
Financial entities must align with the new CSSF circulars amending Circular CSSF 22/806 on outsourcing

5 May 2025

Regulatory News Alert

At a glance

The CSSF published two circulars and new notification forms after DORA became applicable on 17 January 2025. This update reshapes the outsourcing requirements for financial entities in Luxembourg.

These updates bring harmonization and more legal clarity to the market in the context of the DORA regulation. Firms must reassess whether they qualify as a “DORA entity” or a “non-DORA entity” and align their third-party risk management and outsourcing frameworks with the requirements that apply to them.

A closer look

On 9 April 2025, the Commission de Surveillance du Secteur Financier (CSSF) published two new circulars clarifying and refining the regulatory framework on outsourcing. As many market participants anticipated, these updates mark an important step in aligning Luxembourg’s regulatory framework with the Digital Operational Resilience Act (DORA). Organizations must determine whether they qualify as a “DORA entity” or a “non-DORA entity” in order to identify which circular applies to them. Both circulars apply as of 9 April 2025.


What This Means for You

The updates distinctly separate requirements for DORA and non-DORA entities:

  • DORA entities:
    • Financial entities as defined in Article 2 of Regulation (EU) 2022/2554 (DORA), including credit institutions, payment institutions, investment firms, crypto-asset service providers, trading venues, fund managers, central securities depositories (CSDs) and central counterparties (CCPs).
    • Action required: Ensure alignment with Circular CSSF 25/882, in particular the new DORA reporting (Register of Information, RoI), the notification of ICT services supporting critical or important functions (CIFs), and the remaining IT operations and cloud-specific requirements – see below.
    • Action required: Ensure continued compliance with Circular CSSF 22/806 as amended by Circular CSSF 25/883 for business process outsourcing.
  • Non-DORA entities:
    • Supervised entities not subject to DORA, including specialised and support professionals of the financial sector (PFS), POST Luxembourg, Luxembourg branches of third-country institutions, and UCITS management companies authorized under Article 125-1 of Chapter 16 of the UCITS Law.
    • Action required: Ensure continued compliance with Circular CSSF 22/806 as amended by Circular CSSF 25/883 (for management companies authorized under Article 125-1 of Chapter 16 of the UCITS Law, only the IT outsourcing requirements apply).


What are the key changes to the requirements on outsourcing?

Updates to Circular CSSF 22/806

  • Circular CSSF 25/882 – Tailored exclusively to DORA entities, defining compliance steps in line with DORA:
    • Defines practical reporting requirements under DORA, including the Register of Information (RoI) on ICT third-party contracts and prior notification of CIF-related third-party arrangements (three months in advance, or one month when the provider is a support PFS).
    • For DORA entities, the ICT outsourcing requirements are now fully replaced by ICT third-party risk management under DORA.
    • Circular CSSF 25/882 preserves certain ICT cloud computing requirements from Circular CSSF 22/806 that DORA does not cover, such as the designation of a Cloud Officer for cloud services.
    • Circular CSSF 25/882 also preserves the requirements on using a third party for ICT operation services and on keeping a back-up of accounting positions in the EU.
  • Circular CSSF 25/883 (amending Circular CSSF 22/806):
    • For DORA entities: Circular CSSF 22/806 remains applicable only to business process outsourcing (BPO). Its ICT outsourcing (ITO) requirements are repealed, as they fall entirely under DORA’s ICT third-party risk management and the new Circular CSSF 25/882.
    • For non-DORA entities: Circular CSSF 22/806 remains fully applicable to both BPO and ITO (except for Chapter 16 UCITS management companies, to which only the ITO requirements apply).

Updates to notification form on ICT third-party arrangements:

  • For DORA entities:
    • The CSSF published a new notification form to be submitted at least three months before implementing a new ICT third-party arrangement, or one month in advance when resorting to a Luxembourg support PFS.
    • The same form is used to notify the CSSF without undue delay when a function supported by an existing arrangement has become critical or important.
  • For non-DORA entities:
    • The requirements of Circular CSSF 22/806, as amended by Circular CSSF 25/883, remain applicable. The previous notification form should still be used to notify critical or important ICT outsourcing.


Definition of “ICT services”

The CSSF also formally clarified which PFS services count as “ICT services” in the context of DORA:

  • Services provided by support PFS authorized under Articles 29-3 to 29-6 of the Law of 5 April 1993 on the financial sector must be treated as ICT services within the meaning of DORA Article 3(21).
  • All other financial services provided by PFS are not considered ICT services, so they are not subject to DORA’s ICT third-party risk management requirements, such as the additional contractual requirements or inclusion in the Register of Information.

We recommend reviewing your current ICT services and outsourcing arrangements to confirm they meet these updated requirements. For DORA entities, this is especially important as you prepare for the new reporting obligations.

How Deloitte can help

Deloitte’s specialists and dedicated services can help you tackle not only the compliance challenges but also the opportunities arising from these new circulars and regulations.

We can support you in the following critical areas:

  • Reviewing your third-party risk management and outsourcing frameworks
  • Performing regulatory and operational gap analysis
  • Refining vendor due diligence processes to meet regulatory expectations
  • Designing a resilient and compliant framework

At Deloitte Luxembourg, we are actively supporting our clients in navigating this shift, assessing their outsourcing frameworks, refining vendor due diligence processes, and aligning with evolving regulatory expectations.

If you are a DORA-regulated entity unsure about the implications of these amendments, or a non-DORA regulated entity seeking to ensure that your outsourcing framework remains fit for purpose, reach out to us.
