CSSF Circular Updates: ICT Risk Management and Use of ICT Third-Party Services Under DORA

On 9 April 2025, the Commission de Surveillance du Secteur Financier (“CSSF”) published a set of regulatory updates in response to the entry into application of the Digital Operational Resilience Act (“DORA”). These updates include two newly issued circulars and amendments to two existing ones. Together, they seek to clarify the interaction between Luxembourg’s domestic information and communication technology (“ICT”) supervisory framework and the directly applicable DORA rules, while maintaining certain specific provisions relevant at national level.

The updates are relevant for both entities within the scope of DORA (“DORA entities”) and those that remain outside it (“non-DORA entities”). Entities falling under either classification are advised to reassess their regulatory position, notification obligations, and third-party contractual arrangements in light of the clarified framework. 

Key Takeaways 

  • CSSF Circular 25/880 introduces a standalone regime applicable exclusively to Payment Service Providers (“PSPs”). It implements the revised EBA Guidelines on ICT and security risk management (EBA/GL/2025/02), which amend the earlier EBA/GL/2019/04, and consolidates the ICT risk and reporting framework applicable to PSPs in Luxembourg. The circular also integrates the reporting requirement set out in Article 105-1(2) of the Law of 10 November 2009 on payment services. The aim is to isolate PSP-specific rules from the broader framework applicable to non-PSP and non-DORA entities, while aligning national supervisory expectations with the latest EBA standards.
  • CSSF Circular 25/881 amends Circular CSSF 20/750 by narrowing its scope of application. As of 9 April 2025, Circular 20/750 applies only to non-DORA entities, with PSP-related provisions removed in light of the creation of Circular 25/880. The result is a cleaner separation of regimes: non-DORA entities remain subject to the amended Circular 20/750, whereas PSPs and DORA entities are subject to their respective frameworks.
  • In response to the harmonised rules introduced by DORA on ICT third-party risk management, the CSSF has issued CSSF Circular 25/882. This circular outlines supervisory expectations applicable to DORA entities when relying on external ICT service providers, including providers involved in the performance of critical or important functions. The circular defines the types of in-scope entities in line with Article 2(1) of DORA, including credit institutions, investment firms, UCITS management companies (both Chapter 15 and Chapter 16), alternative investment fund managers authorised under Chapter 2 and internally managed alternative investment funds within the meaning of point (b) of Article 4(1) of the Law of 12 July 2013 on alternative investment fund managers, and investment companies without a designated management company.

    In particular, the CSSF reiterates the obligation for DORA entities to submit a notification in a timely manner for any planned ICT outsourcing arrangement that supports a critical or important function, or when a function subsequently becomes critical or important. Entities are also required to maintain a register of information, with the submission window for the 2025 reporting year set between 1 April and 15 April.

    Circular 25/882 also maintains certain provisions originally found in Circular 22/806 that are not addressed by DORA but which the CSSF considers necessary for local supervision. These include Luxembourg-specific expectations in areas such as data localisation, backup arrangements for (outsourced) accounting systems, and the appointment of a qualified cloud officer. Furthermore, the CSSF confirms it will continue to distinguish between cloud and non-cloud ICT services, notwithstanding the absence of such a distinction in the DORA Regulation itself.

    The overall objective is to ensure continued supervisory visibility over critical ICT dependencies, while allowing the CSSF to rely on established national mechanisms that have proven effective in practice.
  • CSSF Circular 25/883 amends Circular CSSF 22/806 in order to remove the ICT outsourcing provisions that have now been superseded by DORA and Circular 25/882, but only for entities that fall under the DORA regime. As a result, ICT outsourcing is no longer governed by Circular 22/806 for DORA entities, although business process outsourcing remains in scope. In contrast, non-DORA entities remain fully subject to Circular 22/806, including its ICT outsourcing requirements. Moreover, the circular remains applicable to Chapter 16 management companies for the purposes of ICT outsourcing, given their exclusion from the broader DORA regime.

    Finally, the CSSF has repealed the previous requirement for cloud service agreements to be subject to the law of an EEA Member State and for cloud resilience to be ensured within the EEA. This change introduces a degree of contractual flexibility across both DORA and non-DORA regimes.

Practical Considerations and Next Steps 

As part of the update, the CSSF has released new standard forms for ICT third-party arrangement notifications. DORA entities are expected to use the new form as of 9 April 2025, although a transition period until 10 May 2025 has been granted, during which submissions using the previous template will still be accepted. 

Entities are reminded that notification timelines remain unchanged. As a general rule, notifications must be made at least three months in advance, or one month for certain Luxembourg PFS entities. 

Conclusion

Through these regulatory adjustments, the CSSF introduces a dual-track supervisory model: one aligned with DORA for entities falling within its scope, and one maintained under amended national rules for all other supervised entities. By preserving certain operational and reporting practices rooted in earlier CSSF circulars, the regulator ensures both continuity and coherence in the transition to the new European framework. 

All affected entities should now assess their ICT and outsourcing frameworks in light of these developments. This includes reviewing existing and upcoming contracts, updating internal registers, and ensuring that applicable notification obligations are met in a timely manner. 

For guidance on how these changes may affect your operations, including assistance with notification procedures or compliance assessments, our team remains at your disposal. 


Chevalier & Sciales advises on the acquisition of Nobu Hotel in London

Chevalier & Sciales is pleased to have advised Limestone Capital AG, a private equity firm focused on the European hospitality sector, on the successful acquisition of Nobu Hotel London Shoreditch for an undisclosed sum. Located in one of London’s most dynamic districts, the property offers 164 guest rooms, a restaurant, fitness and wellness facilities, and over 3,000 square feet of event space, while its top suites showcase views of the City.

The team at Chevalier & Sciales, led by Cécile Rechstein, provided comprehensive legal and regulatory guidance, covering tax and corporate matters.


Luxembourg’s Draft Law No. 8476: Implementing the EU AI Act

Summary/Abstract

On 23 December 2024, Luxembourg submitted Draft Law No. 8476 to support the implementation of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). The bill outlines the designation of national authorities responsible for market surveillance, conformity assessments, and cooperation with EU institutions. It also introduces regulatory sandboxes, clarifies enforcement mechanisms, and sets out applicable sanctions. Businesses developing or deploying AI systems in or from Luxembourg should assess their classification and compliance readiness, especially with the AI Act’s staged application beginning in February 2025.

Luxembourg advances implementation of the EU AI Act

On 23 December 2024, the Luxembourg government introduced Draft Law No. 8476 as part of its national strategy to implement the EU’s landmark Artificial Intelligence Act (AI Act). The bill is currently under review by the Chambre des Députés and focuses on setting up the legal and institutional mechanisms needed to enforce the EU regulation at national level.

The AI Act imposes harmonized rules for the development, marketing, and use of AI systems in the EU, relying heavily on Member States to appoint competent authorities and structure enforcement mechanisms. Draft Law No. 8476 fills this role in Luxembourg’s legal framework.

Scope and objectives

The draft law’s core objective is to provide a procedural and organizational foundation for Luxembourg’s enforcement of the AI Act. It addresses:

  • Designation of notifying authorities to accredit and monitor conformity assessment bodies (CABs);

  • Identification of market surveillance authorities based on sectoral competence;

  • Establishment of a cooperation framework for national and EU-level enforcement;

  • Creation of AI regulatory sandboxes for supervised innovation;

  • Specification of enforcement powers and sanctions.

Notifying authorities and conformity assessment

The draft law identifies the following bodies as notifying authorities:

  • Office luxembourgeois d’accréditation et de surveillance (OLAS) – general oversight and accreditation;

  • Agence luxembourgeoise des médicaments et produits de santé (ALMPS) – oversight in the medical and health sectors;

  • Commissariat du gouvernement à la protection des données (CGPD) – competent for AI systems involving personal data processed in state procedures.

These authorities are tasked with supervising conformity assessment bodies (CABs), which certify whether high-risk AI systems meet the requirements of the AI Act based on standards, documentation, and technical testing.

For high-risk systems used by law enforcement, immigration or asylum authorities, assessments will be carried out directly by the Commission nationale pour la protection des données (CNPD), reflecting the sensitivity of such use cases.

Market surveillance authorities

The bill adopts a sector-specific approach to enforcement by assigning market surveillance functions to a range of authorities based on their existing regulatory remit:

  • CNPD – Default horizontal surveillance authority and single contact point with the European Commission.

  • Commission de surveillance du secteur financier (CSSF) – Financial services and markets.

  • Commissariat aux assurances (CAA) – Insurance sector.

  • Autorité de contrôle judiciaire – Judiciary and prosecution bodies.

  • ILNAS – Products and services regulated under EU harmonisation legislation.

  • ILR – Critical infrastructure and digital services.

  • ALMPS – Healthcare and medical devices.

  • ALIA – Compliance with content transparency obligations, including AI-generated or manipulated media.

These authorities are granted investigatory and enforcement powers, including inspections, orders to correct or remove non-compliant AI systems, and—where necessary—application of penalties.

Regulatory sandboxes

The draft law introduces a legal basis for the establishment of AI regulatory sandboxes, a feature encouraged by the AI Act. These are supervised environments where businesses can test innovative AI systems in collaboration with regulators, promoting early-stage compliance and responsible development.

Each surveillance authority will be expected to administer sandboxes within its sector, enabling tailored support for participants.

Coordination and EU cooperation

To ensure alignment with EU enforcement, the CNPD is designated as the single national contact point under Article 70(2) of the AI Act. The CNPD will coordinate Luxembourg’s cooperation with the European Commission, other Member State authorities, and relevant EU bodies such as the AI Office.

The draft law also contains provisions for structured inter-agency cooperation at national level and anticipates Union safeguard mechanisms, which may be triggered for serious cross-border compliance issues. In such cases, enforcement measures taken in Luxembourg could be escalated to EU level, potentially resulting in coordinated market restrictions.

Sanctions and enforcement powers

In line with the AI Act, the bill outlines a graduated system of sanctions:

  • Up to €35 million or 7% of global turnover for prohibited AI practices (Article 5 AI Act);

  • Up to €15 million or 3% for violations involving high-risk AI systems;

  • Up to €7.5 million or 1% for providing false or misleading information.

Fines are subject to proportionality rules for SMEs and startups. Competent authorities may also issue warnings, orders, and public notices. Decisions may be appealed before the Administrative Court of Luxembourg.

Strategic implications for businesses

As implementation of the AI Act progresses, companies developing or deploying AI systems within Luxembourg or across borders should begin preparing for compliance. Immediate steps may include:

  • Classifying systems under the AI Act’s risk tiers (e.g. high-risk under Annex III);

  • Reviewing documentation and governance to ensure transparency, human oversight, and post-market monitoring;

  • Assessing contractual frameworks with deployers, importers, and distributors;

  • Engaging with potential CABs for early-stage guidance;

  • Preparing for sandbox participation in case of novel or complex AI applications;

  • Aligning GDPR compliance, particularly in cases involving personal data or AI-generated content.

Conclusion

Draft Law No. 8476 provides Luxembourg’s legal backbone for enforcing the AI Act. It takes a structured, competence-based approach, emphasizing coordination between national agencies and with the European Commission. The bill reflects Luxembourg’s dual commitment: encouraging trustworthy AI innovation while ensuring robust enforcement and protection of fundamental rights.

Businesses active in Luxembourg’s AI ecosystem should view this development as both a compliance imperative and a strategic opportunity to engage proactively with regulators. The first key provisions of the AI Act will begin to apply six months after entry into force—which may be as early as February 2025.


CSSF Updates AML/CFT blacklist with 4 countries

On October 28, 2024, Luxembourg’s financial sector regulator, the Commission de Surveillance du Secteur Financier (CSSF), updated its circular CSSF 22/822. This amendment added Algeria, Angola, Côte d’Ivoire, and Lebanon to the FATF’s list of jurisdictions under increased monitoring, while removing Senegal due to its progress in addressing anti-money laundering and counter-terrorism financing (AML/CFT) deficiencies.

In October 2024, Algeria, Angola, Côte d’Ivoire, and Lebanon each committed to collaborating with the FATF and their relevant regional bodies to strengthen their AML/CFT measures. These commitments include efforts to improve national cooperation, increase transparency on beneficial ownership, expand oversight of financial and non-financial sectors, and enhance investigations and sanctions related to money laundering and terrorism financing. Algeria and Angola have focused on strengthening supervision and financial intelligence, Côte d’Ivoire has reinforced its legal and asset management frameworks, and Lebanon has targeted anti-bribery measures, risk management, and unlicensed financial activities.

In contrast, Senegal, which has made significant strides since 2021, was removed from the list. The FATF recognized Senegal’s achievements in enhancing its understanding of AML/CFT risks, fostering international cooperation, improving financial institution supervision, expanding law enforcement capacity, implementing sanctions, and monitoring high-risk non-profits.

The Democratic People’s Republic of Korea (DPRK), Iran, and Myanmar are still listed as high-risk jurisdictions requiring enhanced due diligence and/or countermeasures due to significant strategic deficiencies in their regimes to counter money laundering, terrorist financing, and proliferation financing.

As of today, the following countries are identified as high-risk countries:


1. Algeria
2. Angola
3. Bulgaria
4. Burkina Faso
5. Cameroon
6. Côte d’Ivoire
7. Croatia
8. Democratic Republic of Congo
9. Haiti
10. Kenya
11. Lebanon
12. Mali
13. Monaco
14. Mozambique
15. Namibia
16. Nigeria
17. Philippines
18. South Africa
19. South Sudan
20. Syria
21. Tanzania
22. Venezuela
23. Vietnam
24. Yemen

Get in touch with our Corporate team for advice and assistance on the latest developments.


New EU Commission study on areas most at risk of corruption

Corruption impacts every sector, but some areas are particularly vulnerable, especially those handling large public funds or delivering essential services like healthcare. To better understand these vulnerabilities, the European Commission released the study “High-risk Areas of Corruption in EU Member States: A Mapping and In-Depth Analysis” (https://op.europa.eu/fr/publication-detail/-/publication/5c0730b2-9769-11ef-a130-01aa75ed71a1/language-en) on November 4, 2024. Launched in 2023, the study highlights six key sectors facing high corruption risks, examining the reasons for these risks and offering insights into how corruption damages critical systems.

The study’s findings highlight six specific areas—healthcare, finance, public procurement, defence and security, construction and infrastructure, and sports. Corruption in these areas not only undermines service quality and trust but also often involves cross-border elements that call for coordinated EU action. The findings of the study were a major point of discussion at the 2nd plenary meeting of the EU Network Against Corruption on October 3, 2024.

The study’s results also align with the EU’s 2023 Joint Communication on the fight against corruption, emphasizing that this research will inform the EU’s first full anti-corruption strategy.  A follow-up study will investigate actions that mitigate corruption in these high-risk areas.

Which sectors are most at risk, and what are the specific threats?

The study outlines six high-risk sectors in detail, each facing unique challenges that require tailored anti-corruption strategies:

Public Procurement: Why is it so vulnerable?

Public procurement—where governments spend on goods and services—makes up around 14% of the EU’s gross domestic product (GDP), with expenditures of over EUR 2 trillion each year. The large amounts of money, combined with complex and often opaque processes, make this sector a prime target for corruption. Here, common forms of corruption include bribery, collusion, and embezzlement. Corruption in public procurement not only diverts funds from their intended uses but can also lead to inflated costs, poor service quality, and weakened public trust. Improving transparency and enhancing oversight mechanisms are vital to reducing corruption in this sector.

How does corruption affect healthcare in the EU?

Healthcare is a vital sector, and corruption here can have direct consequences on public health and safety. With significant budgets, multi-layered supply chains, and a mix of public and private players, the sector faces risks that include fraudulent billing, conflicts of interest, and favouritism. The financial impact of healthcare-related corruption in the EU is estimated at up to EUR 56 billion each year. As healthcare access is often a matter of life and death, these vulnerabilities create serious risks for patients. Tackling healthcare corruption requires strengthening regulatory frameworks and improving transparency to safeguard both resources and patient outcomes.

What makes the financial sector so attractive for corrupt practices?

The financial sector, encompassing banking, insurance, and investments, is a cornerstone of the EU’s economy. However, it also harbours considerable corruption risks, including money laundering, tax evasion, and links to organized crime. Corruption in this sector often crosses borders, as criminal groups exploit jurisdictional differences to launder money or evade taxes. Such activities are estimated to cost the EU up to EUR 1 trillion annually. Addressing corruption here calls for coordinated regulatory responses across Member States, with robust measures to counter tax fraud and financial crime.

Why is the defence and security sector at such high risk?

Increased defence spending in response to EU security demands has made the sector more vulnerable to corruption. The high level of secrecy, significant funding, and involvement of both national and international supply chains all contribute to risks such as bribery, arms sales corruption, and the misuse of procurement funds. Corruption within the defence sector affects national security, while the sector’s opacity makes tracing and combating corruption challenging. Addressing these issues requires establishing clearer accountability standards and promoting transparency in defence-related spending.

How does corruption impact construction and infrastructure?

The construction and infrastructure sector is essential to economic growth, but its projects are often susceptible to corruption due to high value, complex procurement processes, and extensive timelines. Common practices include bid-rigging, use of substandard materials, and bribery, leading to costly projects and compromised safety standards. Corruption in this area not only raises costs but can also jeopardize public safety when corners are cut on safety requirements or materials. With the sector contributing approximately 5% to the EU’s total gross value added, reforms to improve oversight and regulatory compliance are essential to safeguard public resources.

How widespread is corruption in sports, and what are its effects?

Sports corruption in the EU is particularly evident in betting and match-fixing schemes, with football and tennis being prime targets for illicit activities. Corruption in this area not only damages the integrity of sports but also exploits players, fans, and communities, particularly through illegal betting networks. Match-fixing and other corrupt practices not only erode public trust in sports but also involve complex international crime networks. Addressing these issues requires coordinated efforts across borders, with enhanced regulatory frameworks that address sports betting, match-fixing, and associated financial crimes.

What is the Path Forward for Tackling Corruption in High-Risk Sectors?

The study’s conclusions stress the need for a strategic, multifaceted approach to effectively address corruption in these six sectors. Suggested actions include enhancing transparency, improving regulatory collaboration across borders, and bolstering enforcement capabilities to counter complex, evolving corruption risks. By implementing a robust anti-corruption framework across the EU, Member States can work together to protect public resources, enhance service quality, and rebuild trust in public institutions.

These findings will inform the EU’s forthcoming anti-corruption strategy, which will focus on prevention, enforcement, and accountability. Prioritizing these high-risk sectors offers an opportunity to mitigate the extensive impacts of corruption, fostering a safer, more transparent, and fair society for all Europeans.

Get in touch with our Corporate team for advice and assistance on the latest developments.


New RCS Filing Requirements: Mandatory Luxembourg National Identification Numbers for Natural Persons

Starting on 12 November 2024, the Luxembourg Business Registers (LBR) will introduce new filing requirements for natural persons associated with entities registered in the Luxembourg Trade and Companies Register (RCS). These changes are aimed at enhancing the accuracy of records and aligning with the National Register of Natural Persons, thereby improving the quality of official information. 

Who Will Be Impacted? 

The new obligations will apply to all natural persons associated with entities registered in the RCS, including individuals acting in roles such as managers, directors, shareholders, auditors, and legal representatives. This requirement applies regardless of whether the individuals are resident or non-resident in Luxembourg. 

Exemptions: Certain categories of individuals are exempt from this obligation, such as judicial representatives in legal matters and agents of foreign entities with branches in Luxembourg. 

Key Updates and Required Information 

The most notable change is the requirement for entities to submit the Luxembourg National Identification Number (LNIN)—often referred to as the Matricule or CNS number—for each natural person affiliated with an entity. 

  • For those already holding an LNIN: Entities simply need to input the LNIN in the appropriate field during the next filing or update. No additional documentation will be necessary.
  • For those without an LNIN: An application for a new LNIN will need to be submitted. The application must include personal information such as full name, date and place of birth, nationality, gender, and private home address. In addition, proof of identity and residence documents will be required, with translations accepted in either Luxembourg’s official languages or English (non-certified translations are sufficient).

Confidentiality: While the LNIN will be mandatory, it will not be made public in the RCS. Other personal details, such as gender, nationality, and residence information, will similarly remain confidential. These details will be shared with the State Information Technology Centre (Centre des technologies de l’information de l’Etat) for entry into the National Register of Natural Persons. 

Transition Period and Compliance 

A transition period starting from 12 November 2024 will be granted, during which entities will be able to update their records free of charge. The duration of this transition has not yet been officially determined. During this phase, filings can proceed even without providing the LNIN, but all entities must ensure they have completed the updates before the end of this period. 

Once the transition period closes, filings involving natural persons—whether new registrations, modifications, or annual updates—must include the LNIN. Failure to comply may result in the rejection of filings by the RCS. 

Effects on the Register of Beneficial Owners (RBE) 

For those listed in the Register of Beneficial Owners (RBE), these changes will also require updates to the RBE records, ensuring that the LNIN is included in line with RCS filings. Keeping these records synchronized is crucial to prevent inconsistencies. 

What Steps Should Entities Take? 

Entities are encouraged to begin gathering LNINs for all relevant individuals as soon as possible. For those who do not yet have an LNIN, it is advisable to start the application process to avoid delays.

If you require assistance in navigating the registration or updating process, we are here to help. We can provide guidance on both the application for new LNINs and compliance with the updated RCS filing requirements. 

For further details, you can consult the LBR FAQ regarding these new requirements, available in French: FAQ – Identifiant National (lbr.lu).

Should you have any questions or need further support for the registration, feel free to reach out to our Corporate team. 


EU finalizes AI Act: A landmark regulation for Artificial Intelligence

On 21 May 2024, the European Council gave its final approval to the much-anticipated Artificial Intelligence regulation (the “AI Act”), establishing harmonized rules for AI development, placement on the market, and usage within the European Union (EU). This marks the EU’s first significant effort to regulate AI technologies, reflecting their increasing importance in modern economies.

What is the AI Act?

The AI Act provides a comprehensive legal framework for the regulation of AI systems, based on the risks they pose to fundamental rights, safety, and public health. It aims to strike a balance between fostering innovation and ensuring adequate oversight.

After nearly three years of legislative negotiations, the Act has substantially expanded from its original proposal. One of the most notable additions is the inclusion of general-purpose AI models as a newly regulated category—underlining the EU’s focus on AI as a strategic area of concern.

Highlights of the AI Act

Risk-based categorization of AI systems

The AI Act introduces a tiered framework, categorizing AI systems into four groups based on the risks they present:

  1. Prohibited AI practices (Art. 5)
    These include systems using manipulative or exploitative techniques that could lead to harm or discrimination. Such practices are strictly banned across the EU with no exceptions. Examples include social scoring and certain types of biometric surveillance.

  2. High-risk AI systems (Chapter III, incl. Articles 9 and 25)
    High-risk AI covers applications in regulated sectors such as medical devices, civil aviation, vehicles, biometrics, and critical infrastructure. These systems are identified through Annex I and Annex III, and are subject to strict compliance obligations for providers, importers, distributors, and deployers.

    • Under Article 9, a risk management system must be established, implemented, documented, and maintained.

    • Article 25 outlines detailed responsibilities for providers, including risk assessments, technical documentation, and ongoing monitoring throughout the system’s lifecycle.

    • If any actor in the value chain has reason to believe the system is non-compliant, deployment must be suspended.

  3. Other AI systems
    These are AI systems that interact with individuals, such as chatbots or AI-generated content tools. The Act imposes transparency obligations, including Article 50, which requires users to be informed that content is AI-generated or manipulated.

  4. General-purpose AI models (GPAI)
    GPAI refers to models capable of powering a broad range of applications. These are subject to lighter obligations unless they qualify as general-purpose AI models with systemic risk, i.e. models with high-impact capabilities, often trained using exceptionally large computational resources.
    When systemic risk applies, additional requirements include risk mitigation policies, adversarial testing, and model evaluation obligations.

Governance and Enforcement (Chapter VII)

The Act establishes a multi-level governance structure:

  • At European level:

    • An AI Office within the European Commission to oversee enforcement.

    • The European Artificial Intelligence Board, with representatives from each Member State, to advise and coordinate.

    • An Advisory Forum offering technical expertise.

    • A scientific panel of independent experts to support enforcement.

  • At national level:
    Each Member State must designate at least one notifying authority and one market surveillance authority to oversee and enforce compliance at the domestic level.

Luxembourg’s Regulatory Sandbox

On 14 June 2024, Luxembourg’s CNPD (Commission Nationale pour la Protection des Données) officially launched a Regulatory Sandbox for AI. This initiative allows companies registered in Luxembourg to test their AI systems in a collaborative and supervised environment, with a focus on GDPR compliance.

Upcoming Steps

The AI Act (Regulation (EU) 2024/1689) was published in the Official Journal of the EU on 12 July 2024 and entered into force on 1 August 2024, twenty days after publication, in accordance with Article 113. Its provisions apply in stages:

  • Six months after entry into force (2 February 2025):
    The rules on prohibited AI practices will apply.

  • Twelve months after entry into force (2 August 2025):
    Obligations related to general-purpose AI models, the establishment of the EU and national governance bodies, and the penalty provisions will become applicable.

  • Thirty-six months after entry into force (2 August 2027):
    The requirements for high-risk AI systems that are products, or safety components of products, covered by the EU harmonisation legislation listed in Annex I will come into effect.

The remaining provisions, including the obligations for the high-risk AI systems listed in Annex III, apply 24 months after entry into force (2 August 2026). This staged approach allows for a phased rollout based on risk levels and preparedness.

Further Developments

The AI Act is part of a broader legislative framework that also includes the forthcoming:

  • AI Liability Directive, which is intended to address civil liability for harm caused by AI systems, and

  • revised Product Liability Directive, which updates the EU's product liability rules so that they cover software and AI systems.

Together, these instruments will define the EU’s comprehensive regulatory approach to artificial intelligence in the years ahead.


EU updates AML/CFT blacklist and adds five countries

The European Commission has issued a new regulation to amend Delegated Regulation (EU) 2016/1675 by adding the Democratic Republic of the Congo, Gibraltar, Mozambique, Tanzania and the United Arab Emirates to Table I of the Annex and deleting Nicaragua, Pakistan, and Zimbabwe from that table. The regulation is aimed at ensuring the effective protection of the integrity and proper functioning of the financial system and the internal market of the Union from money laundering and terrorist financing. 

The European Union has been identifying countries with strategic deficiencies in their regimes on Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) that pose significant threats to the financial system of the Union. In line with Article 9(4) of Directive (EU) 2015/849, the Commission takes the recent available information into account, in particular recent Financial Action Task Force (FATF) Public Statements, the FATF list of ‘Jurisdictions under Increased Monitoring’, and FATF reports of the International Cooperation Review Group in relation to the risks posed by individual third countries. 

Since the latest amendments to Delegated Regulation (EU) 2016/1675, the FATF has significantly updated its list of ‘Jurisdictions under Increased Monitoring’. At its plenary meeting in March 2022, the FATF added the United Arab Emirates (UAE) to its list and deleted Zimbabwe from its list. At its plenary meeting in June 2022, the FATF added Gibraltar to its list. At its plenary meeting in October 2022, the FATF added the Democratic Republic of the Congo (DRC), Mozambique and Tanzania to its list and deleted Nicaragua and Pakistan from its list. All those changes were assessed by the Commission in line with Article 9 of Directive (EU) 2015/849. 

The UAE made a high-level political commitment in February 2022 to work with the FATF and the Middle East and North Africa Financial Action Task Force to strengthen the effectiveness of its AML/CFT regime. Since then, the UAE demonstrated positive progress, including by providing additional resources to the Financial Intelligence Unit (FIU) to strengthen the FIU analysis and providing financial intelligence to Law Enforcement Authorities and the Public Prosecutors for combating high-risk ML threats. The UAE should continue to work to implement its FATF action plan. 

Despite that commitment and progress, the concerns that led to the listing of the UAE by the FATF have not yet been fully addressed. The UAE should therefore be considered as a country that has strategic deficiencies in its AML/CFT regime under Article 9 of Directive (EU) 2015/849. 

In June 2022, Gibraltar made a high-level political commitment to work with the FATF and MONEYVAL, the Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism of the Council of Europe, to strengthen the effectiveness of its AML/CFT regime. Gibraltar has made progress on a significant number of the recommended actions in its mutual evaluation report (MER) since the adoption of that MER in December 2019, such as completing a new national risk assessment, addressing the technical deficiencies in relation to beneficial-owner record keeping, introducing transparency requirements for nominee shareholders and directors, strengthening the financial intelligence unit, and refining its ML investigation policy in line with risks. 

The DRC, Mozambique and Tanzania have been identified as countries that have strategic deficiencies in their AML/CFT regimes. The FATF identified significant strategic deficiencies in their AML/CFT regimes, resulting in the countries being listed as ‘Jurisdictions under Increased Monitoring’. The Commission has considered the recent available information, including FATF reports of the International Cooperation Review Group in relation to the risks posed by the three countries. 

The European Commission has reviewed the progress made by Nicaragua, Pakistan, and Zimbabwe in addressing strategic deficiencies in their AML/CFT regimes, which led to their delisting by the FATF in 2022. The FATF has welcomed the significant progress made by these countries, noting that they have established legal and regulatory frameworks to meet their commitments in their respective action plans. The Commission’s assessment concludes that Nicaragua, Pakistan, and Zimbabwe no longer have strategic deficiencies in their AML/CFT regimes and have addressed related technical deficiencies to meet their commitments. These countries will continue to work with regional bodies to further improve their AML/CFT systems, including oversight of non-profit organizations in line with FATF standards. 

Following this amendment, the following countries are identified as high-risk third countries in Table I of the Annex: 

  1. Afghanistan 
  2. Barbados 
  3. Burkina Faso 
  4. Cambodia 
  5. Cayman Islands 
  6. Democratic Republic of the Congo 
  7. Gibraltar 
  8. Haiti 
  9. Jamaica 
  10. Jordan 
  11. Mali 
  12. Morocco 
  13. Mozambique 
  14. Myanmar 
  15. Panama 
  16. Philippines 
  17. Senegal 
  18. South Sudan 
  19. Syria 
  20. Tanzania 
  21. Trinidad and Tobago 
  22. Uganda 
  23. United Arab Emirates 
  24. Vanuatu 
  25. Yemen 

The amending instrument is Commission Delegated Regulation (EU) 2023/410 of 19 December 2022 amending Delegated Regulation (EU) 2016/1675 as regards adding the Democratic Republic of the Congo, Gibraltar, Mozambique, Tanzania and the United Arab Emirates to Table I of the Annex to Delegated Regulation (EU) 2016/1675 and deleting Nicaragua, Pakistan and Zimbabwe from that table.   

Get in touch with our team for expert advice and assistance on the latest developments. 


New law simplifies administrative dissolution for empty shell companies in Luxembourg

The new Law of 28 October 2022 creating the procedure for administrative dissolution without liquidation entered into force on 1 February 2023. It provides a simplified dissolution process for “empty shell” commercial companies, which is carried out at the request of the Public Prosecutor in collaboration with the managing entity of the Luxembourg Register of Commerce and Companies (RCS), the Luxembourg Business Register (LBR).

To initiate the administrative dissolution process, a commercial company must meet three cumulative conditions: (1) an infringement of criminal law or a material breach of commercial law committed by the company, (2) the absence of employees, and (3) the absence of assets.

The administrative dissolution process in Luxembourg is carried out through an exchange of information between the LBR and the Public Prosecutor. The LBR conducts necessary checks, collects financial, administrative, and tax data, and provides the information to the Public Prosecutor. Based on the findings, the Public Prosecutor will determine whether to request the LBR to initiate the dissolution procedure. The procedure is then initiated, and the company is notified and the information is published in the Recueil électronique des sociétés et associations (RESA). The company is unable to manage its assets from the date of publication of the opening decision in the RESA. Afterwards, the LBR obtains evidence regarding the presence of employees or assets from financial institutions, insurance companies, and other relevant authorities, and the results are then presented to the Public Prosecutor who will decide whether to continue or discontinue the procedure. If all the required conditions are met, the administrative dissolution process will be concluded within six months and the company will be dissolved and removed from the RCS.

The Public Prosecutor spearheads the administrative dissolution procedure, with the District Court handling commercial matters having oversight. If a company or any third party wishes to challenge the procedure, they must submit their grievances to the President of the District Court within a month of the publication of the opening decision on the RESA.

Some entities, such as regulated UCIs (UCITS, Parts II Funds, SIFs, SICARs), RAIFs, insurance and reinsurance companies, credit institutions, and law firms, are excluded from the scope of the Law. Non-supervised investment funds and their alternative investment fund managers could be eligible for such administrative dissolution if they meet the criteria of an empty shell.

Get in touch with our Restructuring and Insolvency team for an in-depth discussion about the above! Our experts are here to help and provide you with the information you need to make informed decisions.



The end of the unrestricted access to the Luxembourg register of beneficial owners - ECJ joined cases C‑37/20 and C‑601/20

As we reported in our newsletter dated 27 May 2022, the European Court of Justice (the “ECJ”) had for several months been seised of the question of whether the system of access to the Luxembourg Register of Beneficial Owners (the “RBO”) is compatible with European law.

The legal opinion of Advocate General Pitruzzella raised in 2022 the issue of the open-data system: anyone, without specifying his or her identity, could have access to the RBO, which the Advocate General considered incompatible with the duties of the Member States concerning privacy.

The ECJ recently ruled in a judgment of 22 November 2022 that public access to beneficial ownership information under the amended AML Directive (the Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing) constitutes a serious interference with the fundamental rights to privacy and personal data protection enshrined in Articles 7 and 8 respectively of the Charter of Fundamental Rights of the European Union (hereinafter the “Charter”).

More specifically, the Court noted that the data anyone could find on the RBO:

  • makes it possible to draw up a profile of certain personal identification data, the state of wealth of the person concerned and the specific economic sectors, countries, and companies in which he or she has invested;
  • becomes accessible to a potentially unlimited number of persons, so that such processing of personal data is likely to also allow persons who, for reasons unrelated to the purpose of the measure, seek information on the material and financial situation of a beneficial owner, to have free access to that information;
  • once made available to the general public, can not only be freely consulted but also stored and disseminated, which aggravates the potential consequences of any misuse for the data subjects and makes it all the more difficult, or even illusory, for them to defend themselves effectively against such misuse.

The open-data system of the RBO therefore affects the privacy rights of the listed beneficial owners. The ECJ nonetheless accepted that such a serious interference can in principle be justified by an objective of general interest, since the Directive at the origin of the RBO “aims at preventing money laundering and terrorist financing by creating, through increased transparency, an environment less likely to be used for these purposes.”

Firstly, however, the ECJ found that the interference, even if justified in principle, is not limited to what is strictly necessary: the conditions of access to the RBO go beyond what is strictly necessary, even though the interest of the press and of civil society organisations in such data and the usefulness of the RBO to criminal investigations are not in dispute. Secondly, the ECJ found that the interference is not proportionate either, since the substantive rules governing it do not meet the requirement of clarity and precision.

The fight against money laundering and terrorist financing is primarily the responsibility of the public authorities as well as of entities, such as credit or financial institutions, which, because of their activities, have specific obligations in this respect (the “KYC duties”). For this reason, the amended AML Directive provides that information on beneficial owners must be accessible, in all cases, to the competent authorities and financial intelligence units, without any restriction, as well as to reporting entities, in the context of customer due diligence.

In comparison with the previous regime, which provided access to information on beneficial owners not only for the competent authorities and certain entities but also for any person or organisation able to demonstrate a legitimate interest, the regime introduced by Directive 2018/843 represents a considerably more serious infringement of the fundamental rights guaranteed by Articles 7 and 8 of the Charter, without this aggravation being offset by the possible benefits, which could result from the latter regime compared to the former, as regards the fight against money laundering and terrorist financing.

Following this decision, access to the RBO was immediately suspended in Luxembourg as of 22 November 2022.