Recital 95

Recital 95

Digital Operational Resilience Act · UE 2022/2554

(95)

To leverage the specific competences, technical skills and expertise of staff specialising in operational and ICT risk within the competent authorities, the three ESAs and, on a voluntary basis, the competent authorities under Directive (EU) 2022/2555, the Lead Overseer should draw on national supervisory capabilities and knowledge and set up dedicated examination teams for each critical ICT third-party service provider, pooling multidisciplinary teams in support of the preparation and execution of oversight activities, including general investigations and inspections of critical ICT third-party service providers, as well as for any necessary follow-up thereto.

Luxembourg specificity
loi luxembourgeoise du 1er aout 2024 portant mise en oeuvre du reglement (UE) 2022/2554 (DORA)

In Luxembourg, the CSSF is the DORA competent authority and will participate in the multidisciplinary examination teams covered by this recital. The law of 1 August 2024 implementing the DORA Regulation designates CSSF and the Commissariat aux Assurances (CAA) as competent authorities depending on the entity type, and organises their cooperation with ILR (NIS 2 authority) on typically Luxembourg shared providers (eBRC, LuxConnect, POST Telecom Cloud).

Luxgap practice: prepare a single inspection dossier usable both by CSSF (DORA angle) and ILR (NIS 2 angle) on your shared providers, because both authorities will share findings.