, and CSSF circular 22/806 still requires a geographical assessment of the data processed.

The DORA / GDPR / circular 22/806 articulation: three regimes, one reality

Recital 82 creates an asymmetry you must understand to avoid cross-cutting sanctions:

DORA imposes no EU localisation of data or processing, even for designated critical ICT providers.
The GDPR requires a transfer basis (article 46), a documented TIA and compliance with the Data Privacy Framework for US transfers.
CSSF circular 22/806 requires a pre-outsourcing analysis covering the hosting jurisdiction and government access risks (FISA 702, CLOUD Act).
Recital 82 does NOT neutralise sectoral requirements: data covered by banking professional secrecy (article 41 LSF) remains subject to its own regime.
No localisation obligation does not mean no traceability obligation: you must know, at all times, where your data is actually processed.

How Luxgap automates this risk

Our Luxgap Data Residency Radar definitively closes the topic of geographical traceability of ICT processing by turning your static flow map into continuous surveillance, region by region, datacenter by datacenter. The tool connects to the native APIs of your hyperscalers (AWS Config, Azure Resource Graph, GCP Asset Inventory), your M365 stack (Multi-Geo, Customer Lockbox logs) and your CMDB to reconstruct in real time the actual geography of your critical workloads, not the one declared in contracts.

Detects any workload or data movement towards an unauthorised region via AWS CloudTrail, Azure Activity Log and GCP Cloud Audit Logs webhooks, with Teams alert under 5 minutes.
Cross-references each critical ICT processing with its GDPR transfer basis (SCC 2021/914, BCR, article 49 derogation) and flags missing or expired bases.
Automatically generates the Schrems II Transfer Impact Assessment per destination country, including FISA 702, EO 12333, CLOUD Act analysis and the provider's Data Privacy Framework status.
Produces the outsourcing register compliant with CSSF circular 22/806 with the actual geography of cascading sub-processors (your SaaS hosted on AWS Frankfurt replicating to AWS Dublin backing up to AWS US-East).
Issues a timestamped and cryptographically sealed PDF report, enforceable against the CSSF during a SREP review or a thematic cloud inspection, demonstrating continuous control of data residency.

Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your perimeter. Request a tailored quote and our teams will prepare a demonstration on your actual workloads, with a free 48h scan to map the effective geography of your critical ICT processing before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 82

They trust us

Before we chat