LINARI LAW

CSSF updates on ICT risk management and outsourcing obligations for financial professionals

At the beginning of April 2025, the Commission de Surveillance du Secteur Financier (CSSF) published several important updates that modify Luxembourg’s regulatory framework for ICT risk management and outsourcing, in line with Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (known as DORA).

 

These updates affect not only CSSF-supervised entities that fall under DORA but also those that do not, aiming to remove overlaps and bring greater clarity and coherence to the regulatory landscape.

Among the newly issued circulars, Circular CSSF 25/880 is particularly relevant for payment service providers (PSPs). It applies to both DORA and non-DORA entities and implements the revised EBA Guidelines 2025/02 on ICT and security risk management. This circular consolidates PSP-specific obligations previously covered under Circular CSSF 20/750, streamlining the rules and aligning them more closely with European requirements.

In parallel, Circular CSSF 25/881 amends Circular CSSF 20/750 by narrowing its scope. It now applies only to non-DORA entities and removes all PSP-specific requirements, which are instead addressed under the new Circular 25/880. This update marks a clear distinction between the treatment of DORA and non-DORA entities and reflects the CSSF’s attempt to avoid duplication and confusion.

As for the use of ICT third-party services and outsourcing, two other circulars bring further clarification. Circular CSSF 25/882 addresses DORA entities specifically and complements DORA by detailing the requirements applicable to financial entities using ICT services provided by third-party providers. The circular highlights obligations such as safeguarding professional secrecy, complying with back-up and storage requirements when outsourcing accounting systems abroad, and designating a “cloud officer” in cloud computing scenarios. It also introduces a new form that must be used to notify the CSSF about any planned or updated contractual arrangements supporting critical or important functions.

Circular CSSF 25/883 amends Circular CSSF 22/806 to reflect the entry into application of DORA. The amended version of Circular 22/806 now continues to apply to DORA entities only for business process outsourcing, as ICT outsourcing by these entities falls within the remit of Circular 25/882. However, for non-DORA entities, Circular 22/806 remains fully applicable, covering both business process and ICT outsourcing.

The new notification form introduced by the CSSF is mandatory as of 9 April 2025 for all DORA entities. It must be used to inform the authority of any new ICT outsourcing arrangements that support critical or important functions, or if an existing function becomes critical or important. To ease the transition, submissions using the previous form are still being accepted until 10 May 2025.

All the new circulars entered into force upon publication.
