LINARI LAW

CSSF updates on ICT risk management and outsourcing obligations for financial professionals

In the beginning of April 2025, the Commission de Surveillance du Secteur Financier (CSSF) published several important updates that modify Luxembourg’s regulatory framework for ICT risk management and outsourcing, in line with the provisions of the Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (known as DORA).

 

These updates not only affect entities falling under DORA and supervised by the CSSF but also those that are not, aiming to remove overlaps and bring greater clarity and coherence to the regulatory landscape.

Among the newly issued circulars, the Circular CSSF 25/880 is particularly relevant for payment service providers (PSPs). It applies to both DORA and non-DORA entities and implements the revised EBA Guidelines 2025/02 on ICT and security risk management. This circular consolidates PSP-specific obligations previously covered under Circular CSSF 20/750, streamlining the rules and aligning them more closely with European requirements.

In parallel, Circular CSSF 25/881 amends Circular CSSF 20/750 by narrowing its scope. It now applies only to non-DORA entities and removes all PSP-specific requirements, which are instead addressed under the new Circular 25/880. This update marks a clear distinction between the treatment of DORA and non-DORA entities and reflects the CSSF’s attempt to avoid duplication and confusion.

As for the use of ICT third-party services and outsourcing, two other circulars bring further clarification. The Circular CSSF 25/882 addresses DORA entities specifically and complements DORA by detailing the requirements applicable to financial entities using ICT services provided by third-party providers. The circular highlights obligations such as safeguarding professional secrecy, complying with back-up and storage requirements when outsourcing accounting systems abroad, and designating a “cloud officer” in cloud computing scenarios. It also introduces a new form that must be used to notify the CSSF about any planned or updated contractual arrangements supporting critical or important functions.

The Circular CSSF 25/883 amends the Circular CSSF 22/806 to reflect the entry into application of DORA. The amended version of Circular 22/806 now continues to apply to DORA entities only for business process outsourcing, as ICT outsourcing by these entities falls within the remit of the Circular 25/882. However, for non-DORA entities, the Circular 22/806 remains fully applicable, covering both business process and ICT outsourcing.

The new notification form introduced by the CSSF is mandatory as of 9 April 2025 for all DORA entities. It must be used to inform the authority of any new ICT outsourcing arrangements that support critical or important functions, or if an existing function becomes critical or important. To ease the transition, until 10 May 2025 submissions using the previous form are still being accepted.

All the new circulars entered into force upon publication.

PREVIOUS
Linari Law Firm advises Argan Capital on successful continuation fund for Polon-Alfa
NEXT
Investing in Nigeria: Unlocking opportunities through strategic legal partnerships

Related posts

Browse All
Wishing you a wonderful summer break!

Wishing you a wonderful summer break!

With the peak of summer finally here, we would like to take a moment to wish you a restful and pleasant break. This season is a great time to recharge and enjoy quality moments with those who matter most.
Carried interest tax reform in Luxembourg: A new era for AIF managers

Carried interest tax reform in Luxembourg: A new era for AIF managers

Luxembourg has introduced significant tax reforms impacting carried interest for Alternative Investment Fund (AIF) managers. The changes align domestic rules with international tax standards, offering greater clarity and competitiveness. These reforms define eligible beneficiaries and apply favorable tax treatment under specific conditions. AIF managers must now reassess their structures to…
Luxembourg increases “Bëllegen Akt” tax credit to €40,000 to boost homeownership

Luxembourg increases “Bëllegen Akt” tax credit to €40,000 to boost homeownership

Luxembourg has permanently increased the “Bëllegen Akt” tax credit from €30,000 to €40,000 per buyer, effective from 1 July 2025. The measure aims to support homeownership by reducing notarial and registration fees for individuals buying a primary residence. Couples can benefit from up to €80,000 when purchasing jointly.
Career opportunity: WE ARE HIRING!

Career opportunity: WE ARE HIRING!

We are currently seeking a qualified and experienced Avocat à la Cour with a strong background in regulatory, investment funds, and/or corporate law to join our team.
Collective bargaining: unions retain exclusive negotiating power

Collective bargaining: unions retain exclusive negotiating power

After months of tension, the government and social partners have resumed talks on labour issues. Unions secured confirmation of their exclusive right to negotiate collective bargaining agreements. This key agreement restores trust and paves the way for further discussions. Challenges remain, but dialogue has now been re-established.
Data protection reform: EU to streamline cross-border GDPR enforcement

Data protection reform: EU to streamline cross-border GDPR enforcement

The EU has reached a key agreement to simplify how cross-border GDPR cases are handled, making enforcement faster, more transparent, and more consistent across member states. The new rules introduce clearer procedures, tighter deadlines, and enhanced rights for individuals and organizations involved. This reform aims to strengthen cooperation between national…
Browse All

A LEGACY OF LAW. A FUTURE OF INNOVATION.
25 years of legal excellence – the journey continues.

Contact Info

+352 27 11 60 10

info@linari-law.lu

128 Rue du Cimetière, L-8018 Strassen
Luxembourg

UP