Advisory

CSSF Circular 21/785: IT/Cloud Outsourcing

By: Jean-Hubert Antoine, Magdalena Mihalcea
Replacement of prior authorisation obligation with prior notification obligation for material IT outsourcing

The Circular’s provisions apply to:

  • all credit institutions,
  • all PSF,
  • all payment institutions,
  • all electronic money institutions, and
  • all investment fund managers subject to CSSF Circular 18/698.

 

Stay ahead of the regulatory curve on IT/Cloud outsourcing

The CSSF released a new Circular on IT/Cloud outsourcing on 14th October. The new Circular replaces the prior authorisation requirement with a prior notification requirement in the event of outsourcing of a material activity, but not for business process outsourcing.

The new requirements aim to shorten project timelines by setting out the time period the competent authority will take to process an IT outsourcing request, depending on whether the file is complete and whether the CSSF requires additional information.

 

Amendment of Circulars CSSF 12/552 - CSSF 17/656 - CSSF 20/758

IT Outsourcing: prior notification.

The notification period depends on whether the Outsourcing Service Provider is:

  • Support PSF: The notification must be provided at least 1 month before the planned subcontracting becomes effective;
  • Not support PSF: The notification must be provided at least 3 months before the planned subcontracting becomes effective.

Business Process Outsourcing: prior authorisation.

 

Amendment of CSSF Circular 17/654

Cloud Outsourcing: prior notification.

The notification period depends on whether the Cloud Service Provider is:

  • PSF and resource operation is ESCR/PSF: The notification must be provided at least 1 month before the planned subcontracting becomes effective;
  • PSF and signatory: The notification must be provided at least 1 month before the planned subcontracting becomes effective;
  • Not ESCR/PSF: The notification must be provided at least 3 months before the planned subcontracting becomes effective.

Cloud Computing Services: If the contract is a group contract aimed at providing the ESCR and other group entities with cloud computing services, it is subject to:

  • Local law for group entity contract: If the service contract is subject to the law of the country of the signatory group entity, the service contract may not be subject to the law of one of the countries of the European Union; else
  • European Union law for group entity contract: The service contract must be subject to the law of one of the countries of the European Union.

Data Centres: provision of resilience for the cloud computing services depends on the location of data centres:

  • Outside the European Union: If all data centres supporting cloud computing services are not located within the European Union and the contract is a group contract aimed at providing the ESCR and other group entities with cloud computing services, the resilience of cloud computing services in the European Union is not a requirement but must be taken into account in the risk analysis;
  • Within the European Union: The service contract, signed with the cloud computing service provider, should provide resilience for the cloud computing services offered to ESCR in the European Union.

 

Transitional Measures

For supervised entities that have submitted their subcontracting authorisation requests between 1st September 2021 and 14th September 2021, the following provisions apply:

  • Feedback from the CSSF up to and including 15th January 2022: In the event of a reaction from the CSSF (request for additional information, partial or complete opposition to the project), the CSSF will provide the supervised entity with details regarding the follow-up to the request.
  • No feedback from the CSSF by 15th January 2022: In the absence of a reaction from the CSSF (request for additional information, partial or complete opposition to the project) by 15th January 2022, the supervised entities may implement the planned subcontracting.

 

How Grant Thornton can help

The Security team at Grant Thornton Luxembourg has subject matter experts who are prepared to assist you in complying with the CSSF regulatory requirements by providing best-practice advice on a broad array of IT/Cloud outsourcing projects.

We would like to thank you for your trust in us thus far and look forward to collaborating with you in the future as well.

 

For further guidance regarding Circular CSSF 21/785, please contact Jean-Hubert Antoine or Magdalena Mihalcea.