Luxembourg Financial Regulatory News:
Circular CSSF 26/904 amends the existing reporting framework under Circular CSSF 24/853 for investment firms and Luxembourg branches of non-EU investment firms to better align the self-assessment questionnaire (SAQ) with current supervisory priorities. The update introduces four new thematic modules to the SAQ, specifically covering ICT organization, the ICT risk control environment, UCI administration, and the marketing, distribution, or sale of contracts for differences (CFDs) to retail clients. Furthermore, the circular updates some existing modules to ensure proportionality and streamlines the regulatory text by moving the full list and descriptions of the SAQ modules directly to the CSSF website rather than keeping them within the circular itself.
1. Introduction: Circular CSSF 26/904 updating Circular CSSF 24/853 on the Long Form Report concerning the SAQ to be submitted by investment firms
For decades, the “Long Form Report” (LFR) has been the bane of compliance departments—a static, paper-heavy marathon that often felt more like a box-ticking exercise than a strategic risk assessment. That era has officially ended. The Commission de Surveillance du Secteur Financier (CSSF) has undertaken a “thorough reconsideration” of its supervisory objectives, pivoting toward a risk-based, digital-first philosophy. This evolution, part of the broader “CSSF 4.0” digital strategy, replaces generic reporting with a streamlined diagnostic framework. For the executive suite, this represents a shift from “reporting on the past” to managing data in a way that aligns directly with the regulator’s modern points of focus.
2. Takeaway 1: The “Smart” Questionnaire: Reporting is No Longer One-Size-Fits-All
The centerpiece of the revised LFR is the digital Self-Assessment Questionnaire (SAQ). Moving away from the tradition of universal checklists, the SAQ utilizes a “General information” section to filter relevance from the outset. By applying the principle of proportionality, the system activates only the thematic modules—such as internal governance or MiFID-specific arrangements—that correspond to a firm’s specific business model and size.
From a strategic perspective, this eliminates the noise of redundant data entry. It transforms the reporting burden into a targeted diagnostic tool, ensuring firms only provide information that is incremental to what has already been reported through other channels.
The revision of the long form report is the result of a thorough reconsideration of its objective, scope and content in order to realign it with the supervisory and prudential points of focus of the CSSF.
3. Takeaway 2: CSSF 4.0: The End of the Paper Trail Circular CSSF 26/904 updating Circular CSSF 24/853 on the Long Form Report concerning the SAQ to be submitted by investment firms
In line with the CSSF’s digital strategy, the entire LFR process has moved to the eDesk portal. This is not merely a change in medium; it is a fundamental shift in how data is maintained. All submissions now require electronic signatures from authorized management and the réviseurs d’entreprises agréés (REA).
Crucially, the digital solution introduces “roll-forward” functionality. This transforms the annual reporting hurdle into a continuous data-maintenance exercise. Instead of rebuilding reports from scratch every January, firms update their previous year’s data, allowing the CSSF to perform sophisticated, year-over-year trend analysis. This digital-first approach marks a significant leap in regulatory efficiency, requiring firms to treat their SAQ as a living document rather than a once-a-year filing.
4. Takeaway 3: ICT, DORA, and UCI: Technology is the New Compliance Frontier under Circular CSSF 26/904 updating Circular CSSF 24/853 on the Long Form Report concerning the SAQ to be submitted by investment firms
With the issuance of Circular CSSF 26/904, the regulator has officially elevated Information and Communication Technology (ICT) from a sub-topic of governance to a primary pillar of risk. The CSSF has essentially gutted the old Section 8 (IT function) of the governance module to populate more rigorous, dedicated modules: “ICT organisation” and “ICT risk control environment.”
This move signals strict alignment with the Digital Operational Resilience Act (DORA). Notably, the “ICT risk control environment” module applies to Class 2 and Class 3 investment firms but respects DORA’s proportionality by exempting microenterprises. Furthermore, a new “UCI administration” module has been introduced for firms providing registrar functions, NAV calculation, or accounting services. This structural change confirms that in the eyes of the regulator, ICT risk and specialized administration are now equal in importance to traditional financial governance.
5. Takeaway 4: The Auditor’s Three-Year Odyssey under Circular CSSF 26/904 updating Circular CSSF 24/853 on the Long Form Report concerning the SAQ to be submitted by investment firms
The mission of the réviseur d’entreprises agréés (REA) has been fundamentally restructured. The revised LFR now consists of four distinct pillars: the SAQ, the AUP Report, the MiFID Report, and the AML/CFT Report. The REA’s role is now centered on “Agreed-Upon Procedures” (AUP) performed under the ISRS 4400 standard.
To balance oversight with cost, the CSSF utilizes a “three-year-cycle” for the AUP report, ensuring full MiFID coverage over time rather than one exhaustive annual audit. However, there is a vital “need-to-know” for smaller players: Partial Scope Investment Firms are exempted from submitting the AUP report for the cycle starting 31 December 2024. While the REA does not “validate” the SAQ itself, they are required to contact the CSSF if they identify material errors that impact their work—a nuance that demands high-quality internal data before the auditors even arrive.
In this context, the REA shall… verify and ensure that these elements are correct and adequate; assess the appropriateness of the description provided by the investment firm; and perform appropriate control procedures to corroborate assertions set forth by the investment firm in the SAQ.
6. Takeaway 5: Specialized Scrutiny: CFDs and Client Safeguards under Circular CSSF 26/904 updating Circular CSSF 24/853 on the Long Form Report concerning the SAQ to be submitted by investment firms
The CSSF is increasingly using its digital modules to apply granular scrutiny to high-risk retail sectors. Circular 26/904 introduced a specific module for the “marketing, distribution or sale of contracts for differences (CFDs) to retail clients.”
This specialized focus is reinforced by the requirement for a separate “MiFID report” dedicated specifically to the protection of financial instruments and funds belonging to clients. By carving out these niches, the CSSF ensures that firms engaged in high-risk distribution or the safeguarding of client assets are subject to more intensive, standalone oversight than those with simpler business models.
7. Conclusion: A Provocative Look Ahead under Circular CSSF 26/904 updating Circular CSSF 24/853 on the Long Form Report concerning the SAQ to be submitted by investment firms
The transition to a digital, risk-based LFR represents a “hard pivot” for the Luxembourg financial sector. By 2026, firms still relying on legacy paper-based controls will find themselves increasingly out of step with a regulator that now operates through “smart” questionnaires and multi-year data trends.
As we approach the new deadlines, boards must ask themselves: Is our internal ICT governance robust enough to withstand the granular scrutiny of the new modules? And perhaps more importantly, is this move toward digital data management the final step before the CSSF shifts from annual filings to real-time regulatory monitoring?
This news related to Circular CSSF 26/904 can be considered beneficial under CSSF-Circulars, and Investment Firms News.
The pre-filled example templates for many CSSF Circulars should be available at https://ratiofy.lu/templates/ from the summer of 2026.
