CSSF aligns with DORA following the key updates on ICT and Outsourcing regulations


Published: 25 Apr 2025

Author: Precedence Research


The Commission de Surveillance du Secteur Financier (CSSF), also known as the Financial Supervisory Authority, has released several new circulars on information and communications technology (ICT) risk management and the role of ICT third-party providers, with the aim of aligning its existing circulars and supervisory practice with the Digital Operational Resilience Act (DORA). The key changes are amendments to Circular CSSF 20/750 on ICT and security risk management and to Circular CSSF 22/806 on outsourcing arrangements, together with the publication of two new circulars, CSSF 25/880 and CSSF 25/882. The changes are intended to reduce regulatory overlap, improve clarity and ensure consistency with DORA. They affect outsourcing practice and ICT risk management for both DORA and non-DORA entities supervised by the CSSF.

CSSF Aligns With DORA

ICT and Security Risk Management

  • New Circular CSSF 25/880: This circular is addressed to all types of payment service providers (PSPs), whether they are DORA or non-DORA entities. It follows the new EBA guidelines on ICT and security risk management and focuses on the ICT risk assessment requirements for PSPs. It also sets out the required reporting on operational and security risk under the law of 10 November 2009 on payment services.
  • Circular CSSF 20/750: The circular on ICT and security risk management now applies only to non-DORA entities, with a few updates. Its application to PSPs is narrowed and limited to Post Luxembourg and third-country branches. DORA entities fall entirely outside the scope of this circular.

Outsourcing

  • Circular CSSF 22/806: This circular provides a comprehensive framework for outsourcing arrangements, including ICT outsourcing. DORA introduces harmonised requirements for the use of ICT third-party services and ICT outsourcing that overlap with Circular CSSF 22/806.

Circular CSSF 22/806 has therefore been amended to remove the overlap with DORA: for DORA entities it now applies only to business process outsourcing, since ICT outsourcing for those entities is already governed by DORA. The circular remains fully applicable, for both ICT outsourcing and business process outsourcing, to non-DORA entities and to management companies of collective investment undertakings. A few contractual clauses previously required for cloud computing service providers were removed to align the requirements for DORA and non-DORA entities.

  • New Circular CSSF 25/882: This circular sets out specific requirements for the use of ICT third-party services by DORA entities, including the register of information that must be maintained and the related reporting obligations. It carries over a few elements of Circular CSSF 22/806 that are not covered by DORA but remain necessary for compliance.
