On 9 April 2025, the CSSF published a series of circulars aligning its regulatory framework with the European DORA (Digital Operational Resilience Act) regulation, in force since 17 January 2025. These updates aim to remove regulatory overlaps and clarify the obligations of supervised entities. The new circulars set forward a clear distinction between the entities covered by DORA and the non-Dora entities, given that the regulatory requirements are tailored to each category.
- ICT risk management
- CSSF Circular 20/750 (amended by CSSF Circular 25/881):
- Applies only to non-DORA entities (support PFS, POST Luxembourg, branches of third-country PSPs).
- The obligations specific to PSPs are now grouped together in a dedicated circular.
- New CSSF circular 25/880:
- Aims at all PSPs subject to the LPS.
- Formalises expectations regarding the relationship with payment service users (PSUs).
- Maintains the annual requirement for PSP ICT Assessment reporting via eDesk, before 31 March.
- Outsourcing and third-party ICT service providers
- Circular CSSF 22/806 (amended by circular CSSF 25/883):
- No longer applicable to DORA entities for ICT outsourcing.
- Remains fully applicable to non-DORA entities, including for ICT outsourcing.
- New circular CSSF 25/882:
- Sets out the rules applicable to DORA entities using third-party ICT service providers.
- Specifies:
- The notification deadlines (3 months or 1 month for support PFS),
- The information register procedures (submission between 1 and 15 April each year),
- The specific requirements in cloud computing, including the appointment of a cloud officer.
- The CSSF maintains the distinction between cloud and non-cloud services.
Updated notification forms are available on the CSSF website (different for DORA entities and non-DORA entities).
A webinar dedicated to these regulatory changes will be organised soon.