CSSF Regulatory Update Overview

| CSSF Circular Name | Release Date | Applicability Date | Important Dates & Requirements | Key Obligations and Actions Required | Primary Audience / Affected Parties | Related Job Functions | Mapping to EU Regulation / EBA Guideline | Scope |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
Circular CSSF 25/880 on relationship management of payment service users and PSP ICT assessment | 9 April 2025 | Immediate | • Annual PSP ICT Assessment: Submit the assessment for the previous calendar year to CSSF via the eDesk portal by 31 March each year. The form must be validated by the member of the Management Body responsible for ICT. | • Enhance user awareness of payment security risks through assistance and guidance.<br>• Provide PSUs with options to disable specific payment functionalities, adjust spending limits, and receive security alerts.<br>• Keep PSUs informed of security procedure updates.<br>• Submit an annual PSP ICT Assessment using the CSSF’s standardized form. | • Management Body<br>• ICT Department<br>• Customer Relationship / Service Teams<br>• Compliance & Risk Management | ICT, Compliance, Risk Management, Customer Service | EBA/GL/2025/02 amending EBA/GL/2019/04 on ICT and security risk management.<br><br>Payment Services Directive 2 (PSD2). | Applies to all Payment Service Providers (PSPs) supervised by the CSSF, including Luxembourg branches of third-country PSPs and POST Luxembourg. EEA branches of Luxembourg PSPs must be included in the assessment. |
Circular CSSF 25/881 amending Circular CSSF 20/750 on ICT and security risk management | 9 April 2025 | Immediate | • DORA Applicability: For entities now covered by DORA, Circular CSSF 20/750 no longer applies as of 17 January 2025. | • Maintain a comprehensive ICT strategy aligned with the overall business strategy.<br>• Establish and document an ICT and security risk management framework, approved annually by the management body.<br>• Implement information security policies covering logical, physical, and operational security.<br>• Establish Business Continuity Plans (BCPs) and test them at least annually for critical functions. | • Management Body<br>• ICT / IT Department<br>• Information Security<br>• Internal Control Functions (Risk, Compliance, Audit)<br>• Business Continuity Management | ICT, Information Security, Risk Management, Internal Audit, Management Body | EBA Guidelines EBA/GL/2019/04 (the text of which is now directly integrated into the circular).<br><br>Amended to remove overlap with the Digital Operational Resilience Act (DORA). | Applies in full to entities not falling under DORA, such as Support PFS, Specialised PFS, POST Luxembourg, and all branches in Luxembourg of credit institutions, investment firms, and payment institutions incorporated in a third country. |
Circular CSSF 25/882 on requirements on the use of ICT third-party services for DORA entities | 9 April 2025 | Immediate | • Notification for Critical ICT Services: Notify CSSF at least 3 months before a planned contractual arrangement for critical/important ICT services comes into effect (reduced to 1 month for Luxembourg support PFS).<br>• Register of Information Submission: The first register (for year 2025) must be submitted between 1 April 2025 and 15 April 2025. Subsequently, the annual submission for year ‘n’ is due between 28 February and 31 March of year ‘n+1’. | • Maintain and submit an annual register of all ICT third-party service provider contracts.<br>• Ensure compliance with professional secrecy rules (e.g., Art. 41(2a) LFS) for all ICT TPP arrangements.<br>• For cloud services, appoint a “Cloud Officer” responsible for the use of cloud services and staff competence.<br>• Maintain a daily, secure backup of accounting positions in the EEA if using an accounting system outside Luxembourg. | • Management Body<br>• Procurement / Vendor Management<br>• Legal Department<br>• ICT / IT Department<br>• Cloud Management Teams<br>• Accounting / Finance | ICT, Vendor Management, Legal, Compliance, Cloud Officer, Accounting | Complements the Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554. | Applies to financial entities defined in Article 2 of DORA, including credit institutions, investment firms, payment institutions, CASPs, CSDs, CCPs, Management Companies, AIFMs, etc. Does not apply to microenterprises. |
Circular CSSF 25/883 amending Circular CSSF 22/806 on outsourcing arrangements | 9 April 2025 | Immediate | • Existing Arrangements Deadline: Existing outsourcing arrangements must be documented in line with the original circular by 31 December 2022.<br>• Pre-notification of critical outsourcing: Notification is required at least 3 months before the arrangement comes into effect (reduced to 1 month for Luxembourg support PFS). | • Maintain an updated outsourcing policy covering the entire lifecycle of arrangements.<br>• Conduct pre-outsourcing analysis, including risk assessments and due diligence on service providers.<br>• Establish a register of all outsourcing arrangements, distinguishing between critical and non-critical functions.<br>• Develop and test exit plans for all critical or important outsourced functions. | • Management Body<br>• Procurement / Vendor Management<br>• Internal Control Functions<br>• Legal Department<br>• All Business Units utilizing outsourced services | Procurement/Vendor Management, Legal, Compliance, Risk Management, Management Body, Internal Audit | Implements EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and ESMA Guidelines on outsourcing to cloud service providers (ESMA50-164-4285).<br><br>Amended to remove overlap with DORA for ICT outsourcing. | For non-ICT outsourcing, it applies to DORA entities (credit institutions, investment firms, payment institutions).<br><br>For all outsourcing (including ICT), it applies to entities not under DORA (e.g., other PFS, POST Luxembourg). |
Circular CSSF 25/884 on remuneration policies for IFR investment firms | 14 April 2025 | Immediate | • EBA Guidelines Application: Applicable as of 30 April 2022.<br>• Waivers: For smaller firms or staff with low variable pay, Member States can waive requirements for deferral and pay-out in instruments. | • Establish a sound, gender-neutral remuneration policy for all staff.<br>• Establish a Remuneration Committee for firms with assets over EUR 100 million.<br>• Identify “identified staff” whose activities materially impact the firm’s risk profile.<br>• Structure variable pay with deferral, retention, and pay-out in instruments for identified staff, subject to proportionality. | • Management Body<br>• Remuneration Committee<br>• Human Resources<br>• Legal & Compliance<br>• Internal Control Functions | HR, Legal, Compliance, Risk Management, Management Body | Implements EBA Guidelines on sound remuneration policies under Directive (EU) 2019/2034 (EBA/GL/2021/13). | Applies to “non-SNI IFR investment firms” (Class 2 IFs).<br><br>“SNI IFR investment firms” (Class 3 IFs) must continue to comply with Circular CSSF 10/437. |
Circular CSSF 25/892 on estimation of costs from major ICT-related incidents | 27 May 2025 | 31 May 2025 | • Reporting upon Request: Financial entities must, upon request from the CSSF, provide an estimation of aggregated annual costs and losses from major ICT-related incidents. | • Establish a process to estimate aggregated annual costs and losses from major ICT-related incidents.<br>• Use the specified template (Annex I of the guidelines) for submission.<br>• Choose a consistent reference year (calendar or accounting year) for reporting.<br>• Base estimations on financial statements or supervisory reporting where possible. | • Management Body<br>• ICT / IT Department<br>• Finance / Accounting<br>• Risk Management | ICT, Finance, Risk Management | Adopts the Joint ESA Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents (JC 2024 34). | Applies to all DORA financial entities except microenterprises. EU branches of entities with head offices in other Member States are excluded. |
Circular CSSF 25/893 on reporting of major ICT-related incidents and significant cyber threats | 27 May 2025 | Immediate for DORA entities; 6 months after publication for “PSPs not under DORA” | • Initial Notification: Report major ICT-related incidents to CSSF via eDesk Portal or API interface according to RTS time limits.<br>• No Aggregated Reporting: CSSF does not permit aggregated reporting for major ICT-related incidents. | • Classify ICT-related incidents according to the criteria and thresholds in the RTS on classification.<br>• Submit initial, intermediate, and final reports for major ICT-related incidents using the specified forms.<br>• Notify the CSSF of significant cyber threats on a voluntary basis.<br>• Inform CSSF of any outsourcing of reporting obligations. | • Management Body<br>• ICT Department<br>• Security Operations Center (SOC)<br>• Incident Response Team<br>• Compliance Department | ICT, Incident Response, SOC, Compliance | Implements RTS on classification of ICT-related incidents and cyber threats and RTS/ITS on incident and voluntary cyber threats reporting under DORA. | Applies to all DORA financial entities and also extends DORA’s reporting framework to “PSPs not under DORA” (e.g., third-country PSP branches, POST Luxembourg). |
Circular CSSF 25/895 on reporting for covered bond issuance | 31 July 2025 | N/A | • Quarterly Reporting: Submit tables on cover pools, liquidity, etc., by the 11th of February, May, August, and November.<br>• Annual Reporting: Submit a report in PDF format covering specific items from Article 16 of the Law. | • Transmit quarterly information using the specific .xlsx template provided by the CSSF, duplicating tabs for each issuance program.<br>• Transmit annual information in a free-form PDF report.<br>• Ensure reported data respects all regulatory limits and ratios as defined in the Law of 8 December 2021. | • Finance / Treasury<br>• Capital Markets / Funding Teams<br>• Regulatory Reporting<br>• Legal & Compliance | Treasury, Capital Markets, Regulatory Reporting, Compliance | Defines the reporting format and modalities for the Law of 8 December 2021 on the issuance of covered bonds. | Applies to all Luxembourg credit institutions that issue covered bonds (lettres de gage). |
Circular CSSF 25/896 on implementation of restrictive measures (sanctions) | 18 August 2025 | 30 December 2025 | • Guidelines Application: Applicable as of 30 December 2025. | • Appoint a senior staff member responsible for compliance with restrictive measures.<br>• Conduct and document a restrictive measures exposure assessment at least annually.<br>• Implement a reliable screening system for customer base and transfers, calibrated to minimize false positives.<br>• Establish procedures to immediately freeze funds/crypto-assets and report true matches to authorities. | • Management Body<br>• Compliance / AML / Sanctions Teams<br>• Legal Department<br>• Operations / Payments | Compliance, AML, Sanctions, Legal, Operations | Adopts EBA Guidelines EBA/GL/2024/14 and EBA/GL/2024/15 on internal policies and controls for implementing Union and national restrictive measures. | Applies to credit institutions, investment firms, payment service providers (PSPs), and crypto-asset service providers (CASPs), including VASPs registered as of 30 Dec 2024. |