A comparative analysis of CSSF Circular 22/806 and DORA contractual provisions

Magdalena Mihalcea,
Sabika Ishaq
In the rapidly evolving financial landscape, regulatory compliance is more than just a checkbox; it’s a fundamental pillar ensuring the stability and integrity of financial markets. Two key regulations governing outsourcing and third-party ICT services in financial entities are CSSF Circular 22/806 and DORA (Digital Operational Resilience Act). While they share a number of similarities, the unique features of DORA offer some important benefits.

Common contractual ground: The intersection points

Before delving into what sets DORA apart, it’s valuable to note the commonalities between the two regulatory frameworks:

  1. Written agreement: Both emphasize the critical need for a written contract that outlines each party's rights and responsibilities.
  2. Service description: A detailed depiction of the services to be provided is mandatory in both regulations.
  3. Locations: Both require explicit information about where the services and data storage are located.
  4. Data security: Security protocols for data, including its integrity and accessibility, are emphasized in both frameworks.
  5. Performance monitoring: A clause for ongoing scrutiny of the service provider's adherence to performance metrics is required by both.
  6. Reporting obligations: Service providers are mandated to report any incidents or conditions that may adversely affect the service quality.
  7. Authority cooperation: Both regulations necessitate cooperation with governing or competent authorities.
  8. Termination rights: Conditions for terminating agreements are clearly stipulated in both sets.


The DORA difference: Unique contractual features and their value

While both sets of regulations are comprehensive, DORA brings several unique features that add value to its framework.


Exit strategies

In an ever-changing technology landscape, the ability for financial entities to adapt is critical. DORA explicitly mandates the establishment of exit strategies, including a mandatory adequate transition period. This proactive requirement ensures that financial entities have a well-defined plan for reducing the risk of disruptions when changing service providers. It also grants the flexibility to revert to on-premises solutions or switch providers without undue complexity or risk.


ICT incident assistance

DORA stands out in its specific requirement for ICT third-party service providers to assist in case of an ICT incident. This assistance must be provided either at no additional cost or at a cost determined in advance. In today's cyber-threat landscape, where incidents are not a matter of ‘if’ but ‘when’, this provision is invaluable. It assures that during an emergency, the focus will be on problem-solving and recovery rather than negotiating assistance costs.


Involvement of ICT third-party vendors in the financial firms' security awareness initiatives

One of DORA's standout provisions centers on the conditions under which ICT third-party service providers participate in financial entities' ICT security awareness programs. This clause offers multifaceted benefits. Firstly, it ensures that both the financial entity and its ICT provider are on the same page regarding security protocols, thereby reducing potential vulnerabilities and mismatches in system safeguards. Secondly, it fosters a collaborative environment, strengthening the relationship between the two entities, which is crucial for swift and effective response in times of digital threats or operational disruptions. Moreover, this mutual training approach ensures a consistent level of knowledge and skills across the board, reducing the chances of security breaches caused by human error.


Additional contractual requirements related to ICT services

DORA emphasizes several additional key elements for contractual arrangements related to ICT services underpinning critical or important functions:

  • Comprehensive descriptions of service levels, inclusive of updates and revisions, containing clear quantitative and qualitative performance goals.
  • Notice periods and reporting obligations of the ICT third-party service provider to the financial entity.
  • Requirements for the ICT third-party service provider to implement and test business contingency plans.
  • The obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT (threat-led penetration testing).
  • Exit strategies, emphasizing the need for a compulsory suitable transition timeframe.


Why these unique points matter

DORA's unique features do more than just supplement existing regulatory requirements; they address areas that are often overlooked but are pivotal in ensuring robust operational standards. Here's a more in-depth look at why these unique points are so valuable.

Enhancing decision-making & reducing complexity

The requirement for well-defined exit strategies not only allows for agility but also enhances decision-making by making the risks and processes clear. It pushes financial entities to consider the entire lifecycle of an outsourcing relationship, from initiation to potential termination. By doing so, it fosters a culture of holistic risk assessment and planning, reducing complexities that often arise during unplanned terminations or transitions. This can save financial entities both time and resources in the long run.

Future-proofing business operations

Exit strategies aren't just for the here and now; they're a form of future-proofing. As technological landscapes evolve and business objectives shift, the capability to change ICT providers with minimal operational disruption is invaluable. DORA ensures that financial entities are not locked into technology that may become obsolete, inadequate, or excessively costly. This is particularly relevant in the current era of rapid technological innovation, where committing to a single vendor for an extended period can lead to missed opportunities or create vulnerabilities.

Rapid response and minimized disruption

DORA's insistence on mandatory ICT incident assistance facilitates a rapid and well-coordinated response in crisis situations. When the clock is ticking, and every moment can translate to financial losses or reputational damage, a clear and predetermined plan for crisis management can be a lifesaver. By ensuring that service providers assist promptly and effectively, DORA eliminates possible bottlenecks and enables financial entities to recover more swiftly from ICT incidents.

Shifting the financial burden

In addition, by stipulating that the service provider must assist at no additional cost or at a predetermined cost, DORA shifts part of the financial burden of incident resolution away from the financial entities. This ensures that costs are predictable and helps financial entities better budget for and manage operational risks. It also ensures that financial entities can allocate their resources more efficiently, focusing on their core competencies and strategic initiatives rather than unexpected crises.


Unique contractual features of CSSF Circular 22/806

CSSF Circular 22/806 also has its own unique elements that address some critical areas of concern in outsourcing contracts.

For instance, it explicitly stipulates that the outsourcing agreement must mention the start and end dates, which provides both parties with a clear time-bound framework for their collaboration. The Circular additionally outlines the necessity of defining the parties' financial obligations, making for transparent and predictable financial planning. Perhaps most importantly, it calls for the agreement to specify its governing law, thereby preempting any legal ambiguities that could arise in cross-border relationships. Another noteworthy feature is the provision that service providers should have mandatory insurance against certain risks, specifying the required level of insurance cover. This is particularly useful in mitigating financial risks and ensuring that both parties are adequately protected in case of unforeseen eventualities.

These unique features make CSSF Circular 22/806 a comprehensive regulatory guide that complements DORA in ensuring a secure and stable financial services ecosystem.



CSSF Circular 22/806 and DORA both offer comprehensive frameworks to navigate the intricacies of outsourcing and third-party services in financial entities. However, DORA goes a step further with its unique provisions for exit strategies and ICT incident assistance. These additions make DORA a particularly robust framework, providing both strategic adaptability and operational resilience for financial entities in a volatile, uncertain, complex, and ambiguous world.



If you have any questions, please contact our Chief Information Security Officer, Sabika Ishaq, or our Senior Information Security Manager, Magdalena Mihalcea.