DORA Update

Below is an overview of a few key Luxembourg updates in relation to the Digital Operational Resilience Act (Regulation (EU) 2022/2554) (“DORA”) as addressed by the Luxembourg supervisory authority of the financial sector (“CSSF”).

1. Annual submission of DORA register of information (“DORA Register”)

According to Article 28(3) of DORA, Luxembourg financial entities, including investment fund managers (“IFMs”), subject to DORA (“DORA Entities”) must maintain and update at entity level, and at sub-consolidated and consolidated levels, a DORA Register in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

As announced by the CSSF in its Communiqué of 11 February 2026, for this second-year submission, Luxembourg DORA Entities are required to submit their DORA Register with the CSSF via eDesk between 11 February 2026 and 31 March 2026 at the latest, with a reference date set to 31 December 2025. 

The CSSF will check the submission of the DORA Register based on the validation rules and technical checks defined by the ESAs that have not changed since the first-year submission exercise, which is positive. However, these checks will be applied to more data fields of the DORA Register in order to increase the quality of the received data, which means that a DORA Register that was accepted last year, may be rejected this year by the CSSF.

The CSSF has issued additional guidance this year to help Luxembourg DORA Entities to complete and submit their DORA Register by describing the issues and errors most encountered during last year’s check and validation process, and recommends that DORA Entities submit their DORA Register as soon as possible to have sufficient time to make any necessary corrections before the end of March 2026. 

The CSSF has also stressed publicly that Luxembourg DORA Entities must maintain their DORA Register on an ongoing basis throughout the year, and not only for the annual submission with the CSSF.

2. New DORA questions in CSSF self-assessment questionnaire for IFMs (“CSSF IFM SAQ”)

According to CSSF Circular 21/789, Luxembourg IFMs must complete the CSSF IFM SAQ in order to carry out a self-assessment of their compliance with applicable legal and regulatory requirements, and file it annually via eDesk within 4 months of the IFM’s financial year end.

For the 2026 filing, the “Information Technology” section of the CSSF IFM SAQ has been completed with new DORA questions, which reflect the CSSF’s latest expectations as regards key elements such as the IFM’s ICT organisation, ICT training for employees, senior management and board, and DORA policies and procedures as implemented by the IFM.

When completing the CSSF IFM SAQ, IFMs should ensure that their answers to DORA questions are consistent and fully aligned with their ICT risk management framework and with the information previously provided to the CSSF, and accurately reflect their implementation of DORA, as the CSSF will assess the IFMs’ level of preparedness and progress in implementing DORA based on these answers.

Should you wish to receive more information in respect of the above, please feel free to reach out to your usual contact persons at Elvinger Hoss Prussen.