Luxembourg Financial Regulatory News:
This article explains Circular CSSF 25/897, which updates the regulatory framework for Long Form Reports (LFR) submitted by credit institutions in Luxembourg. This update modifies a self-assessment questionnaire by introducing new modules for UCI administration and EMIR, while relocating technology-related readiness into the broader IT risk section. The circular establishes a comprehensive reporting structure that includes this annual questionnaire alongside separate reports from statutory auditors regarding anti-money laundering and the protection of client assets. These requirements are designed to align banking disclosures with current supervisory priorities and risk-based oversight strategies. To ensure compliance, institutions must submit their digital evaluations within three months of the financial year-end, followed by auditor reports within five months. Ultimately, the framework serves to provide the CSSF with accurate data to monitor legal adherence and institutional stability across the financial sector.
| Topic or Requirement | Effective Date | Submission Deadline | Frequency | Related Regulation or Circular |
| Self-assessment questionnaire (SAQ) accessibility | 31 December 2025 | within three months before the closure of the financial year | Annual | Circular CSSF 22/821 (as amended by Circular CSSF 25/897) |
| Submission of Self-assessment questionnaire (SAQ) (All modules except IFRS 9) | 31 December 2025 | within three months after the closure of the financial year | Annual | Circular CSSF 22/821 (as amended by Circular CSSF 25/897) |
| REA – The reports prepared by the REA must be transmitted by the institution to the CSSF in electronic form via a CSSF digital solution | 31 December 2025 | within five months after the closure of the financial year | Annual | Circular CSSF 22/821 (as amended by Circular CSSF 25/897); CSSF Regulation No 12-02 |
Regulatory Evolution: 5 Impactful Shifts in Luxembourg’s Long Form Report Framework
1. Introduction: The Shifting Sands of Banking Supervision under Circular CSSF 25/897 for Credit Institutions in Luxembourg
The Luxembourg regulatory landscape is defined by its ability to pivot in the face of emerging financial complexities. In this evolving environment, Circular CSSF 25/897 represents much more than a routine administrative update; it is a strategic realignment of how credit institutions report their operational health and risk profiles.
By amending the Long Form Report (LFR) framework established in Circular CSSF 22/821, the Commission de Surveillance du Secteur Financier (CSSF) is signaling a transition toward a more integrated, risk-based, and digital-first supervisory model. This post distills the five most significant shifts from the latest amendments, offering the strategic insight necessary for institutions to navigate this new reporting reality. This is the first major shift under Circular CSSF 25/897 related to annual self-assessment questionnaire (SAQ) and the reports prepared by the REA (Réviseurs d’Entreprises Agréés).
2. DORA: From “Preparedness” to “Business as Usual” for Credit Institutions in Luxembourg
The removal of the standalone “DORA preparedness” module from the Self-Assessment Questionnaire (SAQ) marks a pivotal moment in digital supervision. Far from being deprioritized, the Digital Operational Resilience Act (DORA) requirements have been synthesized into the broader “IT risk” modules.
From a strategic perspective, this integration signals that digital resilience has moved from a “one-off” project to a permanent feature of the supervisory “business as usual” landscape. For institutions, this necessitates a structural shift: IT and Compliance departments must now merge their reporting workflows. Treating digital resilience as a siloed exercise is no longer viable; it must be managed as a fundamental, integrated component of standard IT risk management. This is the second major shift under Circular CSSF 25/897 related to annual self-assessment questionnaire (SAQ) and the reports prepared by the REA (Réviseurs d’Entreprises Agréés).
3. Broadening the Horizon: The Inclusion of UCI and EMIR for Credit Institutions in Luxembourg
To better align the SAQ with current “supervisory points of focus,” the CSSF has introduced two brand-new modules:
- UCI Administration
- European Market Infrastructure Regulation (EMIR)
While the SAQ generally covers domains where both the CSSF and the European Central Bank (ECB) may have interests, compliance strategists must note a critical jurisdictional nuance: modules covering MiFID, PSD 2, UCI depositaries, and the new EMIR module fall under the exclusive competence of the CSSF. This distinction is vital for understanding data oversight. The inclusion of these modules reflects the regulator’s sharpened focus on fund administration and derivatives reporting as critical pillars of Luxembourg’s financial stability. This is the third major shift under Circular CSSF 25/897 related to annual self-assessment questionnaire (SAQ) and the reports prepared by the REA (Réviseurs d’Entreprises Agréés).
4. The End of the Static List: Moving to a Digital-First Repository for Credit Institutions in Luxembourg
In a move toward true “RegTech” integration, the CSSF has removed the static list of SAQ modules and their descriptions from the Circular itself. This information is now housed in a dynamic digital repository on the CSSF website.
This is a masterstroke of regulatory agility. By decoupling the questionnaire’s substance from the legal text of the Circular, the CSSF can now update the questionnaire annually to reflect market shifts without the legal friction of issuing new Circulars. This transition is summarized in the framework’s core logic:
“The individual modules of the self-assessment questionnaire and their level of application as well as the applicable exemptions are directly recorded in the CSSF’s digital solution.” This is the fourth major shift under Circular CSSF 25/897 related to annual self-assessment questionnaire (SAQ) and the reports prepared by the REA (Réviseurs d’Entreprises Agréés).
5. Streamlining the Audit: Proportionality and Positive Assurance for Credit Institutions in Luxembourg
The revised framework emphasizes “proportionality,” specifically adapting content according to the nature of a bank’s activities to reduce the reporting burden. This has led to the removal of the “Credit risk – IFRS 9” module and the continued exclusion of “Agreed Upon Procedure” (AUP) reports.
However, a reduction in volume does not mean a reduction in rigor. The Approved Statutory Auditor (REA) now focuses on two core, separate reports: AML/CFT and the Protection of Financial Instruments/Funds. Crucially, the CSSF has increased its expectations for the REA’s qualitative output. For the AML/CFT report, auditors are now required to provide a “positive assessment” for each area. The regulator has explicitly rejected “imprecise negative formulations”—such as “we did not encounter serious weaknesses”—demanding instead a transparent, methodology-backed confirmation of compliance. This is the fifth major shift under Circular CSSF 25/897 related to annual self-assessment questionnaire (SAQ) and the reports prepared by the REA (Réviseurs d’Entreprises Agréés).
6. Timeline for Compliance: The December 2025 Deadline for Credit Institutions in Luxembourg
The revised framework officially takes effect on December 31, 2025. Institutions must be mindful of the specific submission windows established in sections 4.1 and 4.2 of the updated framework:
- SAQ Submission: Must be transmitted within three months after the financial year-end.
- REA Reports Submission: The separate reports prepared by the auditor have a five-month window for transmission after year-end.
Institutions will be able to access the relevant questionnaires via the CSSF digital solution three months prior to their financial year-end. Actionable Guidance: Given that the new UCI and EMIR modules represent the most likely points of friction, institutions should begin internal “mapping” of these requirements immediately to ensure data structures are ready for the 2025 cycle.
7. Conclusion: Toward a More Agile Regulatory Future for Credit Institutions in Luxembourg
The shifts introduced by Circular CSSF 25/897 underscore the CSSF’s transition into an agile, RegTech-oriented regulator. By integrating digital resilience into core IT risk management, expanding oversight into EMIR and UCI administration, and adopting a digital-first repository, the regulator is prioritizing focused, high-quality data over-redundant reporting.
This evolution benefits the institution by reducing clutter, but it demands a higher standard of internal accuracy and cross-functional integration. As regulatory requirements become more agile and data-driven, how is your institution evolving its internal data structures to keep pace with a regulator that is increasingly digital-first?
This news related to CSSF CSSF Circular 25/897 can be considered beneficial under CSSF-Circulars, Credit Institutions News and Must Read. The pre-filled example templates for many CSSF Circulars should be available at https://ratiofy.lu/templates/ from the summer of 2026.
