Cloud computing infrastructure
- Articles and memoranda
- Posted 21.05.2019
On 27 March 2019, the CSSF issued Circular 19/714 ("Circular") which amends CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure (CSSF Circular 17/654 as amended by the Circular is referred to as the "Cloud Computing Circular"). The key changes introduced by the Circular are as follows:
- it is no longer obligatory to notify the CSSF in case of outsourcing to a cloud computing infrastructure of non-material activities and there is a possibility to rely on the proportionality principle in order to disapply some requirements provided by the Circular (these are exhaustively enumerated in the Circular). The proportionality principle does not, however, include the possibility for the related entity to waive requirement to appoint a cloud officer within the resource operator even in case of outsourcing of non-material activities;
- investment fund managers subject to CSSF Circular 18/698 ("IFMs") which have outsourced IT relying on a cloud computing infrastructure before the publication of the Circular do not need to file an authorisation request or to notify such cloud infrastructure to the CSSF. Any new outsourcing relying on a cloud computing infrastructure must however comply with the Cloud Computing Circular;
- introduction of a register of cloud computing infrastructure outsourcing (a specific form is available on the CSSF website). The register must be established and completed (i) within 6 months from the publication of the Circular for credit institutions, professionals of the financial sector, payment institutions and electronic money institutions and (ii) within one year for IFMs; and
- publication by the CSSF of new forms, which simplify the authorisation process. Those forms must be completed and filed with the CSSF inter alia in case of (i) prior notification of outsourcing to a cloud computing infrastructure supporting a material activity and use of a Luxembourg-based support PFS1 (which is the only remaining case where a notification to the CSSF is required) and (ii) authorisation request to host material activity on a cloud computing not provided by a support PFS.
In addition, and in order to help the industry to better understand the requirements provided by the Circular, two FAQs were published by the CSSF's concomitantly with the Circular: the first is on the concept of materiality and the second is more general and includes questions on the requirements provided by the Cloud Computing Circular.
1 | "PFS" means Professional of the Financial Sector. | |||