In April 2025 the CSSF split its outsourcing framework. DORA and Circular CSSF 25/882 now govern ICT third-party services for financial entities in DORA scope, while Circular CSSF 22/806 (as amended by Circular CSSF 25/883) keeps business process outsourcing — and everything for entities outside DORA. This tool qualifies one arrangement: the governing regime, whether it is critical or important, and the obligations that follow — ending in a printable qualification memo.
Entity status (inside or outside DORA scope) and service nature (ICT or not). The map fills in as you answer below.
The footnote that decides most cases: the three 22/806 cells apply only if the arrangement qualifies as outsourcing. The DORA cell has no such test — any contractual arrangement for ICT services counts, outsourcing or not. Investment fund managers are the exception on the non-ICT side: delegation rules (Circular CSSF 18/698) take over there, not 22/806.
The EBA has consulted on Guidelines on the sound management of third-party risk (EBA/CP/2025/12, published 8 July 2025; consultation closed 8 October 2025; final publication was signalled for around April 2026 — check the EBA website for the current status). Once adopted and taken up by the CSSF, expect a further rework of 22/806:
This page summarises regulatory requirements for orientation. It is informational, not legal advice. Verify the outcome against the source texts before relying on it.