I need to bring my Luxembourg organisation into compliance with recital 95 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

The classic trapRecital 95 sheds light on an underestimated point: oversight of critical ICT third-party providers will be conducted by multidisciplinary examination teams pooling ESAs, the Lead Overseer, NIS 2 competent authorities on a voluntary basis, and national supervisors (CSSF in Luxembourg). In practice, a supervised financial entity preparing only for a classic CSSF review will be caught off guard: the general investigation or inspection will be carried out by a cross-disciplinary team with sharp technical profiles (cloud, cryptography, operational resilience) that will cross-reference your contractual evidence, your logs and your TLPT results. The classic trap is to provide generic legal answers when the team expects enforceable technical artifacts.What this recital concretely changes for LU financial entitiesCTPPs will be audited by teams that share findings across authorities: a finding made by EBA flows to CSSF and vice versa.CSSF may contribute to the examination team of a CTPP used by your Luxembourg peers and reuse the findings during your own article 30 inspections.Your article 28(3) registers of information must align with the ESAs ITS format, because these teams compare them transversally across entities.NIS 2 cooperation (ILR in Luxembourg) being voluntary but encouraged, expect DORA/NIS 2 cross-checks on shared providers (eBRC, LuxConnect, POST datacenters).Follow-ups (recommendations, article 35 sanctions) will be coordinated: a recommendation issued to the CTPP can trigger a remediation obligation at your level within 6 months.How Luxgap automates this riskOur Luxgap Oversight Readiness Cockpit turns your DORA supervision dossier into enforceable evidence mobilizable within 4 hours when a multidisciplinary examination team (ESAs + CSSF + Lead Overseer) launches an investigation on one of your CTPPs. The tool continuously aggregates the artifacts expected by these cross-disciplinary teams by cross-referencing your Odoo/Ironclad contracts, your Microsoft Sentinel logs, your ServiceNow tickets, your TLPT reports and your providers' public certifications (ISO 27001, SOC 2 Type II, PCI-DSS, C5).Automatically detects which of your providers are classified CTPP by the ESAs and alerts as soon as an official designation appears in the EU Official Journal.Generates the article 28(3) register of information in the exact ESAs ITS format, ready to be transmitted to CSSF without manual reprocessing.Maps cascading dependencies (your CTPPs, their subcontractors, the eBRC/LuxConnect datacenters) and flags risk concentrations visible to the examination team.Produces a timestamped and cryptographically sealed inspection dossier, structured along the ESAs examination grid, enforceable during a joint inspection.Synchronises recommendations issued by the Lead Overseer to the CTPP with your internal remediation plan and alerts on article 42 compliance deadlines.Predicts, based on expiring certifications and public incidents of your providers,...

Recital 95 DORA — Recital 95

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 95

Digital Operational Resilience Act · UE 2022/2554

(95)

To leverage the specific competences, technical skills and expertise of staff specialising in operational and ICT risk within the competent authorities, the three ESAs and, on a voluntary basis, the competent authorities under Directive (EU) 2022/2555, the Lead Overseer should draw on national supervisory capabilities and knowledge and set up dedicated examination teams for each critical ICT third-party service provider, pooling multidisciplinary teams in support of the preparation and execution of oversight activities, including general investigations and inspections of critical ICT third-party service providers, as well as for any necessary follow-up thereto.

Luxembourg specificity

loi luxembourgeoise du 1er aout 2024 portant mise en oeuvre du reglement (UE) 2022/2554 (DORA)

In Luxembourg, the CSSF is the DORA competent authority and will participate in the multidisciplinary examination teams covered by this recital. The law of 1 August 2024 implementing the DORA Regulation designates CSSF and the Commissariat aux Assurances (CAA) as competent authorities depending on the entity type, and organises their cooperation with ILR (NIS 2 authority) on typically Luxembourg shared providers (eBRC, LuxConnect, POST Telecom Cloud).

Luxgap practice: prepare a single inspection dossier usable both by CSSF (DORA angle) and ILR (NIS 2 angle) on your shared providers, because both authorities will share findings.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 95 sheds light on an underestimated point: oversight of critical ICT third-party providers will be conducted by multidisciplinary examination teams pooling ESAs, the Lead Overseer, NIS 2 competent authorities on a voluntary basis, and national supervisors (CSSF in Luxembourg). In practice, a supervised financial entity preparing only for a classic CSSF review will be caught off guard: the general investigation or inspection will be carried out by a cross-disciplinary team with sharp technical profiles (cloud, cryptography, operational resilience) that will cross-reference your contractual evidence, your logs and your TLPT results. The classic trap is to provide generic legal answers when the team expects enforceable technical artifacts.

What this recital concretely changes for LU financial entities

CTPPs will be audited by teams that share findings across authorities: a finding made by EBA flows to CSSF and vice versa.
CSSF may contribute to the examination team of a CTPP used by your Luxembourg peers and reuse the findings during your own article 30 inspections.
Your article 28(3) registers of information must align with the ESAs ITS format, because these teams compare them transversally across entities.
NIS 2 cooperation (ILR in Luxembourg) being voluntary but encouraged, expect DORA/NIS 2 cross-checks on shared providers (eBRC, LuxConnect, POST datacenters).
Follow-ups (recommendations, article 35 sanctions) will be coordinated: a recommendation issued to the CTPP can trigger a remediation obligation at your level within 6 months.

How Luxgap automates this risk

Our Luxgap Oversight Readiness Cockpit turns your DORA supervision dossier into enforceable evidence mobilizable within 4 hours when a multidisciplinary examination team (ESAs + CSSF + Lead Overseer) launches an investigation on one of your CTPPs. The tool continuously aggregates the artifacts expected by these cross-disciplinary teams by cross-referencing your Odoo/Ironclad contracts, your Microsoft Sentinel logs, your ServiceNow tickets, your TLPT reports and your providers' public certifications (ISO 27001, SOC 2 Type II, PCI-DSS, C5).

Automatically detects which of your providers are classified CTPP by the ESAs and alerts as soon as an official designation appears in the EU Official Journal.
Generates the article 28(3) register of information in the exact ESAs ITS format, ready to be transmitted to CSSF without manual reprocessing.
Maps cascading dependencies (your CTPPs, their subcontractors, the eBRC/LuxConnect datacenters) and flags risk concentrations visible to the examination team.
Produces a timestamped and cryptographically sealed inspection dossier, structured along the ESAs examination grid, enforceable during a joint inspection.
Synchronises recommendations issued by the Lead Overseer to the CTPP with your internal remediation plan and alerts on article 42 compliance deadlines.
Predicts, based on expiring certifications and public incidents of your providers, which ones are likely to be targeted by a general investigation within 12 months.

Available as part of a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request your demonstration and our teams will prepare a free white audit within 48h on your ICT provider portfolio to materialise your real exposure to a DORA examination team investigation before any commitment.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 95

They trust us

Before we chat