IddiLabs · Tools · Outsourcing & ICT Third-Party Risk · Luxembourg

22/806 or DORA?

In April 2025 the CSSF split its outsourcing framework. DORA and Circular CSSF 25/882 now govern ICT third-party services for financial entities in DORA scope, while Circular CSSF 22/806 (as amended by Circular CSSF 25/883) keeps business process outsourcing — and everything for entities outside DORA. This tool qualifies one arrangement: the governing regime, whether it is critical or important, and the obligations that follow — ending in a printable qualification memo.

Browser-only No data leaves this page Six questions at most Not legal advice
The regime map

Two axes decide everything

Entity status (inside or outside DORA scope) and service nature (ICT or not). The map fills in as you answer below.

ICT service
Non-ICT service
DORA entity
DORA + 25/882Register of Information, Art. 30 clauses, CIF notification
22/806 · BPOBusiness process outsourcing chapter only
Non-DORA entity
22/806 · Part I + IIFull circular incl. ICT and cloud chapters
22/806 · Part IGeneral outsourcing requirements

The footnote that decides most cases: the three 22/806 cells apply only if the arrangement qualifies as outsourcing. The DORA cell has no such test — any contractual arrangement for ICT services counts, outsourcing or not. Investment fund managers are the exception on the non-ICT side: delegation rules (Circular CSSF 18/698) take over there, not 22/806.

Qualify one arrangement
What changes next
Horizon — the non-ICT side gets the DORA treatment

The EBA has consulted on Guidelines on the sound management of third-party risk (EBA/CP/2025/12, published 8 July 2025; consultation closed 8 October 2025; final publication was signalled for around April 2026 — check the EBA website for the current status). Once adopted and taken up by the CSSF, expect a further rework of 22/806:

  • "Outsourcing" is replaced by the much wider concept of a third-party arrangement — services the entity would never perform itself come into scope.
  • The outsourcing register becomes a third-party arrangement register, aligned with — and mergeable into — the DORA Register of Information.
  • DORA-style contract clause sets apply to non-ICT critical or important functions, including exit strategies and subcontracting conditions.
  • A two-year transition is signalled for existing arrangements once the guidelines apply.
Sources
  • Regulation (EU) 2022/2554 (DORA), in particular Articles 3(21), 3(22), 28, 29 and 30 — EUR-Lex
  • Circular CSSF 22/806 on outsourcing arrangements, as amended by Circular CSSF 25/883 — CSSF
  • Circular CSSF 25/882 on the use of ICT third-party services for financial entities subject to DORA — see the CSSF communiqué of 9 April 2025 — CSSF
  • Commission Delegated Regulation (EU) 2017/565 — the "critical or important" reading directed by footnote 4 of the circular, together with the BRRD "critical functions" concept
  • Circular CSSF 18/698 — the delegation framework for investment fund managers; non-ICT delegation by IFMs sits there, not in 22/806
  • Implementing Regulation (EU) 2024/2956 — templates for the Register of Information
  • EBA consultation paper EBA/CP/2025/12 on the sound management of third-party risk — EBA

This page summarises regulatory requirements for orientation. It is informational, not legal advice. Verify the outcome against the source texts before relying on it.