DORA and the practical implications of the new CSSF circulars

In June 2025, Derisk Advisory joined forces with DSM Avocats à la Cour to host a webinar on DORA and the practical implications of the new CSSF circulars.

Our principal consultant’s intervention focused on strategies for adapting outsourcing policies in light of recent CSSF circulars (e.g., 25/882) and pivotal European Commission Q&A clarifying the definition of ‘ICT services.’ Particular emphasis was placed on establishing distinct policies for Business Process Outsourcing and the Use of ICT Third-Party Providers, alongside integrating critical Luxembourg-specific requirements such as professional secrecy and broadened ex-ante CSSF notification procedures.

Furthermore, the presentation provided clarity on the CSSF’s evolving supervisory approach, including risk-based methodologies and enforcement considerations, coupled with rising expectations for the DORA Register of Information. Key interpretation challenges, such as the practical application of the principle of proportionality and the classification of software licenses under DORA, were addressed, offering prudent considerations based on recent NCA guidance to help ensure your compliance framework is both robust and defensible in the current regulatory landscape.

Watch the replay for actionable guidance on navigating DORA’s complexities in Luxembourg and strengthening your operational resilience framework.