New rules on material IT outsourcing in the financial sector

Effective 15 October 2021, financial institutions must notify the CSSF of any planned outsourcing of material IT activities. This notification obligation replaces the prior authorisation requirement. 

On 14 October 2021, the Luxembourg financial regulatory authority, the Commission de Surveillance du Secteur Financier ("CSSF"), issued a new circular (Circular 21/785) replacing the prior authorisation obligation for material IT outsourcing with a prior notification obligation (the "Circular"). The Circular also modifies certain contractual requirements applicable to cloud outsourcing, which should allow for more flexibility within corporate groups. 

It is furthermore expected that the CSSF will issue in the near future a new, overarching circular on outsourcing to implement the 2019 EBA guidelines on outsourcing arrangements, which are applicable to all supervised entities falling within the scope of the Financial Sector Act of 5 April 1993 (FSA) and the Payment Services Act of 10 November 2009 (PSA) (the "new outsourcing circular"). The provisions of the new outsourcing circular on IT-related outsourcing will also apply to investment fund management companies. 

This newsflash briefly summarises the main changes introduced by the Circular.

Scope of the circular

The Circular is addressed to all credit institutions, financial sector professionals ("FSPs") and other FSA-regulated entities, payment institutions and e-money institutions within the meaning of the PSA, as well as investment fund managers subject to CSSF Circular 18/698. 

The new notification obligation applies to material IT outsourcing and most cloud outsourcing arrangements. The Circular modifies:

  • CSSF Circular 12/552 on central administration, internal governance and risk management, as amended, applicable to credit institutions;
  • CSSF Circular 17/656 on administrative and accounting organisation and IT outsourcing, applicable to FSPs, payment institutions and e-money institutions;
  • CSSF Circular 20/758 on central administration, internal governance and risk management, applicable to investment firms; and
  • CSSF Circular 17/654 on cloud outsourcing, as amended. 

IT outsourcing means an arrangement of any form between a supervised entity and a service provider (including an affiliate) whereby the service provider is responsible for performing an IT process, service or activity that would otherwise be performed by the supervised entity itself. The covered processes, services and activities are exclusively IT related. The Circular applies only to pure IT outsourcing, and thus not to business process outsourcing. 

For other material outsourcing arrangements, the prior authorisation obligation remains applicable for the time being. In the context of cloud outsourcing, support FSPs authorised under Article 29-3 or 29-4 of the FSA are still obliged to obtain a prior authorisation in certain circumstances, but the new outsourcing circular will probably extend the notification obligation to non-IT-related material outsourcing arrangements. 

New notification obligation

Effective 15 October 2021, financial institutions need no longer obtain a prior authorisation for the outsourcing of a material IT activity. Instead, it is sufficient for the financial institution to notify the CSSF of its outsourcing project at least three months prior to the time at which it will become effective. This period is reduced to one month if the financial institution uses a support FSP within the meaning of Articles 29-3 to 29-6 of the FSA, i.e., primary IT systems operators, secondary IT systems and communications networks operators, dematerialisation service providers and conservation service providers within the meaning of the E-archiving Act of 25 July 2015. 

In the absence of a response from the CSSF by the end of the abovementioned three- or one-month period, the institution can proceed with the outsourcing arrangement. 

The notification form, available in English on the CSSF's website, must be submitted in an editable Word version as well as in PDF and covers:

  • the identification of the project and details of the supervised entity;
  • details of the IT service provider (including information on the resource operator for cloud outsourcing);
  • a description of the IT outsourcing project, including a comparison of the current IT set-up (“as is”) and the planned IT set-up (“to be”) and information on data centre providers;
  • outsourcing governance, including the name of the "cloud officer" in the case of cloud outsourcing;
  • contractual arrangements;
  • information security; and
  • business continuity. 

The CSSF has issued an FAQ (last updated in March 2021) to help assess the materiality of an IT outsourcing arrangement. It should be noted that the new outsourcing circular will replace the concept of "material activity" with that of "critical or important function" in keeping with the 2019 EBA guidelines on outsourcing arrangements. 

Additional changes for cloud outsourcing 

With respect to the contractual requirements applicable to cloud outsourcing, the Circular provides more flexibility for corporate groups. Thus, if the outsourcing agreement is a group contract and group entities outside the European Union will also be able to benefit from the cloud computing services:

  • the contract may also be made subject to the law of the country of the signing (group) entity, even if this country is outside the European Union; and
  • resiliency of the cloud computing services within the European Union is no longer required, but should be considered in the institution's risk analysis. 

Entry into force and transitional measures 

The Circular entered into force on 15 October 2021. Thus, financial institutions can notify any planned material IT outsourcing as from this date. 

Applications for the authorisation of the outsourcing of material IT activities submitted to the CSSF before 15 October 2021 are subject to transitional measures, set out in a separate communication. 

Financial institutions that applied for an outsourcing authorisation before 31 August 2021 inclusive will receive from the CSSF feedback on their applications in the form of a request for additional information, a notice of no objection, a conditional notice of no objection or a refusal, in accordance with the procedures and deadlines in place before 15 October 2021. 

For financial institutions that applied for an outsourcing authorisation between 1 September 2021 and 14 October 2021 inclusive, the following applies: 

  • The CSSF may respond to the application (by way of a request for additional information or a partial or complete objection to the project) no later than 15 January 2022. In its response, the CSSF will provide the financial institution concerned with details of the follow-up of the application.
  • In the absence of a response from the CSSF to the application by 15 January 2022, the financial institution may proceed with the proposed outsourcing. 


The Circular is intended to bridge the transition period until issuance of the new outsourcing circular. It is expected that the new outsourcing circular will apply to all supervised entities under the FSA and the PSA (as well as to fund management companies) and extend the notification regime to all types of critical or important (i.e. material) outsourcing. 

A draft of the new outsourcing circular was sent to stakeholders for consultation and feedback last summer. It remains unclear, however, when the final version will be issued. In any event, it should be issued shortly, as the deadline for implementation of the 2019 EBA guidelines on outsourcing arrangements into the Luxembourg financial regulatory framework is 31 December 2021. We will be sure to keep you posted.

See also: Nautadutilh Avocats Luxembourg Sàrl (Mr. Vincent Wellens, Mrs. Josée Weydert, Ms. Carmen Schellekens, Mr. Luc Courtois)

http://www.nautadutilh.com
