CSSF ICT Circulars: Navigating the new regulatory framework
Overview of the four circulars
On 9 April 2025, the CSSF published four circulars that significantly clarified and enhanced the DORA implementation framework in Luxembourg. These circulars address the intersection between Luxembourg's domestic ICT supervisory framework and the directly applicable DORA rules while maintaining specific provisions relevant at the national level.
- CSSF Circular 25/880 establishes a standalone regime applicable exclusively to payment service providers (PSPs), implementing the revised EBA Guidelines on ICT and security risk management. This Circular consolidates ICT risk and reporting frameworks applicable to PSPs in Luxembourg while integrating reporting requirements under Article 105-1(2) of the Law of 10 November 2009 on payment services
- CSSF Circular 25/881 amends Circular CSSF 20/750 by narrowing its scope to apply only to non-DORA entities. This creates a cleaner separation of regulatory regimes, ensuring that entities outside DORA's scope remain subject to appropriate ICT risk management requirements while avoiding regulatory overlap
- CSSF Circular 25/882 applies to all DORA entities and provides crucial clarifications for the use of ICT third-party services. This Circular has the highest impact on fund managers as it introduces specific requirements for professional secrecy compliance, cloud officer designation, and comprehensive reporting obligations
- CSSF Circular 25/883 reflects DORA's entry into application by amending Circular CSSF 22/806 on outsourcing arrangements. For DORA entities, this Circular now applies only to business process outsourcing, while maintaining full applicability for non-DORA entities across both business process and ICT outsourcing
Later, on 28 May 2025, the CSSF complemented its legal framework by issuing two additional circulars:
- CSSF Circular 25/892 requires financial entities to make available to the CSSF, upon request, an estimation of the aggregated annual costs and losses caused by major ICT-related incidents. This estimation must be prepared in line with the joint ESA Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents and submitted using the "reporting template for gross costs and losses and financial recoveries in the reference year" defined in Annex I of those Guidelines
- CSSF Circular 25/893 provides further clarifications on ICT-related incident notification reporting, including that:
- Major ICT-related incidents may not be notified in aggregated form
- Financial entities subject to DORA are required to comply with DORA obligations, including RTS and ITS
- Financial entities that have outsourced the reporting obligations remain fully responsible for the fulfilment of incident reporting requirements within the applicable timeline and for the whole content of the notification forms
Specific impact on fund managers
Fund managers face particularly complex compliance requirements under the new regulatory framework. Luxembourg management companies, alternative investment fund managers, and internally managed alternative investment funds fall squarely within DORA's scope and must navigate multiple overlapping regulatory requirements.
The most significant impact stems from CSSF Circular 25/882, which requires fund managers to ensure that any arrangement for ICT services provided by third-party service providers complies with professional secrecy obligations under Article 41(2a) of the Law of the Financial Sector. This requirement creates substantial operational complexity for fund managers who rely heavily on outsourced ICT services for portfolio management, risk management, and administrative functions.
Fund managers must also designate a "cloud officer" when utilizing cloud computing services, ensuring adequate competencies within the organization for managing and securing cloud-based resources.
Register of information and reporting obligations
CSSF Circular 25/882 introduces detailed requirements for maintaining and submitting registers of information regarding all contractual arrangements for ICT services provided by third-party service providers. Fund managers must submit these registers annually between 28 February and 31 March, with the first submission period occurring between 1 April and 31 May 2025.
The register must contain comprehensive information about all arrangements contracted during the reporting year and must be maintained at entity, sub-consolidated, and consolidated levels as appropriate. The CSSF reserves the right to request register information at any time outside the official submission period, so fund managers must keep the register accurate and up to date throughout the year rather than reconciling it only before submission.
Practical implications and strategic considerations
Operational transformation requirements
Fund managers must undertake comprehensive operational transformations to achieve sustainable DORA compliance. The regulation requires implementing robust ICT risk management frameworks that integrate with overall risk management strategies and encompass identification, protection, detection, response, and recovery measures.
Board-level governance assumes critical importance under DORA, with management bodies bearing ultimate responsibility for defining, approving, overseeing, and remaining accountable for ICT risk management frameworks. This requires significant investment in board education and the development of specialized ICT risk expertise at the governance level.
Contract renegotiation with ICT service providers represents one of the most resource-intensive compliance activities. Fund managers must ensure that all contractual arrangements include specified key provisions related to business continuity, incident response, exit strategies, and regulatory access rights. The complexity increases significantly when dealing with critical or important functions, which require three-month advance notification to the CSSF.
Risk management priorities and resource allocation
The analysis of fund manager requirements reveals distinct priority levels and implementation complexities that require strategic resource allocation.
Critical priority areas include ICT risk management framework development, third-party service provider oversight, and professional secrecy compliance. These areas demand immediate attention and substantial resource investment due to their foundational importance and high implementation complexity.
Third-party service provider oversight presents the highest implementation complexity, requiring comprehensive due diligence processes, enhanced monitoring capabilities, and sophisticated vendor management systems. Fund managers must develop capabilities to assess and monitor the digital operational resilience of their service providers while maintaining clear accountability for compliance obligations.
Digital operational resilience testing requirements add another layer of operational complexity, mandating at least annual testing of all ICT systems and applications supporting critical or important functions. Larger fund managers may face additional requirements for advanced threat-led penetration testing, requiring specialized technical capabilities and ongoing investment in testing infrastructure.
Cost implications and efficiency considerations
Implementation costs vary significantly based on firm size, current technological infrastructure, and existing compliance frameworks. Mid-sized fund managers report disproportionately higher relative impacts across all compliance areas, suggesting that economies of scale play a significant role in managing DORA compliance costs.
Many fund managers are exploring outsourcing strategies to achieve compliance efficiency while maintaining regulatory accountability. Specialized service providers offering DORA-compliant platforms and operational support can provide cost-effective alternatives to building internal capabilities, particularly for smaller organizations.
The ongoing nature of DORA compliance requires sustainable operational models rather than one-time implementation efforts. Fund managers must invest in continuous monitoring systems, ongoing staff training, regular testing programs, and dynamic risk management capabilities to maintain compliance over time.
Six months after DORA's implementation, the financial sector continues navigating a complex and evolving compliance landscape. The introduction of CSSF Circulars 25/880 through 25/883 has provided necessary clarification while adding layers of operational complexity, particularly for fund managers operating in Luxembourg's regulatory environment.
The compliance challenges facing financial institutions reflect the ambitious scope and transformative nature of DORA's requirements. Success requires sustained commitment to operational transformation, significant investment in technological infrastructure and human capabilities, and sophisticated approaches to third-party risk management.
Fund managers must view DORA compliance not as a regulatory burden but as an opportunity to enhance operational resilience, improve risk management capabilities, and strengthen competitive positioning in an increasingly digital financial services environment. The institutions that successfully integrate DORA requirements into their strategic planning and operational frameworks will emerge stronger and more resilient in the evolving regulatory landscape.
The regulatory environment will continue evolving as European authorities refine implementation guidance and address practical challenges identified during the initial compliance period. Fund managers must maintain adaptive compliance strategies that can respond to ongoing regulatory developments while building sustainable operational resilience capabilities for long-term success.