CSSF updates on ICT risks for DORA entities in Luxembourg
In April 2025, Luxembourg’s Commission de Surveillance du Secteur Financier (CSSF) published several new circulars on information and communication technologies (ICT) risk management and outsourcing to align its regulatory framework with the EU’s Digital Operational Resilience Act (DORA). These updates seek to eliminate regulatory overlaps, enhance clarity on the obligations of supervised entities and establish a clear distinction between entities governed by DORA and those outside its scope.
Significant changes include amendments to Circular CSSF 20/750, which enhances ICT and security risk management, and updates to Circular CSSF 22/806, addressing outsourcing arrangements. Additionally, the introduction of the new Circular CSSF 25/882 and Circular CSSF 25/880 further reinforces compliance measures across the regulatory landscape.
What are the CSSF updates?
The amended and new circulars issued by the CSSF are set out below:
ICT and security risk management
- New Circular CSSF 25/880: This circular focuses on ICT assessment for payment service providers (PSPs) and applies to both DORA and non-DORA entities. It implements the updated European Banking Authority (EBA) Guidelines 2025/02 on ICT and security risk management. This circular also integrates the reporting requirement on operational and security risks previously outlined in Circular CSSF 20/750.
Changes introduced by the new Circular CSSF 25/880 include a new annual reporting requirement for PSP ICT risk assessments and the submission of a notification form to the CSSF regarding contractual arrangements involving ICT services supporting critical functions.
- Circular CSSF 20/750 (amended by Circular CSSF 25/881): The scope of Circular CSSF 20/750 on ICT and security risk management now only applies to non-DORA entities. By clearly differentiating the regulatory treatment of DORA and non-DORA entities, this update demonstrates the CSSF’s effort to avoid regulatory overlap and potential confusion.
Key changes include clarification of ICT risk requirements for financial entities that are not subject to DORA, the removal of provisions related to PSPs (which are now addressed under the new Circular CSSF 25/880), and updated compliance obligations for non-DORA entities.
Outsourcing
- Circular CSSF 22/806 (amended by Circular CSSF 25/883): The amended Circular CSSF 22/806 remains applicable to DORA entities solely for business process outsourcing, while ICT outsourcing by these entities now falls under Circular CSSF 25/882. For non-DORA entities, Circular CSSF 22/806 remains applicable for both business process and ICT outsourcing.
A key change in this amended circular is the removal of specific contractual clauses for cloud computing service providers.
- New Circular CSSF 25/882: This new circular details the requirements for the use of ICT third-party services for DORA entities, including reporting and record-keeping obligations. Additionally, it retains certain elements from Circular CSSF 22/806 that fall outside DORA’s scope but are still essential for ensuring compliance.
Key updates in the new Circular CSSF 25/882 include mandatory DORA reporting obligations and a definition of cloud computing in the context of third-party ICT outsourcing.
How can entities comply with the CSSF updates?
To ensure full compliance with the CSSF updates, supervised entities must review and update their ICT risk management procedures, adhere to the new payment service reporting requirements and amend their outsourcing agreements to meet the latest CSSF standards, particularly for ICT outsourcing. These modifications bring entities into alignment with the latest CSSF circulars and EBA guidelines.
Next steps
As of 9 April 2025, all entities covered by DORA must use the new CSSF notification form to report any new ICT outsourcing arrangements supporting critical or important functions or when an existing function gains critical importance.
With the CSSF updates, Luxembourg’s regulatory framework for ICT risk management becomes clearer and more aligned with DORA’s EU-wide standards. These updates reduce regulatory overlap, ensuring that all in-scope entities can effectively manage ICT risks.
For any further questions or if you require guidance on how these changes may affect your operations, our team at Bolder Group is ready to assist you. Collaborate with us to ensure seamless and efficient compliance with evolving regulatory requirements in the financial sector.
Bolder Group does not provide financial, tax or legal advice and the information contained herein is meant for general information purposes only. We strongly recommend that before acting on any of the information contained herein, readers should consult with their professional advisers. The Bolder Group accepts no liability for any errors or omissions in the information, or the consequences resulting from any action taken by a reader based on the information provided herein.
Bolder Group refers to the global network of independent subsidiaries of Bolder Group Holding BV. Bolder Group Holding BV provides no client services. Such services are provided solely by the independent companies within the Bolder Group which are each legally distinct and separate entities and have no authority (actual, apparent, implied or otherwise) to obligate or bind Bolder Group Holding BV in any manner whatsoever. The operations of the Bolder Group are conducted independently and have no affiliation with third party financial, tax or legal advisory firms or corporations.