Luxembourg Financial Regulatory News:
Basis and Inspiration for the Circular:
Circular CSSF 25/880 (PSP ICT and User Relationship Assessment) is based on the new EBA Guidelines (EBA/GL/2025/02), which amend the previous EBA Guidelines on ICT and security risk management (EBA/GL/2019/04). It was inspired by the need to avoid overlap with the Digital Operational Resilience Act (DORA) and to ensure that Payment Service Providers (PSPs) not covered by DORA still fulfill their obligations under national requirements.
Read more at the official link: https://www.cssf.lu/en/Document/circular-cssf-25-880/
Scope of Applicability:
This circular CSSF 25/880 applies to:
- All Payment Service Providers (PSPs) as defined in Article 1(37) of the Law of November 10, 2009, on payment services (LPS).
- Branches in Luxembourg of PSPs incorporated in a third country.
- POST Luxembourg, within the scope of the LPS.
Exemptions:
- Luxembourg branches of financial entities whose head office is in another EU Member State and which offer payment services.
- Institutions whose business model does not include the provision of payment services.
Date of Applicability:
This circular CSSF 25/880 applies with immediate effect as of its publication date, April 9, 2025.
Main Subjects and Domains Covered:
The circular CSSF 25/880 covers two main subjects:
- Relationship management of payment service users (PSUs): This includes requirements for PSPs to provide assistance, guidance, and security-related information to their users.
- PSP ICT Assessment: This section specifies the requirements for the annual submission of a standardized risk assessment form related to payment services.
High-Level Requirements:
- PSU Relationship Management: PSPs must establish processes to enhance user awareness of security risks, provide guidance, and offer options such as disabling specific payment functionalities or receiving transaction alerts.
- PSP ICT Assessment: PSPs must submit a standardized, comprehensive ICT assessment annually, validated by a member of their management body, exclusively via the CSSF’s eDesk portal. The assessment should cover the previous calendar year.
Main Concerned Functions:
The primary concerned functions are those responsible for ICT and security risk management, regulatory reporting, and relationship management with payment service users within the PSP.
List of Required Documents to be Prepared:
Institutions must prepare and submit one key document:
- The standardized PSP ICT Assessment form.
In summary, CSSF Circular 25/880, effective immediately on April 9, 2025, applies to all Payment Service Providers (PSPs) in Luxembourg. It transposes new EBA guidelines to ensure PSPs not under DORA still comply with national requirements. The circular has two main focuses: ensuring PSPs provide guidance to users on security risks and mandating the annual submission of a standardized PSP ICT Assessment. This assessment, which must be validated by a member of the management body, is required for all PSPs and their foreign branches in Luxembourg and must be submitted electronically via the CSSF’s eDesk portal by March 31st each year.
The pre-filled example templates for CSSF 25/880 Circular should be available at https://ratiofy.lu/templates/ from Christmas 2025.





