Update of several CSSF circulars related to ICT risk management and use of ICT third parties / ICT outsourcing
The CSSF is hereby informing all supervised entities of important updates concerning the provisions of several CSSF circulars, following the entry into application of DORA1. It must be noted that the updates not only concern entities falling in the scope of DORA and supervised by the CSSF2 (“DORA entities”), but also other entities supervised by the CSSF (“non-DORA entities”).
As Circular CSSF 20/750 on ICT and security risk management and Circular CSSF 22/806 on outsourcing arrangements overlapped partially or entirely with the DORA regulation, these updates were necessary to provide enhanced clarity and transparency to the market.
1. ICT and security risk management: Update of Circular CSSF 20/750 on ICT and security risk management and publication of a new circular
DORA has introduced, inter alia, harmonised requirements for the information and communication technology (ICT) risk management framework.
With a view to reducing the overlap with the DORA regulation, the European Banking Authority (“EBA”) reviewed its existing Guidelines on ICT and security risk management EBA/GL/2019/04 (“old EBA Guidelines”) and decided that an amendment was needed. Consequently, the EBA issued EBA GL 2025/02 amending EBA GL/2019/04 on ICT and security risk management (“new EBA Guidelines”).
The CSSF decided to adopt these new guidelines which are addressed only to Payment Service Providers (“PSPs”), and to add to this implementation the reporting requirement of Article 105-1(2) of the Law of 10 November 2009 on payment services (“LPS”) for PSPs.
On the other hand, the requirements of Circular CSSF 20/750 which were also applicable to non-DORA entities, remain applicable to them.
To provide a coherent update, the CSSF has taken the approach of publishing a new circular transposing the new EBA Guidelines and of updating Circular CSSF 20/750, as depicted below:
- 9 April 2025: Circular CSSF 25/880 on relationship management of payment service users and PSP ICT assessment (CSSF circular)
- 9 April 2025: Circular CSSF 25/881 amending Circular CSSF 20/750 on requirements regarding information and communication technology (ICT) and security risk management (CSSF circular)
- 25 August 2020, updated on 9 April 2025: Circular CSSF 20/750 (as amended by Circulars CSSF 22/828 and 25/881) on requirements regarding information and communication technology (ICT) and security risk management (CSSF circular; French version being updated). Contact for questions and comments regarding the "PSP ICT Assessment" form: pspictassessment@cssf.lu
2. Use of ICT third-party services: Update of Circular CSSF 22/806 on outsourcing arrangements and publication of a new circular
DORA has introduced harmonised requirements on the use of ICT third-party services, including ICT outsourcing services, which are also in the scope of Circular CSSF 22/806 on outsourcing. In order to remove this overlap, the CSSF has decided to:
- Amend Circular CSSF 22/806 on outsourcing arrangements regarding the provisions related to ICT outsourcing3, which are largely replaced by the DORA provisions on ICT third-party risk management:
- The scope of application has been modified and the amended Circular CSSF 22/806 will:
- be applicable to DORA entities only for business process outsourcing. The ICT outsourcing requirements are repealed as they are now covered by the DORA provisions on ICT third-party risk management and by a new circular, as explained below.
- remain fully applicable to non-DORA entities for business process outsourcing and ICT outsourcing.
- remain applicable, for ICT outsourcing, to management companies authorised only under Article 125-1 of Chapter 16 of the Law of 17 December 2010 relating to undertakings for collective investment.
- The requirement for specific contractual clauses for cloud computing service providers (contract subject to the law of one of the Member States of the EEA and resilience of the cloud computing services provided in the EEA) has been repealed to align the requirements between non-DORA and DORA entities.
- Create a new Circular CSSF 25/882 on requirements on the use of ICT third-party services for DORA entities, which contains practical modalities regarding the reporting obligations for new critical or important ICT third-party arrangements and for the register of information, as well as a specific chapter on the use of ICT services which retains some elements from Circular CSSF 22/806 that are not covered in DORA but are still relevant and necessary to confirm to entities.
The approach can be depicted as follows:
- 9 April 2025: Circular CSSF 25/882 on requirements on the use of ICT third-party services for Financial Entities subject to the Digital Operational Resilience Act (DORA) (CSSF circular)
- 22 April 2022, updated on 9 April 2025: Circular CSSF 22/806 (as amended by Circular CSSF 25/883) on outsourcing arrangements (CSSF circular). Link to the communiqué of 1 July 2022.
For any further questions please contact: ictrisksupervision@cssf.lu.
Please note that the web pages ICT Risk and Digital Operational Resilience Act (DORA) are currently under review and will be updated shortly. The update will include a mapping of these circulars.
1 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector
2 financial entities defined in Article 2(1)(a) to (i), (k) to (m), (p), (r) and (s), and within the meaning of Article 2(2) of Regulation (EU) 2022/2554
3 The EBA is reviewing the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02). The CSSF will consider future changes to the provisions of Circular CSSF 22/806 related to non-ICT outsourcing arrangements once the EBA has published amended or new guidelines following its review.