Advisory

Why CSSF Circular 26/905 Marks a Turning Point for ESG Risk Management in Luxembourg’s Banking Sector

Published on 20 January 2026, CSSF Circular 26/905 introduces a major shift in how Less Significant Institutions (LSIs) in Luxembourg must organise, govern, and operationalise their approach to environmental, social and governance (ESG) risks. Yet despite its significance, the circular has so far received surprisingly little attention, an oversight that could leave institutions unprepared for a complex regulatory transition. This article highlights what the circular requires, why it matters, and why institutions should act now.

A New Supervisory Reality for ESG Risk

With Circular 26/905, the CSSF formally adopts the EBA Guidelines on the management of ESG risks (EBA/GL/2025/01) into its supervisory practice. The Guidelines, originally published by the EBA on 9 January 2025, establish a harmonised and far-reaching framework for how European Union (EU) credit institutions must identify, measure, manage and monitor ESG risks across their business models and risk frameworks. 

According to the CSSF, this step aims to ensure supervisory convergence at the European level, reinforcing a consistent and forward-looking approach to ESG risk oversight. Importantly, the Circular does more than simply “acknowledge” EBA expectations: it integrates them into the CSSF’s regulatory approach, creating binding expectations for all LSIs in Luxembourg.

Broader Scope Than Previous ESG Rules

Circular 26/905 represents a substantial evolution from earlier guidance, most notably CSSF Circular 21/773, which concentrated mainly on environmental and climate-related risks. Under the new circular, institutions are now required to address the full breadth of ESG risks, encompassing:

- Environmental risks such as climate change, pollution, and biodiversity.
- Social risks including labour standards, human rights considerations, and community impacts.
- Governance risks relating to board oversight, conduct, and transparency.

By broadening the regulatory perimeter, the CSSF aligns Luxembourg with the ECB’s established expectations for significant institutions, as well as with the wider European movement toward comprehensive, sustainability-oriented prudential frameworks.

What LSIs Will Need to Implement

The circular requires institutions to put in place a robust and comprehensive ESG risk management system, including:

1. Governance & Strategy Integration

Institutions need to include ESG considerations in their business strategies, risk appetite frameworks, ICAAP and ILAAP processes, organisational structures and board‑level oversight, and to prepare transition plans with clear timelines and targets.

2. Identification and Measurement of ESG Risks

Institutions must systematically identify how ESG risks impact traditional risk categories such as credit, market, operational and reputational risk. The Guidelines also require forward‑looking metrics and scenario analyses.

3. Monitoring, Reporting & Internal Controls

Institutions must implement comprehensive internal reporting frameworks, supported by reliable data, methodologies and controls. Staff and management must also be adequately trained. 

4. Proportionality for SNCIs

Small and Non‑Complex Institutions (SNCIs) may use simplified or less sophisticated arrangements based on their size, complexity and risk profile.

Deadlines Are Closer Than They Appear

The circular introduces two key application dates:

According to the CSSF, Circular CSSF 26/905 becomes applicable on 1 April 2026 for LSIs other than SNCIs, and on 11 January 2027 for SNCIs.

Why Institutions Should Act Now

ESG risk management is a core prudential expectation, embedded in solvency, governance, long‑term strategy and overall financial resilience. Institutions that postpone preparation risk supervisory findings, operational strain, fragmented implementation and difficulty keeping pace with evolving market and regulatory developments. Those that act early benefit from smoother supervisory engagement, more credible and mature ESG governance, stronger risk mitigation and a stronger strategic position in an increasingly dynamic regulatory and economic landscape.

The CSSF’s supervisory priorities in Sustainable Finance (published 2 March 2026) clarify regulatory expectations for the financial sector, emphasising high-quality ESG disclosures and the integration of sustainability risks into governance and risk management. For credit institutions, climate‑ and nature-related risks remain a key supervisory focus, aligned with the 2026–2028 priorities of the Single Supervisory Mechanism (SSM). Ongoing monitoring will centre on compliance with Circular CSSF 21/773 and the EBA Guidelines on ESG risk management, implemented via Circular CSSF 26/905. ESG considerations will continue to be embedded in on-site inspections of governance and credit‑risk frameworks, and the CSSF may carry out thematic reviews specifically targeting ESG risk management.

Conclusion: A Strategic Opportunity Hidden in Plain Sight

Circular 26/905 may not yet have generated extensive discussion within Luxembourg’s banking sector, but its implications are far‑reaching. It places ESG risk management firmly at the centre of supervisory expectations and introduces a more ambitious set of requirements that will shape the way LSIs operate going forward.

Rather than serving solely as a compliance exercise, the circular creates an opportunity for institutions to enhance their resilience, strengthen long‑term strategic planning, and reinforce their positioning within Europe’s sustainable finance ecosystem.

 


Contact

If you wish to understand how you could best implement the EBA Guidelines on the management of ESG risks, in line with the CSSF requirements, please contact Janice Daly, Advisory Partner at Grant Thornton Ireland, Jonathan Fitzpatrick, Partner, Head of Quantitative Risk at Grant Thornton Ireland or Dara Kelly, Head of Advisory at Grant Thornton Luxembourg.