Luxembourg: Material IT outsourcing - the CSSF's new approach

In brief

On 14 October 2021, the Commission de Surveillance du Secteur Financier (CSSF) issued a new Circular CSSF 21/785, whose purpose is to replace the prior authorization requirement for any material IT outsourcing, including IT outsourcing relying on a cloud-computing infrastructure, by an obligation to notify the CSSF prior to the implementation of the outsourcing arrangement. Circular CSSF 21/785 has therefore amended Circular CSSF 12/552 as amended, Circular CSSF 17/656, Circular CSSF 20/758 and Circular CSSF 17/654 accordingly.

Circular CSSF 21/785, which entered into force as of 15 October 2021, applies to all credit, payment and electronic money institutions, professionals of the financial sector (PFS) companies and investment fund managers subject to Circular CSSF 18/698.


Simplified procedure

  • Outsourcing of material IT activities

In its communiqué dated 20 October 2021, the CSSF stated that "Material IT outsourcing concerns "critical or important functions" as defined in the EBA Guidelines on outsourcing (EBA/GL/2019/02), namely functions where a failure would materially impair the soundness and continuity of the entity's services and activities as well as its regulatory compliance obligation."

The supervised entities may further refer to the CSSF Frequently Asked Questions on the assessment of IT outsourcing materiality to assess the materiality of their IT outsourcing projects.

  • Notification procedure

Prior to its implementation, any new material IT outsourcing arrangement must be communicated to the CSSF through a notification procedure using this notification template. The same notification template must be used to submit changes to existing outsourcing arrangements.

Such a notification form replaces the former (i) authorization form request for IT outsourcing of material activities; (ii) notification Form A, which was used in the case of cloud-computing outsourcing for a prior notification where a cloud-computing infrastructure was used for a material activity and provided by a Luxembourg-based eligible support PFS; and (iii) authorization Form B request for material activity on cloud computing not provided by a support PFS.

  • Notification period

The standard notification period is set to last at least three months before the planned outsourcing becomes effective.

The notification period is reduced to one month prior to the implementation of the outsourcing arrangement in the case of outsourcing to one of the following support PFS: IT systems and communication networks operators of the financial sector, or dematerialization or conversation service providers of the financial sector.

  • Assessment process

Within the respective three or one-month period of the outsourcing notification, the CSSF may respond in either of the following ways:

  • By requesting additional information or partially or totally reject the notified project, in which case the applicable notification period will be suspended
  • By not reacting at all, in which case the notified planned-outsourcing project could be implemented once the three- or one- month notification period, as applicable, has expired
  • Sanctions

Any material IT outsourcing whose notification does not comply with both conditions (utilization of the new notification template and compliance with the notification period) must be considered as not having been notified to the CSSF.

  • Transitional measures for pending authorization applications

In its communiqué accompanying Circular CSSF 21/785, the CSSF defined the transitional measures applicable to the supervised entities that have submitted authorization requests for material IT outsourcing prior to the entry into force of Circular CSSF 21/785, i.e., 15 October 2021:

Authorization application filed prior to 31 August 2021   Authorization application filed between 1 September and 14 October 2021
Procedures and deadlines in force prior to 15 October 2021 remain applicable.   Supervised entities can expect to receive comments from the CSSF within three months of the entry into force of Circular 21/785 (i.e., by 15 January 2022).
CSSF will in any event provide feedback (whether it requests additional information, or decides on non-objection, conditional non-objection or refusal). In the case of non-reaction from the CSSF within this three-month timeframe, the supervised entities may implement the outsourcing arrangement.

Confirmation of the CSSF's ongoing supervision

In its communiqué dated 20 October 2021, the CSSF emphasized that the prior notification process does not preclude the CSSF from its supervision powers and that the CSSF may continue to intervene through on-site inspections when it deems it necessary.

In more detail

Circular CSSF 21/785 also amends point 31 "Contractual clauses" of Circular CSSF 17/654 as amended on IT outsourcing relying on a cloud-computing infrastructure to specify the following:

  • The service contract signed with the cloud-computing service provider shall be subject to the law of one of the EU countries and at least one of the data centers shall be located in the EU (resiliency requirement).
  • If the signed service contract is a consuming cloud-computing resources group contract with a cloud service provider, the contract may be subject to the law of one of the signing parties' country, even if that country is located outside of the EU.
  • If the signed service contract is a consuming cloud-computing resources group contract with a cloud service provider, the resiliency requirement can be omitted but must be taken into account in the analysis to assess the risks.

For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.

© 2021 Baker & McKenzie. Ownership: This site (Site) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms, including Baker & McKenzie LLP). Use of this site does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All information on this Site is of general comment and for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulation and practice are subject to change. The information on this Site is not offered as legal or any other advice on any particular matter, whether it be legal, procedural or otherwise. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any information provided in this Site. Baker McKenzie, the editors and the contributing authors do not guarantee the accuracy of the contents and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the contents of this Site. Attorney Advertising: This Site may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Site may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. All rights reserved. The content of the this Site is protected under international copyright conventions. Reproduction of the content of this Site without express written authorization is strictly prohibited.