On 27 March 2019, the Luxembourg regulator published Circular CSSF 19/714 to update Circular CSSF 17/654 on IT outsourcing relying on a cloud computing infrastructure. This update draws upon the interactions between the CSSF and supervised entities, and takes into account the regulatory developments at EU and Luxembourg levels since entry into force of Circular CSSF 17/654 in May 2017.

The update can be summarized as follows:

  • Addition of investment fund managers in the scope of application (in line with Circular CSSF 18/698 on their authorization and organization).
  • Introduction of optional requirements – for non-material activities only – in the context of proportionality, i.e.:
    • Notifications in case of change of functionalities (§27.j and §27.k)
    • Continuity in case of resolution or reorganization or another procedure (§28.b)
    • Transfer of services in case the continuity is threatened (§28.c)
    • Monitoring of activities (§30)
    • Contract under EU law and resiliency of the services in the EU (§31.a and §31.b), and
    • Right of audit (§31.j, §32, and §33).
  • Introduction of a register to be maintained by the supervised entities which includes all the cloud computing outsourcing of material as well as non-material activities; this detailed table covers 50+ questions about:
    • Activities to be outsourced,
    • Roles and responsibilities,
    • The cloud service provider,
    • Contractual information,
    • Controls over the outsourced activities, and
    • Options not to apply limited requirements, based on risk assessment and proportionality principle (as detailed above).
  • Introduction of new forms for the prior notification and application for authorization to outsource to a cloud computing infrastructure to support a material activity – these shorter forms of 8 to 11 pages replace the "compliance table" which required justifying compliance with the circular's requirements point by point; these forms rather ask focused questions about:
    • The type of outsourcing to a cloud computing infrastructure,
    • Relevant elements justifying compliance with Circular CSSF 17/654, and
    • Architecture and security measures.
  • Cancellation of the necessity to notify the outsourcing to a cloud computing infrastructure to support a non-material activity
  • Rewording and/or reorganization of some paragraphs for more clarity.

This update to Circular CSSF 17/654 is accompanied by an updated FAQ, as well as a separate guidance document on the assessment of IT outsourcing materiality. Under this guidance, an IT outsourcing is considered material if at least one of the following statements is met:

  1. From a technical point of view, the outsourced IT operational functions, activities or services safeguard the security and continuity of critical parts of the IT infrastructure.
  2. From a business point of view, the outsourced IT operational functions, activities or services support a material activity. In case of failure or dysfunction of the IT operational functions, activities or services, there is a major impact on the business activity (e.g. financial, continuity, reputational, regulatory, or strategic).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.