Key Updates on CSSF Circulars on ICT Risk Management and ICT Outsourcing/Use of ICT Third Parties

On 9 April, the CSSF issued four new circulars:

  • Circular CSSF 25/880 on relationship management of payment service users and PSP ICT assessment
  • Circular CSSF 25/881 amending Circular CSSF 20/750 on information and communication technology (ICT) and security risk management
  • Circular CSSF 25/882 setting out requirements for the use of ICT third-party services by financial entities falling under the scope of the Digital Operational Resilience Act (DORA)
  • Circular CSSF 25/883 amending Circular CSSF 22/806 on outsourcing arrangements

As highlighted in the CSSF’s communiqué of the same date, these new circulars introduce key changes to existing frameworks, aligning with the entry into force of DORA. They affect not only financial entities subject to DORA, but also other entities supervised by the CSSF.

Circular CSSF 25/882 – applicable immediately – outlines new obligations related to the use of ICT third-party services for entities within DORA’s scope, including:

  • certain elements that go beyond DORA: notably, the CSSF has decided to keep the distinction between cloud and non-cloud ICT services, as well as the concepts of resource operator and cloud officer
  • a reiteration of the CSSF's expectations on the backup of accounting positions, now applicable to all financial entities in scope of DORA, creating de facto a new requirement for investment fund managers
  • practical considerations for the reporting obligations for new critical or important ICT third-party arrangements and for the DORA register of information

Circular CSSF 25/883 updates Circular CSSF 22/806 on outsourcing: ICT outsourcing provisions are now repealed for DORA-covered entities (only business process outsourcing remains in scope) but remain fully applicable to other entities supervised by the CSSF. The obligation to subject cloud service contracts to EEA law and ensure EEA-based cloud service resilience has been lifted for all entities – offering greater flexibility for Luxembourg-based financial entities.

Updated notification forms are now available for both DORA and non-DORA entities when declaring ICT services supporting critical or important functions. While the new forms should be used as of today, submissions using the previous format will still be accepted until 10 May 2025. Notification timelines remain unchanged (i.e. three months, or one month in advance for Luxembourg support PFS under Articles 29-3, 29-5 or 29-6 of the Law of 5 April 1993).

Circular CSSF 25/881 updates Circular CSSF 20/750 in line with the EBA's new Guidelines GL 2025/02, which amend the previous EBA Guidelines on ICT and security risk management. The revised guidelines now apply exclusively to Payment Service Providers. Non-DORA entities under CSSF supervision remain subject to the original requirements of Circular CSSF 20/750.

Clarification on the definition of ICT services: in another communiqué dated 9 April, the CSSF refers to the European Commission's response to DORA question DORA030 and clarifies the definition of ICT services for Luxembourg-based financial entities.

How can we help?

We are here to help you assess the impact of these developments on your current DORA or ICT outsourcing setup and future projects. Feel free to reach out.