Update to CSSF circulars: ICT risk management and use of ICT third parties/ICT outsourcing
The CSSF published new circulars to remove duplication and overlaps with DORA, thereby providing the market with clarity and transparency.
On 9 April 2025, the Commission de Surveillance du Secteur Financier (CSSF) published a press release announcing important updates to CSSF circulars that concern not only entities falling in the scope of DORA and supervised by the CSSF (DORA entities), but also other entities supervised by the CSSF (non-DORA entities) in relation to ICT risk management, use of ICT third parties and ICT outsourcing. The CSSF also published a new notification form for financial entities subject to DORA for the purpose of notifying the CSSF in a timely manner about any planned contractual arrangements involving the use of ICT services supporting critical or important functions, as well as when a function has become critical or important.
Overview of the new circulars
The new circulars published by the CSSF (CSSF Circulars) provide clarity on how DORA overlaps with Circular CSSF 20/750 on ICT and security risk management and Circular CSSF 22/806 on outsourcing arrangements. The clarifications are outlined below:
Circular CSSF 25/880 on relationship management of payment service users and Payment Service Providers (PSP) ICT assessment:
Circular CSSF 25/880 is applicable to all PSPs, whether DORA entities or non-DORA entities, and implements the recently updated EBA guidelines 2025/02 on ICT and security risk management, in addition to implementing the reporting requirement of Article 105-1(2) of the Law of 10 November 2009 on payment services (LPS) for PSPs (PSP ICT assessment), which was previously part of Circular CSSF 20/750.
Circular CSSF 25/881 amending Circular CSSF 20/750 on requirements regarding information and communication technology (ICT) and security risk management:
Circular CSSF 25/881 narrows the scope of Circular CSSF 20/750 to non-DORA entities and removes the specific elements only applicable to PSPs, which are regrouped in the new dedicated Circular CSSF 25/880 on relationship management of payment service users and PSP ICT assessment.
Circular CSSF 25/882 on requirements on the use of ICT third-party services for financial entities subject to DORA:
Circular CSSF 25/882 is applicable to all DORA entities and complements the DORA Regulation. It provides a number of clarifications, and in particular:
- describes in detail the in-scope entities, encompassing credit institutions, investment firms, Chapter 15 and Chapter 16 management companies incorporated under Luxembourg law, Luxembourg branches of Chapter 17 investment fund managers, investment companies which did not designate a management company, alternative investment fund managers, as well as internally managed alternative investment funds, all of which are in scope of Circular CSSF 25/882.
- reiterates certain important principles, such as the requirement to ensure that for any arrangement on the use of ICT services provided by ICT third-party service providers which are not supervised by the CSSF/CAA/ECB and not subject to professional secrecy obligations, access to data covered by professional secrecy shall be granted in compliance with Article 41(2a) of the Law of the Financial Sector (LFS) or Article 30(2a) of the Law of 10 November 2009 on payment services, where applicable.
- introduces specific requirements relating to back-up and storage location for financial entities outsourcing accounting systems to service providers located outside of Luxembourg.
- introduces the new form and instructions to be used to inform the CSSF in a timely manner about any planned contractual arrangements regarding the use of ICT services supporting critical or important functions, as well as when a function has become critical or important.
- reiterates that the register of information for subsequent year n is to be submitted between 28 February and 31 March of year n+1 at the latest. As an exception, for the first year of collection (2025), the register is to be submitted between 1 April 2025 and 15 April 2025. However, the CSSF mentions that it reserves the right to request the register of information at any time outside the official submission period.
- provides the definition of cloud computing and cloud services and reminds entities that the resource operator must designate among its employees one “cloud officer having sufficient competences to take on its function, and who may already have other functions within the ICT department”.
Circular CSSF 25/883 amending Circular CSSF 22/806 on outsourcing arrangements:
Circular CSSF 25/883 reflects the entry into application of DORA and needs to be read in conjunction with Circular CSSF 25/882. Circular CSSF 22/806 as amended by Circular CSSF 25/883 remains applicable to DORA entities only for business process outsourcing, while it remains fully applicable to non-DORA entities for business process outsourcing and ICT outsourcing, and applicable to Chapter 16 management companies for ICT outsourcing only.
Clarification on the definition of “ICT services”
The CSSF also directs supervised entities to the ESAs’ answer in their joint Q&As to the question on what types of services should be considered “ICT services” based on the definition in DORA Article 3(21), and further clarifies that financial services provided by professionals of the financial sector other than those covered by Articles 29-3 to 29-6 of the LFS are not to be considered an ICT service within the meaning of DORA.
Notification of an ICT third-party arrangement supporting a critical or important function under DORA
The new notification form released by the CSSF for entities subject to DORA is to be used to notify in a timely manner:
- any planned contractual arrangement regarding the use of ICT services supporting critical or important functions; or
- when a function has become critical or important.
The new form is to be used as of 9 April 2025 and the CSSF reiterates that previously notified ICT outsourcing arrangements under Circular CSSF 22/806 are not required to be re-submitted. Additionally, contractual arrangements on the use of ICT services that have already been deemed not critical or important are not required to be notified to the CSSF.
Supervised entities not subject to DORA must continue to submit notifications using the previous, slightly updated form, in line with the requirements of Circular CSSF 22/806, as amended by Circular CSSF 25/883.
Next steps
The CSSF Circulars apply with immediate effect.
With regard to the new notification form, in order not to penalise entities that are well ahead in preparing a notification based on the previous template, the CSSF has granted a transitional period until 10 May 2025 to submit notifications under the previous form.

How we can help
Contact our DORA and outsourcing experts for further assistance in complying with the CSSF Circulars and DORA. We will be delighted to support you in any way and explain our service offer in more detail.