CSSF Circular Updates: ICT Risk Management and Use of ICT Third-Party Services Under DORA
On 9 April 2025, the Commission de Surveillance du Secteur Financier (“CSSF”) published a set of regulatory updates in response to the entry into application of the Digital Operational Resilience Act (“DORA”). These updates include two newly issued circulars and amendments to two existing ones. Together, they seek to clarify the interaction between Luxembourg’s domestic information and communication technology (“ICT”) supervisory framework and the directly applicable DORA rules, while maintaining certain specific provisions relevant at national level.
The updates are relevant for both entities within the scope of DORA (“DORA entities”) and those that remain outside it (“non-DORA entities”). Entities falling under either classification are advised to reassess their regulatory position, notification obligations, and third-party contractual arrangements in light of the clarified framework.
Key Takeaways
- CSSF Circular 25/880 introduces a standalone regime applicable exclusively to Payment Service Providers (“PSPs”). It implements the revised EBA Guidelines on ICT and security risk management (EBA/GL/2025/02), which amend the earlier EBA/GL/2019/04, and consolidates the ICT risk and reporting framework applicable to PSPs in Luxembourg. The circular also integrates the reporting requirement set out in Article 105-1(2) of the Law of 10 November 2009 on payment services. The aim is to isolate PSP-specific rules from the broader framework applicable to non-PSP and non-DORA entities, while aligning national supervisory expectations with the latest EBA standards.
- CSSF Circular 25/881 amends Circular CSSF 20/750 by narrowing its scope of application. As of 9 April 2025, Circular 20/750 applies only to non-DORA entities, with PSP-related provisions removed in light of the creation of Circular 25/880. The result is a cleaner separation of regimes: non-DORA entities remain subject to the amended Circular 20/750, whereas PSPs and DORA entities are subject to their respective frameworks.
- In response to the harmonised rules introduced by DORA on ICT third-party risk management, the CSSF has issued CSSF Circular 25/882. This circular outlines supervisory expectations applicable to DORA entities when relying on external ICT service providers, including providers involved in the performance of critical or important functions. The circular defines the types of in-scope entities in line with DORA Article 2(1), including credit institutions, investment firms, UCITS management companies (both Chapter 15 and Chapter 16), alternative investment fund managers authorised under Chapter 2 and internally managed alternative investment funds within the meaning of point (b) of Article 4(1) of the Law of 12 July 2013 on alternative investment fund managers, and investment companies without a designated management company. In particular, the CSSF reiterates the obligation for DORA entities to submit a notification in a timely manner for any planned ICT outsourcing arrangement that supports a critical or important function, or when a function subsequently becomes critical or important. Entities are also required to maintain a register of information, with the submission window for the 2025 reporting year set between 1 April and 15 April. Circular 25/882 also maintains certain provisions originally found in Circular 22/806 that are not addressed by DORA but which the CSSF considers necessary for local supervision. These include Luxembourg-specific expectations in areas such as data localisation, backup arrangements for (outsourced) accounting systems, and the appointment of a qualified cloud officer. Furthermore, the CSSF confirms it will continue to distinguish between cloud and non-cloud ICT services, notwithstanding the absence of such distinction in the DORA Regulation itself. The overall objective is to ensure continued supervisory visibility over critical ICT dependencies, while allowing the CSSF to rely on established national mechanisms that have proven effective in practice.
- CSSF Circular 25/883 amends Circular CSSF 22/806 in order to remove the ICT outsourcing provisions that have now been superseded by DORA and Circular 25/882, but only for entities that fall under the DORA regime. As a result, ICT outsourcing is no longer governed by Circular 22/806 for DORA entities, although business process outsourcing remains in scope. In contrast, non-DORA entities remain fully subject to Circular 22/806, including its ICT outsourcing requirements. Moreover, the circular remains applicable to Chapter 16 management companies for the purposes of ICT outsourcing, given their exclusion from the broader DORA regime. Finally, the CSSF has repealed the previous requirement for cloud service agreements to be subject to the law of an EEA Member State and for cloud resilience to be ensured within the EEA. This change introduces a degree of contractual flexibility across both DORA and non-DORA regimes.
Practical Considerations and Next Steps
As part of the update, the CSSF has released new standard forms for ICT third-party arrangement notifications. DORA entities are expected to use the new form as of 9 April 2025, although a transition period until 10 May 2025 has been granted, during which submissions using the previous template will still be accepted.
Entities are reminded that notification timelines remain unchanged. As a general rule, notifications must be made at least three months in advance, or one month for certain Luxembourg PFS entities.
Conclusion
Through these regulatory adjustments, the CSSF introduces a dual-track supervisory model: one aligned with DORA for entities falling within its scope, and one maintained under amended national rules for all other supervised entities. By preserving certain operational and reporting practices rooted in earlier CSSF circulars, the regulator ensures both continuity and coherence in the transition to the new European framework.
All affected entities should now assess their ICT and outsourcing frameworks in light of these developments. This includes reviewing existing and upcoming contracts, updating internal registers, and ensuring that applicable notification obligations are met in a timely manner.
For guidance on how these changes may affect your operations, including assistance with notification procedures or compliance assessments, our team remains at your disposal.
CSSF issues new guidance on DORA regulation: Reminders and preparedness advice
On December 5, 2024, the Luxembourg financial regulator, the Commission de Surveillance du Secteur Financier (CSSF), issued important reminders and practical advice for Financial Entities in preparation for the application of the Digital Operational Resilience Act (DORA).
LEI code requirement
Financial Entities must obtain and activate an LEI (Legal Entity Identifier) code to meet certain reporting obligations under DORA. This requirement, outlined in various level 2 texts (e.g., ITS on the register of information and RTS/ITS on reporting of major ICT-related incidents), takes effect on January 17, 2025. Entities without an LEI code are advised to proceed promptly to ensure compliance.
ICT incident notification via eDesk
Effective January 17, 2025, Financial Entities are required to report significant ICT-related incidents to the CSSF via the eDesk platform. To comply, entities must establish the “IT Incident Notifier” role in eDesk before this date. Reporting procedures will adhere to those outlined in Circular CSSF 24/847 or the “Major ICT-related incident notification” procedure available on the CSSF eDesk Portal (eDesk), ensuring alignment with current practices.
ICT outsourcing notifications
DORA’s Article 28.3 requires Financial Entities to notify authorities of planned ICT contractual arrangements supporting critical or important functions. The CSSF clarified that previously notified outsourcing arrangements under Circular CSSF 22/806 do not need to be resubmitted. However, ICT services already in place that were not deemed critical must be listed in the Register of Information.
Upcoming deadlines and further guidance
The ESAs have set 30 April 2025 as the deadline for competent authorities to submit the first register of information for the designation of critical ICT third-party providers. The CSSF will announce the timeline for Financial Entities to submit their registers shortly.
The full reminder can be accessed directly on the CSSF website: DORA Regulation – reminders and advice on preparedness – CSSF
Feel free to contact us should you have any questions.