Luxembourg: CSSF aligns with DORA – Key updates on ICT and outsourcing rules

In short

On 9 April 2025, the Fee de Surveillance du Secteur Financier (CSSF) issued a number of new circulars associated to data and communication applied sciences (ICT) danger administration and the usage of ICT third events, aiming to align current circulars and practices with the Digital Operational Resilience Act (DORA). 

Key adjustments embrace amendments to Round CSSF 20/750 on ICT and safety danger administration and Round CSSF 22/806 on outsourcing preparations, together with the introduction of New Round CSSF 25/882 and Round CSSF 25/880.

These updates intention to scale back regulatory overlap, improve readability, and guarantee compliance with DORA, impacting ICT danger administration and outsourcing follow for each DORA and non-DORA entities supervised by the CSSF.

DORA entered into drive on 17 January 2025 and since then has been immediately relevant beneath Luxembourg legislation.

DORA enhances the monetary sector’s digital operational resilience by imposing new obligations on monetary entities and ICT service suppliers. It requires sturdy measures to handle and mitigate ICT dangers, structured round 5 key pillars: ICT danger administration and governance, ICT incident administration and reporting, digital operational resilience testing, technique for ICT third-party danger, and knowledge and intelligence sharing. 

On 2 July 2024, the Luxembourg legislation (“Regulation“) implementing DORA was printed within the Official Journal of the Grand Duchy of Luxembourg, designating the CSSF and the Commissariat aux Assurances (CAA) because the competent Luxembourgish authorities liable for its utility by the in-scope entities beneath their supervision.

ICT and safety danger administration

• New Round CSSF 25/880: This round is addressed to all fee service suppliers (PSPs), each DORA and non-DORA entities. It adopts the brand new EBA Tips on ICT and safety danger administration, which intention to harmonize and supply the necessities for PSPs’ ICT evaluation. It additionally implements the reporting requirement on operational and safety dangers outlined within the Regulation of 10 November 2009 on fee companies.
• Round CSSF 20/750: The Round CSSF 20/750 on ICT and safety danger administration stays relevant to non-DORA entities, with solely minor updates being made. The time period “PSPs” has been refined to be restricted to specialised PSPs, help PSPs, POST Luxembourg and third nation branches. DORA entities are explicitly out of scope of this round.

Outsourcing

• Round CSSF 22/806: This round gives a complete framework for outsourcing preparations, together with ICT outsourcing. DORA has launched harmonized necessities for the usage of ICT third-party companies, together with ICT outsourcing, which overlap with Round CSSF 22/806.

To take away overlaps with DORA, Round CSSF 22/806 has been amended to use to DORA entities just for enterprise course of outsourcing, whereas ICT outsourcing necessities are already ruled by DORA. The amended round stays absolutely relevant to non-DORA entities for each enterprise course of and ICT outsourcing, and to administration corporations regarding undertakings for collective funding. Moreover, particular contractual clauses for cloud computing service suppliers have been repealed to align necessities between DORA and non-DORA entities.

• New Round CSSF 25/882: The CSSF has launched Round CSSF 25/882, detailing necessities for the usage of ICT third-party companies for DORA entities. This round outlines necessities for the usage of ICT third-party companies, together with reporting obligations and sustaining a register of data. It additionally retains some components from Round CSSF 22/806 that aren’t lined by DORA however stay essential for compliance.

To totally adjust to the CSSF updates, in-scope entities beneath its supervision should do the next:

• Assessment and replace ICT Threat Administration procedures to make sure alignment with the brand new EBA Tips and the necessities set out in Round CSSF 25/880.
• Adjust to the applied reporting necessities outlined in Article 105-1(2) of the Regulation of 10 November 2009 on fee companies.
• Assessment and amend outsourcing agreements to adjust to the up to date necessities in Round CSSF 22/806 and the brand new Round CSSF 25/882, notably for ICT outsourcing.