Luxembourg Financial Regulatory News:

Circular CSSF 25/883, effective April 9, 2025, amends Circular CSSF 22/806 to prevent overlapping regulations following the entry into force of DORA. For financial entities subject to DORA, the circular repeals the section on ICT outsourcing from Circular CSSF 22/806, leaving its requirements applicable only to non-ICT outsourcing. Conversely, for entities not in DORA’s scope, Circular CSSF 22/806 remains fully in force. This amendment ensures regulatory clarity, standardizing rules for ICT outsourcing under DORA while maintaining oversight for other arrangements and entities.

Read more at the official link: https://www.cssf.lu/en/Document/circular-cssf-25-883/

Basis and Inspiration for the Circular:

The Circular CSSF 25/883 is inspired by the Digital Operational Resilience Act (DORA), specifically Regulation (EU) 2022/2554. Its purpose is to avoid duplication of requirements between DORA and the existing Circular CSSF 22/806 on outsourcing, providing legal clarity to the market.

Scope of Applicability:

This Circular CSSF 25/883 applies to:

  • Credit institutions and professionals of the financial sector (PFS) within the meaning of the Law of April 5, 1993, on the financial sector (LFS).
  • Payment institutions and electronic money institutions within the meaning of the Law of November 10, 2009, on payment services (LPS).
  • Investment fund managers subject to Circular CSSF 18/698.
  • Undertakings for collective investment in transferable securities (UCITS) subject to Part I of the UCITS Law.
  • Central counterparties (CCPs), approved publication arrangements (APAs), and authorized reporting mechanisms (ARMs).
  • Market operators operating a trading venue.
  • Central securities depositories (CSDs).
  • Administrators of critical benchmarks.

Exemptions:

The Circular CSSF 25/883 removes the following from the scope of Circular CSSF 22/806:

  • Part II of Circular CSSF 22/806 (related to ICT outsourcing) for financial entities subject to DORA.
  • Certain financial entities that previously only had to comply with Circular CSSF 22/806 for ICT outsourcing.

Date of Applicability:

This Circular CSSF 25/883 applies with immediate effect as of its publication date, April 9, 2025.

Main Subjects and Domains Covered:

The Circular CSSF 25/883’s main subject is the amendment of Circular CSSF 22/806 to reflect the relatively new DORA regulation. The main domains covered are:

  • Outsourcing arrangements, particularly the distinction between ICT and non-ICT outsourcing.
  • The scope of application of the original circular, now adjusted for DORA.
  • Contractual clauses for cloud computing providers.

High-Level Requirements under Circular CSSF 25/883:

  • For DORA-subject financial entities, Circular CSSF 22/806 remains applicable for non-ICT outsourcing arrangements (Part I).
  • For entities not subject to DORA, Circular CSSF 22/806 remains applicable in its entirety (both Part I and Part II).
  • Specific contractual requirements for cloud computing providers, which were previously defined in Circular CSSF 22/806, have been repealed to align with DORA.

Main Concerned Functions under Circular CSSF 25/883:

The primary functions concerned are those related to outsourcing, ICT risk management, and legal/regulatory compliance.

This news for Circular CSSF 25/883 can be considered beneficial under: CSSF-Circulars; Central Securities Depositories (CSDs) News; Credit Institutions News; Crowdfunding service providers (CSPs) News; Crypto-Assets Service Providers (CASPs) and Virtual Asset Service Providers (VASPs) News; Data Reporting Service Providers (DRSPs) News; IFMs (AIFMs, ManCos) News; Investment Firms News; Issuers of Tokens (EMTs, ARTs) News; Must Read; Payment Institutions (PIs) / Electronic Money Institutions (EMIs) / AISPs News; Pension funds News; PFS/PSF News; Undertakings for collective investment (UCIs).

The pre-filled example templates for CSSF 25/883 Circular should be available at https://ratiofy.lu/templates/ from Christmas 2025.
