# DORA Reporting in Luxembourg: CSSF Guide for Financial Entities

Source: https://www.cyadviso.com/dora-luxembourg-cssf
Last reviewed: 2026-05-01
Country: Luxembourg (LU)
Tags: DORA, Luxembourg

CSSF — Luxembourg's DORA competent authority for banks, investment firms, payment firms / EMIs, fund managers and CASPs: scope, ICT reporting and evidence pack.

---

## Short answer

In Luxembourg, the CSSF supervises banks, investment firms, payment / e-money institutions, fund managers and MiCA-authorised CASPs that fall within DORA scope. The Commissariat aux Assurances (CAA) supervises (re)insurance undertakings and acts as the relevant DORA competent authority for those entities.

## Competent authorities

- **Commission de Surveillance du Secteur Financier (CSSF)** — https://www.cssf.lu/en/
- **Commissariat aux Assurances (CAA)** — https://www.caa.lu/en/the-caa

## Entities in scope

- Credit institutions (banks)
- Payment institutions and electronic money institutions (PIs / EMIs)
- Investment firms
- Crypto-asset service providers (CASPs) authorised under MiCA
- Insurance and reinsurance undertakings, where supervised in this jurisdiction
- Other financial entities listed in DORA Article 2

## Jurisdictional nuances

- Because Luxembourg's financial centre is so concentrated, ICT third-party risk and intra-group outsourcing arrangements are a recurring CSSF supervisory theme.
- The CSSF has established ICT-risk circulars (e.g. Circular 22/806 on outsourcing arrangements) that DORA implementation builds on directly, so much of the operating evidence already exists.
- Insurance undertakings file with the CAA, not the CSSF: the supervisor depends on the licence type.

## Primary sources

- CSSF — homepage — https://www.cssf.lu/en/
- CSSF Circular 22/806 — Outsourcing arrangements — https://www.cssf.lu/en/Document/circular-cssf-22-806/
- Commissariat aux Assurances — https://www.caa.lu/en/the-caa
- Regulation (EU) 2022/2554 — DORA, EUR-Lex — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554
- European Banking Authority — Digital Operational Resilience Act (DORA) — https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act

---

Authored by Andrey Gubarev — CISO for EU fintechs (CISM, CDPSE, SABSA).
CyAdviso · DORA / ICT risk / vCISO programmes for EU-licensed fintechs.
