The Luxembourg Supervision Commission of the Financial Sector (Commission de Surveillance du Secteur Financier) (CSSF) issued on 14 October 2021 (i) a new circular: Circular CSSF 21/785 re: Replacement of the prior authorisation obligation by a prior notification obligation in the case of material IT outsourcing (only in French) (New CSSF Circular) and (ii) a related communication regarding the publication of Circular CSSF 21/785 on the replacement of the prior authorisation obligation by a prior notification obligation in the case of material IT outsourcing (only in French) (CSSF Communication).

Both will have direct consequences on – and simplify – the applications made or to be made by institutions supervised by the CSSF (Supervised Entities) and, as the case may be, consuming cloud computing resources for the purposes of carrying out their activities (ISCRs).

Amendments in a nutshell

The New CSSF Circular amends the following circulars:

  • Circular CSSF 12/552 re: Central administration, internal governance and risk management, as amended (Central Administration Circular);
  • Circular CSSF 20/758 re: Central administration, internal governance and risk management, as amended, which is only applicable for investment firms (IFs) (Central Administration Circular (IFs));
  • Circular CSSF 17/656 re: Administrative and accounting organisation; IT outsourcing (IT Outsourcing Circular); and
  • Circular CSSF 17/654 re: IT outsourcing relying on a cloud computing infrastructure, as amended (Cloud Circular).

Replacement of the prior authorisation obligation by a prior notification obligation regarding material IT outsourcing

An important change the New CSSF Circular foresees is that, in the case of outsourcing of a material IT activity within the meaning of the relevant circular, the Supervised Entity or the ISCR no longer has to ask the CSSF for authorisation but only notify the CSSF, at least:

  • one month in advance in cases where:
    • for ISCRs subject to the Cloud Circular as outsourcing relates to cloud outsourcing, (i) the cloud computing service provider is an institution that is authorised under Articles 29-3 or 29-4 of the law of 5 April 1993 on the financial sector, as amended (LFS) and the resource operation is carried out either by the ISCR or by an institution authorised under Articles 29-3 or 29-4 of the LFS; or where (ii) resource operation is carried out by an institution authorised under Articles 29-3 or 29-4 of the LFS, where it is the signatory; or
    • for Supervised Entities subject to the Central Administration Circular, the Central Administration Circular (IFs) and/or the IT Outsourcing Circular, the service provider is an institution that is authorised under Articles 29-3 to 29-6 of the LFS;
  • three months in advance in cases where:
    • for ISCRs subject to the Cloud Circular as outsourcing relates to cloud outsourcing, (i) neither of the two above-mentioned conditions is fulfilled; or where (ii) an institution authorised under Articles 29-3 or 29-4 of the LFS acts as intermediary and not as resource operator between the ISCR and the cloud computing service provider; or
    • for Supervised Entities subject to the Central Administration Circular, the Central Administration Circular (IFs) and/or the IT Outsourcing Circular, in all the other cases;

before the planned IT outsourcing becomes effective.

A new form is available on the CSSF website (replacing form B), noting that forms D and E remain applicable.

Any material IT outsourcing that does not comply with these two conditions (use of the correct form and respect of the relevant deadline (one or three months)) will be considered as non-notified.

Following the notification, in the absence of a response from the CSSF (eg request for additional information, partial or complete opposition to the project), the Supervised Entity or the ISCR will be able to implement the material IT outsourcing. The CSSF may respond and decide to suspend the deadline. In any case, please note that it remains the sole responsibility of the supervised institutions (including the Supervised Entity or the ISCR) to comply with all relevant laws and regulations regarding the planned outsourcing projects.

The lack of response from the CSSF during the notification process does not prejudge the monitoring measures or the application of binding measures and/or administrative sanctions that it may take at a later stage in the framework of monitoring, if it appears that the outsourcing projects do not comply with the applicable legal and regulatory framework.

Finally, the New CSSF Circular refers to the CSSF Communication regarding the transitional measures concerning applications for authorisation of a material IT outsourcing submitted to the CSSF before the date of entry into force of the New CSSF Circular (15 October 2021) (see below).

Other amendments re: group contract (Cloud Circular)

The main argument accepted by the CSSF for granting a derogation from the obligation to make the service contract subject to an EU governing law is now enshrined in the Cloud Circular. By way of reminder, the argument was that the contract is a group contract aimed at allowing the ISCR and its other group entities to make use of cloud computing services. In such a case, the contract may also be subject to the law of the country of the signing group entity, including when the country is located outside the EU.

In accordance with the Cloud Circular, a service contract signed with the cloud computing service provider will provide for resiliency in the EU of the cloud computing services provided to the ISCR. It has now been added that, when the contract signed is a group contract intended to let the ISCR and its other group entities benefit from cloud computing services, the resiliency of cloud computing services in the EU is not a requirement but must be taken into account in the entity's risk analysis.

Consequences for the Supervised Entities/ISCRs

Transitional measures

For the current applications submitted up to and including 31 August 2021, feedback on their requests in the form of:

  • a request for additional information;
  • a non-objection;
  • a conditional non-objection; or
  • a refusal,

will be systematically provided by the CSSF according to the procedures and deadlines in place before 15 October 2021. The Supervised Entity or the ISCR may send any question(s) regarding such applications by email to the CSSF auditor in charge of its supervision.

For the current applications submitted between 1 September 2021 and 14 October 2021, two scenarios exist:

  • If the CSSF responds (eg request for additional information, partial or complete opposition to the project), the response will be provided at the latest within three months from the date of entry into force of the New CSSF Circular (ie by 15 January 2022). When transmitting its response, the CSSF will provide details of the follow-up of the request.
  • If there is no response from the CSSF by 15 January 2022, the Supervised Entity or the ISCR may implement the planned outsourcing (if any). The absence of a response from the CSSF does not prejudge the supervisory measures or the application of binding measures and/or administrative sanctions that it could be led to take at a later stage in the framework of the permanent supervision, if it appears that the outsourcing projects do not comply with the applicable legal and regulatory framework.

New regime

By way of reminder and as mentioned above, for the upcoming applications, the Supervised Entity or the ISCR will no longer need to request authorisation from the CSSF for material IT outsourcing. The Supervised Entity or the ISCR will notify the CSSF within the relevant timeframe (one or three months) by sending the notification form and, in the absence of a reaction from the CSSF within that timeframe, will then be able to implement the material IT outsourcing automatically.