I need to bring my Luxembourg organisation into compliance with recital 90 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 90 DORA — Recital 90

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 90

Digital Operational Resilience Act · UE 2022/2554

(90)

Competent authorities should duly include the task of verifying substantive compliance with recommendations issued by the Lead Overseer in their functions with regard to prudential supervision of financial entities. Competent authorities should be able to require financial entities to take additional measures to address the risks identified in the Lead Overseer’s recommendations, and should, in due course, issue notifications to that effect. Where the Lead Overseer addresses recommendations to critical ICT third-party service providers that are supervised under Directive (EU) 2022/2555, the competent authorities should be able, on a voluntary basis and before adopting additional measures, to consult the competent authorities under that Directive in order to foster a coordinated approach to dealing with the critical ICT third-party service providers in question.

Luxembourg specificity

loi du 1er aout 2024 portant transposition de la directive (UE) 2022/2555 (NIS 2) et loi du 5 avril 1993 relative au secteur financier (cadre CSSF DORA)

In Luxembourg, the CSSF is the DORA competent authority for almost the entire financial sector (banks, PFS, fintechs, AIFMs, UCITS, investment firms), while the CAA covers insurance and reinsurance undertakings. For critical ICT providers also covered by NIS 2, the ILR is the Luxembourg NIS 2 competent authority, and the voluntary coordination foreseen in recital 90 materialises through a CSSF-ILR or CAA-ILR dialogue.

Luxgap practice: in your DORA register of information, tag for each critical provider whether it also qualifies as an essential or important entity under Luxembourg NIS 2, in order to anticipate joint CSSF-ILR action when a Lead Overseer recommendation lands.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 90 creates a sharp leverage point: recommendations issued by the Lead Overseer (one of the ESAs designated to oversee a critical ICT third-party provider) are not mere opinions, they become a prudential supervision item for the CSSF. In practice, if your bank, fintech, AIFM, insurance undertaking or e-money institution uses a cloud provider designated as critical under DORA, the CSSF will verify during inspections whether you have substantively taken those recommendations into account, and can require additional measures on your side, even if the provider itself has not moved.

What this recital changes in practice

Lead Overseer recommendations are not directly enforceable against the critical provider, but failure by the financial entity to factor them in becomes a CSSF prudential grievance.
The financial entity must document how it integrated each recommendation: contractual review, reinforced exit plan, compensating control, escalation to the risk committee.
The action deadline is set by CSSF notification, not by DORA itself. Anticipate rather than wait for the letter.
For providers covered by both DORA and NIS 2 (Directive EU 2022/2555), a voluntary coordination exists between CSSF and ILR. It does not lift your own obligation to act.
The argument we asked the vendor, they refused is not enough: DORA expects compensating controls or activation of the exit strategy.

How Luxgap automates this risk

Our Luxgap Lead Overseer Tracker turns the flow of ESA recommendations on critical ICT providers into a CSSF-defensible roadmap, automatically projected onto your real vendor map. The tool continuously harvests EBA, ESMA, EIOPA publications and the official register of designated critical providers, cross-checks them with your DORA register of information and your Odoo or SAP Ariba contracts, then flags every recommendation hitting a vendor you actually use, within 24 hours of publication.

Detects every new Lead Overseer recommendation and maps it automatically onto your active ICT vendors, with no manual entry.
Generates a pre-filled action plan per recommendation: contract review, compensating control, partial exit strategy trigger, risk committee escalation.
Tracks execution of each measure with timestamp and documentary evidence, defensible during a CSSF inspection under DORA article 28.
Alerts the CISO and DPO via Teams or Slack as soon as a recommendation impacts a vendor classified as critical in your register.
Identifies providers also covered by NIS 2 and prepares a CSSF-ILR coordination file ready to file.
Produces a quarterly cryptographically sealed report, evidencing the substantive compliance required by recital 90.

Available as a complement to a Luxgap CISO or DPO mandate or as a standalone SaaS brick depending on your scope. Request a tailored quote and our teams will run a demonstration on your real DORA register of information, with a free 48h white audit to measure your exposure to current recommendations before any commitment.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 90

They trust us

Before we chat