Luxembourg Financial Regulatory News:
Basis and Inspiration for the Circular CSSF 25/881:
The Circular CSSF 25/881 is based on the Digital Operational Resilience Act (DORA) and the new EBA Guidelines (EBA/GL/2025/02). It was inspired by the need to avoid an overlap between DORA and the existing ICT and security risk management framework, ensuring that entities not covered by DORA still fulfill their obligations.
Read more at the official link: https://www.cssf.lu/en/Document/circular-cssf-25-881/
Scope of Applicability:
This Circular CSSF 25/881 applies to:
- Professionals of the financial sector (PFS and specialised PFS) as defined in the Law of April 5, 1993, on the financial sector (LFS), that are not in scope of DORA.
- POST Luxembourg governed by the Law of December 15, 2000, on postal financial services.
- Branches in Luxembourg of credit institutions, investment firms, payment institutions, and e-money institutions incorporated in a third country.
Exemptions:
Circular CSSF 20/750 no longer applies to financial entities that are subject to the DORA regulation and supervised by the CSSF, as these entities are now directly subject to DORA’s requirements.
Date of Applicability:
This circular applies with immediate effect as of its publication date, April 9, 2025.
Main Subjects and Domains Covered:
The Circular CSSF 25/881 amends Circular CSSF 20/750 by:
- Narrowing its scope to apply only to “non-DORA entities.”
- Removing specific sections that are now covered by the new Circular CSSF 25/880 (e.g., relationship management of payment service users and PSP ICT assessment).
- Integrating requirements from the EBA Guidelines directly into the text of Circular CSSF 20/750.
High-Level Requirements:
Non-DORA entities under CSSF supervision must continue to comply with the updated Circular CSSF 20/750. The Circular CSSF 25/881 details requirements for:
- ICT and security risk management frameworks.
- Information security and ICT operations management.
- Business continuity management.
Main Concerned Functions under Circular CSSF 25/881:
The primary functions concerned are those responsible for ICT and security risk management within the financial entities.
In summary, CSSF Circular 25/881, effective immediately on April 9, 2025, amends Circular CSSF 20/750 to streamline ICT risk management requirements in Luxembourg. It specifically narrows the scope of Circular CSSF 20/750 to “non-DORA entities” while removing requirements now covered by the new DORA regulation and Circular CSSF 25/880. The purpose is to avoid regulatory overlap and ensure that entities not subject to DORA, such as certain PFS and third-country branches, continue to meet the CSSF’s expectations for ICT and security risk management.
The pre-filled example templates for Circular CSSF 25/881 should be available at https://ratiofy.lu/templates/ from Christmas 2025.





