Update of several CSSF circulars related to ICT risk management and use of ICT third parties / ICT outsourcing
CSSF
As Circular CSSF 20/750 on ICT and security risk management and Circular CSSF 22/806 on outsourcing arrangements were overlapping partially or entirely with DORA regulation, these updates were necessary to provide enhanced clarity and transparency to the market.
1. ICT and security risk management: Update of Circular CSSF 20/750 on ICT and security risk management and publication of a new circular
DORA has introduced, inter alia, harmonised requirements for information and communication technology (ICT) risk management framework.
With a view to reducing the overlap with the DORA regulation, the European Banking Authority (“EBA”) reviewed its existing Guidelines on ICT and security risk management EBA/GL/2019/04 (“old EBA Guidelines”) and decided that an amendment was needed. Consequently, the EBA issued EBA GL 2025/02 amending EBA GL/2019/04 on ICT and security risk management (“new EBA Guidelines”).
The CSSF decided to adopt these new guidelines which are addressed only to Payment Service Providers (“PSPs”), and to add to this implementation the reporting requirement of Article 105-1(2) of the Law of 10 November 2009 on payment services (“LPS”) for PSPs.
On the other hand, the requirements of Circular CSSF 20/750 which were also applicable to non-DORA entities, remain applicable to them.
2. Use of ICT third-party services: Update of Circular CSSF 22/806 on outsourcing arrangements and publication of a new circular
DORA has introduced harmonised requirements on the use of ICT third-party services, including ICT outsourcing services, which are also in the scope of Circular CSSF 22/806 on outsourcing. In order to remove this overlap, the CSSF has decided to:
Amend Circular CSSF 22/806 on outsourcing arrangements regarding the provisions related to ICT outsourcing3, which are largely replaced by the DORA provisions on ICT third-party risk management:
The scope of application has been modified and the amended Circular CSSF 22/806 will:
be applicable to DORA entities only for business process outsourcing. The ICT outsourcing requirements are repealed as they are now covered by the DORA provisions on ICT third-party risk management and a new circular, as explained under point 2 below.
remain fully applicable to non-DORA entities for business process outsourcing and ICT outsourcing.
remain applicable, for ICT outsourcing, to management companies authorised only under Article 125-1 of Chapter 16 of the Law of 17 December 2010 relating to undertakings for collective investment.
The requirement of specific contractual clauses for cloud computing service providers (contract subject to the law of one of the Member States of the EEA and a resilience of the cloud computing services provided in the EEA) have been repealed to align the requirements between non-DORA and DORA entities.
Create a new Circular CSSF 25/882 on requirements on the use of ICT third-party services for DORA entities, which contain practical modalities regarding the reporting obligations for new critical or important ICT third party arrangements and for the register of information, as well a as a specific chapter on the use of ICT services which retains some elements from Circular CSSF 22/806 that are not covered in DORA but are still relevant and necessary to confirm to entities.
For any further questions please contact: ictrisksupervision@cssf.lu.
Please note that the web pages ICT Risk and Digital Operational Resilience Act (DORA) are currently under review and will be updated shortly. The update will include a mapping of these circulars.
1 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector
2 financial entities defined in Article 2(1)(a) to (i), (k) to (m), (p), (r) and (s), and within the meaning of Article 2(2) of Regulation (EU) 2022/2554
3 The EBA is reviewing EBA GL on outsourcing arrangements (EBA/GL/2019/02). The CSSF will consider future changes of the provisions related to non-ICT outsourcing arrangements of Circular CSSF 22/806 once the EBA published amended or new guidelines following their review.