I need to bring my Luxembourg organisation into compliance with recital 98 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 98 DORA — Recital 98

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 98

Digital Operational Resilience Act · UE 2022/2554

(98)

In order to further quantify and qualify the criteria for the designation of ICT third-party service providers as critical and to harmonise oversight fees, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to supplement this Regulation by further specifying the systemic impact that a failure or operational outage of an ICT third-party service provider could have on the financial entities it provides ICT services to, the number of global systemically important institutions (G-SIIs), or other systemically important institutions (O-SIIs), that rely on the ICT third-party service provider in question, the number of ICT third-party service providers active on a given market, the costs of migrating data and ICT workloads to other ICT third-party service providers, as well as the amount of the oversight fees and the way in which they are to be paid. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (22). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member States’ experts, and their experts should systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

Luxembourg specificity

Circulaire CSSF 22/806 relative aux arrangements d'externalisation

In Luxembourg, the CSSF is the competent authority for monitoring financial entities subject to DORA and oversees the integration of Commission delegated acts into its sectoral circulars, in particular CSSF Circular 22/806 on ICT outsourcing arrangements, which predated DORA and is being progressively aligned with the Regulation. Any change in CTPP criteria from a delegated act is typically relayed through a CSSF circular update or FAQ that your compliance teams must integrate without delay.

Luxgap practice: we configure CTPP Radar to monitor the OJEU and CSSF publications (circulars, FAQs, communiques) simultaneously, so your internal thresholds stay aligned with both EU law and Luxembourg prudential doctrine.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 98 announces that the European Commission will supplement DORA through delegated acts further specifying the criteria for designating critical ICT third-party providers and harmonising oversight fees. The trap for Luxembourg financial entities supervised by the CSSF is to read this recital as a formality: it actually means that the list of CTPPs and their scope will evolve over time, through successive regulatory layers. A private bank that froze its vendor mapping on the initial version of the Regulation will mechanically fall out of compliance as soon as a delegated act refines the thresholds.

What this recital concretely changes for you

The systemic impact criteria will be refined: failure impact, number of G-SII and O-SII clients, market concentration, migration cost.
Your cloud providers, banking SaaS and core-banking vendors may shift to CTPP status between two reporting cycles, triggering direct application of the ESA-led oversight regime.
CTPP oversight fees will be harmonised: your contracts must anticipate the potential pass-through of those costs.
Your ICT vendor mapping must be living, not an annual Excel: a provider's critical status can change mid-year.
Your DORA Article 28(3) register of information must be built to absorb the new criteria the Commission will publish without disruption.

How Luxgap automates this risk

Our Luxgap CTPP Radar turns DORA regulatory watch into operational signal: the tool continuously monitors delegated acts published in the OJEU and CTPP lists designated by the ESAs, then automatically re-scores every ICT provider in your register against the criteria in force. Concretely, a specialised LLM agent reads each new Commission delegated act on publication, extracts the new quantitative thresholds (concentration, migration cost, number of SII clients) and recomputes the criticality score of your vendors without manual CISO intervention.

Scans in real time the OJEU and EBA, ESMA, EIOPA websites to detect any new CTPP designation or delegated act supplementing DORA.
Automatically re-evaluates each line of your DORA Article 28(3) register against the updated criteria, with Teams or email alerts as soon as a provider tips into the critical zone.
Cross-references your Azure, AWS, M365, Salesforce and core-banking data (Temenos, Avaloq, OLYMPIC) to materialise the real concentration of your ICT workloads at a single provider.
Computes a predictive migration cost score per vendor, based on data volume hosted, APIs in use and the availability of alternatives on the Luxembourg market (eBRC, LuxConnect, POST Telecom Cloud).
Produces a timestamped PDF report opposable to the CSSF, demonstrating that your ICT register is kept up to date in line with the Commission's latest specifications.

Available as a complement to a Luxgap CISO mandate or as a standalone SaaS brick depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real ICT register, with a free 48h blank audit to measure your concentration exposure before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 98

They trust us

Before we chat