Skip to content

Simplified CSSF procedure authorisation of material IT outsourcings replaced by prior notification

Related people
Di Lorenzo Catherine
Catherine Di Lorenzo

Counsel

Luxembourg

View profile →

Ingallo Dara
Dara Ingallo

PSL - Senior Associate

Luxembourg

View profile →

Dutkiewicz Izabela
Izabela Dutkiewicz

Associate

Luxembourg

View profile →

Azoulay Barbara
Barbara Azoulay

Associate

Luxembourg

View profile →

Paul Wagner

Associate

Luxembourg

View profile →

Kim Lukac

Junior Associate

Luxembourg

View profile →

12 November 2021

On 20 October 2021, the CSSF published a press release 21/25 in relation to the new CSSF Circular 21/785 on the replacement of the prior authorisation obligation by a prior notification obligation in the case of material IT outsourcing (the Circular) to service providers that are not professionals of the financial sector under the supervision of the CSSF. 

The Circular amends four existing CSSF Circulars governing, among other things, IT outsourcing:

  • CSSF Circular 12/552, which applies to credit institutions and professionals performing lending operation;
  • CSSF Circular 17/656, which applies to electronic money institutions, payment institutions and PFS other than investment firms;
  • CSSF Circular 20/758, which applies to investment firms; and
  • CSSF Circular 17/654 on cloud computing, which applies to all the above entities as well as AIFMs, UCITS, UCITS management companies, depositaries of AIFs and UCITS, central counterparties, Tier 2 third country central counterparties complying with the relevant EMIR requirements, data reporting services providers, market operators operating a trading venue, central securities depositaries and administrators of critical benchmarks.

Three months’ prior notification of material IT outsourcing

The Circular replaces the regime of prior authorisation of material IT outsourcing (including outsourcing to a cloud based infrastructure) in the four existing circulars by a notification prior to implementation. The CSSF has explained that the change was introduced in response to the continuing development of material IT outsourcing, in particular after the rise of 40% in IT outsourcing authorisation applications between 2019 and 2021.

Supervised entities must notify the material IT outsourcing three months before implementation using the dedicated notification form made available on the CSSF’s website. If the CSSF does not react within the notification period, the supervised entity may proceed as planned. 

Material IT outsourcing refers to the IT outsourcing of “critical or important functions” as defined in the EBA Guidelines, namely functions the defect or failure of which would materially impair the soundness or continuity of the supervised entity’s services, activities, financial performance as well as regulatory compliance. To perform the materiality assessment, institutions should take into account the CSSF FAQ on materiality.

The CSSF FAQ on materiality clarify that IT outsourcing is an arrangement of any form between a supervised entity and a service provider (including of the same group) by which the service provider performs an IT process, an IT service or an IT activity that would otherwise be undertaken by the supervised entity itself.

Fast-track notification for material IT outsourcing to support PSF

The notification period is reduced to one month in the case of outsourcing to a support PSF pursuant to Articles 29-3 to 29-6 of the law of 5 April 1993 on the financial.

Cloud-computing provider agreement subject to EU Member State law and cloud data centre located in the EU

Additionally, the new CSSF Circular 21/785 amends CSSF Circular 17/654 on cloud computing, according to which the service agreement signed with the cloud-computing provider must be subject to the law of an EU Member State and at least one data centre must be located in the EU and must be capable of autonomously providing the cloud computing services. The new circular provides that these conditions may be disregarded when the supervised entity can benefit from a group agreement which was signed by a non-EU company with the cloud computing provider.

Immediate effect

The Circular took effect on 15 October 2021. 

In its communiqué of 14 October 2021, the CSSF specified the transitional measures applicable. The former regime remains applicable to authorisation applications that were submitted up until 31 August 2021 (included).

Supervised entities, that submitted their applications between 1 September 2021 and 14 October 2021, will either: receive from the CSSF (i) a request for complementary information or a refusal by 15 January 2022; or (ii) no response, in which case the supervised entities may proceed with the outsourcing as from 15 January 2022. 

The notification procedure reduces the administrative burden of supervised entities and improves the proper execution of material IT outsourcing, by giving certainty to the date as from which outsourcing can be implemented.