I need to bring my Luxembourg organisation into compliance with recital 92 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 92 DORA — Recital 92

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 92

Digital Operational Resilience Act · UE 2022/2554

(92)

The Oversight Framework should not replace, or in any way or for any part substitute for, the requirement for financial entities to manage themselves the risks entailed by the use of ICT third-party service providers, including their obligation to maintain an ongoing monitoring of contractual arrangements concluded with critical ICT third-party service providers. Similarly, the Oversight Framework should not affect the full responsibility of financial entities for complying with, and discharging, all the legal obligations laid down in this Regulation and in the relevant financial services law.

Luxembourg specificity

Circulaire CSSF 22/806 sur les arrangements de sous-traitance

In Luxembourg, the CSSF is the competent authority designated under Article 46 of DORA for credit institutions, PSFs, payment institutions, EMIs and investment funds. CSSF Circular 22/806 on outsourcing, read jointly with DORA, already requires ongoing and documented monitoring of agreements with ICT providers, including those not designated as critical by the ESAs. The CAA remains competent for insurance undertakings.

Luxgap practice: never classify a provider as 'already supervised by the ESAs, so nothing to do' in the CSSF register. Maintain a dedicated 'entity residual actions' column for each CTPP, reviewed quarterly by the risk committee.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 92 locks down a dangerous illusion: believing that because the ESAs now directly oversee critical ICT third-party providers (Microsoft, AWS, Google Cloud), the financial entity can relax its own contractual vigilance. The CSSF sanctions exactly the opposite: European oversight does not dilute the board's responsibility under Article 5 of DORA, nor the ongoing monitoring obligation under Article 28. A PSF invoking 'but Azure is already overseen by EBA' to justify the absence of monitoring on its own contractual relationship faces direct sanction.

The dual responsibility this recital clarifies

Supervised responsibility: ESAs oversee the critical third-party provider at EU level (recommendations, information requests, on-site inspections at the provider).
Retained responsibility: each financial entity must continue to exercise its own risk management on its own contractual relationship (Article 30 clauses, audit rights, exit plans, BIA).
No liberating effect: no ESA recommendation addressed to the critical provider releases the financial entity from acting if residual risk on its perimeter remains high.
Ongoing monitoring: contractual monitoring must be continuous (SLA, incidents, certifications, cascading sub-contractors) and not occasional at renewal time.
Financial law unchanged: MiFID II, CRR, Solvency II, AIFMD continue to apply in parallel, without interference with DORA oversight.

How Luxgap automates this risk

Our Luxgap Oversight Delta Tracker makes it impossible to confuse European oversight with the financial entity's residual responsibility. The tool continuously ingests recommendations published by the ESAs under Chapter V of DORA for each designated critical third-party provider, correlates them with your Article 28(3) information register and automatically identifies the risk delta YOU still need to address, independently of any oversight action.

Synchronises daily the official list of CTPPs designated by the ESAs with your CSSF information register and alerts as soon as one of your providers shifts to critical status.
Analyses each public ESA recommendation via an LLM agent and automatically generates the list of residual actions your entity must conduct on its own (Article 30 clauses to strengthen, exit plan to update, BIA to revise).
Detects grey zones where the financial entity wrongly believes itself covered by European oversight (cascading sub-contractors not covered, services outside the critical perimeter, cloud regions not audited).
Produces a quarterly timestamped report, enforceable before the CSSF during an ICAAP or SREP inspection, demonstrating the clear separation between European oversight actions and internal risk management measures.
Generates the board dashboard required by Article 5 of DORA, proving that management has not delegated its responsibility to the oversight framework.

Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your perimeter. Request a personalised quote and our teams will prepare a demonstration on your actual critical third-party providers, with a free blank audit within 48h to measure the gap between your current register and DORA's residual requirements.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 92

They trust us

Before we chat