On 9 April 2025, the CSSF released four circulars and two communiqués in relation to DORA, which concern all entities supervised by the CSSF, regardless of whether or not they fall within the scope of DORA.
1. Update of Circular CSSF 20/750 on ICT and security risk management and publication of a new circular
Due to the overlap of Circular CSSF 20/750 on ICT and security risk management with DORA, some updates have been made to this Circular.
As a result, the scope of Circular CSSF 20/750 is amended, leading to the deletion of some parts of Circular CSSF 20/750 by Circular CSSF 25/881 and their introduction in a new CSSF Circular 25/880.
Thus, from now on, Circular CSSF 20/750 as amended by Circular CSSF 25/881 applies, inter alia, to all support and specialised professionals of the financial sector, and third-country branches of (i) credit institutions, (ii) investment firms, (iii) payment institutions and (iv) electronic money institutions. The requirements set out in Circular CSSF 20/750 remain largely unchanged for such entities, except those only applicable to payment service providers (PSPs), which are removed and regrouped into Circular CSSF 25/880.
Circular CSSF 25/880 on relationship management of payment service users and PSPs ICT assessment is applicable to all PSPs (DORA entities and non-DORA entities), such as credit institutions, payment institutions, electronic money institutions and their branches that are PSPs. It describes the relationship management of the payment service users and the requirements on PSP ICT assessment, notably on the provision to the CSSF of an updated and comprehensive PSP ICT assessment.
2. Update of Circular CSSF 22/806 on outsourcing arrangements and publication of a new circular
The scope of Circular CSSF 22/806 is amended by a new Circular CSSF 25/883 to apply, partially or entirely, to entities subject or not subject to DORA (i.e. credit institutions and professionals of the financial sector, payment institutions and electronic money institutions) and certain management companies of collective funds, regarding (i) all outsourcing arrangements, (ii) business process outsourcing or only ICT outsourcing arrangements. The requirement of specific contractual clauses for cloud computing service providers has been repealed.
A new Circular CSSF 25/882 on requirements on the use of third-party ICT services for DORA entities including their branches as specified under their respective laws describes (i) the arrangements on the use of a third-party for ICT operation services and the backup of accounting positions, (ii) DORA reporting obligations, i.e. notification of planned contractual arrangements regarding the use of ICT services supporting critical or important functions and register of information and (iii) clarifications on the definition of cloud computing and cloud services in case of use of ICT third-party cloud computing services. Chapter (ii) does not apply to branches in Luxembourg of the financial entities that are part of a legal entity whose head office is located in a different Member State of the European Union and to significant credit institutions, for which the European Central Bank is the competent authority for the prudential supervision.
3. Further clarifications and notifications
The CSSF stresses the broad definition of "ICT services", which encompasses digital and data services provided through ICT systems on an ongoing basis, as stated in Question & Answer 30 of the European Commission. Therefore, services provided by professionals of the financial sector other than IT systems and communication networks operators of the financial sector, dematerialisation services providers of the financial sector and conservation service providers of the financial sector (the "Other Entities") are qualified as "financial services", while services provided by the Other Entities are considered as "ICT service" within the meaning of DORA in all cases.
The CSSF published a new notification form regarding an ICT third-party arrangement supporting a critical or important function under DORA regulation, together with specifications on its application period. Finally, the CSSF released an amended form on notification of a critical or important ICT-outsourcing for entities not subject to DORA to reflect the amendments to Circular CSSF 22/806.
Should you have any questions on the above, do not hesitate to contact one of our experts of the regulatory team.