CSSF Circular 22/806

CSSF 22/806 Readiness — DORA-Aligned

CSSF Circular 22/806 — ICT Risk Management for Luxembourg financial institutions. OneComply supports CSSF-focused governance, outsourcing readiness, circular evidence, and DORA alignment with explicit review boundaries.

Apply to DP program View Pricing

What is CSSF 22/806?

CSSF Circular 22/806 is the Luxembourg financial regulator's (Commission de Surveillance du Secteur Financier) circular on ICT risk management. It sets out requirements for how financial institutions supervised by the CSSF must manage their ICT risks.

The circular applies to all CSSF-supervised entities including banks, investment firms, payment institutions, and management companies operating in Luxembourg. It is closely aligned with DORA, so OneComply highlights reusable evidence and the CSSF-specific items that still need review.

Non-compliance can result in CSSF supervisory actions, administrative sanctions, and requirements for corrective measures. The circular requires annual ICT risk self-assessments and periodic CSSF reporting.

Controls

Sections

DORA

DORA Overlap

DORA Alignment With CSSF Review

CSSF 22/806 closely mirrors DORA ICT risk-management principles, but the overlap should not be treated as automatic legal compliance. OneComply maps reusable evidence and highlights the CSSF-specific requirements for customer and compliance review.

Shared with DORA

CSSF-specific only

Workflow acceleration examples

Before vs After — Operational Lift

Example improvements when CSSF governance, ICT outsourcing, evidence, and DORA alignment are managed in one workspace. Actual timelines depend on customer data quality and review process.

Workflow	Manual Process	With OneComply	Time Saved
ICT Risk Framework Documentation	2–4 weeks (policy drafting)	Guided CSSF template draft	Faster first draft
ICT Outsourcing Assessment	1–2 weeks per provider	15 minutes (automated assessment)	95%
Governance Structure Mapping	1–2 weeks (org chart + roles)	30 minutes (guided wizard)	95%
ICT Change Management Audit	3–5 days per audit cycle	10 minutes (automated tracking)	97%
CSSF Reporting Readiness	1–2 weeks (manual compilation)	Source-data gap checks	Lower rework
ICT Incident Classification	2–4 hours per incident	Instant (automated engine)	100%
Business Continuity Testing	2–3 weeks (planning + execution)	2 hours (guided framework)	90%
ICT Asset Inventory	1–3 weeks (manual cataloguing)	30 minutes (import + auto-classify)	95%

What We Automate

Scoped coverage of CSSF 22/806 sections with 35 mapped controls, ICT risk evidence, outsourcing readiness gates, and CSSF reporting preparation.

Section 3

ICT Risk Management Framework

8 mapped controls

ICT risk identification & assessment
Risk appetite & tolerance definition
Risk mitigation tracking
Board-level risk reporting

Section 4

ICT Governance & Organisation

6 mapped controls

Three lines of defence mapping
ICT committee structure
Key function holder tracking
Competency & training management

Section 5

ICT Operations & Security

7 mapped controls

ICT asset management & classification
Access control & identity management
Network security monitoring
Vulnerability & patch management

Section 6

ICT Project Management

4 mapped controls

ICT project risk assessment
Change management controls
Testing & validation requirements
Post-implementation review

Section 7

ICT Outsourcing

6 mapped controls

Outsourcing risk assessment
Due diligence questionnaires
Contract clause compliance
Sub-outsourcing chain monitoring

Sections 8–9

ICT Incident & Continuity

4 mapped controls

ICT incident classification & reporting
Business continuity planning
Disaster recovery testing
Crisis communication procedures

Start your CSSF 22/806 compliance journey

Manage Luxembourg ICT risk evidence, outsourcing readiness, and CSSF-aligned review workflows in one workspace.

Apply to DP program View Pricing