IT and cloud outsourcing: new notification regime

Extracted from Elvinger Hoss Prussen website on October 26, 2021
26 octobre 2021 par
vanessa Icardi Serrami

On 14 October 2021, the CSSF published its new CSSF Circular 21/785 with regard to replacing the prior authorisation obligation with a prior notification obligation in the case of material IT outsourcing (the “Circular”), which results in a simplification of the current regulatory requirements.

The Circular became effective from 15 October 2021.

I.  IT outsourcing (material) – authorisation requirement replaced by notification requirement 

Until now, all credit institutions, professionals of the financial sector (“PFS”), payment institutions and electronic money institutions subject to CSSF Circulars 12/552, 17/656 and 20/758 respectively, had to apply for the CSSF’s prior authorisation in the case of material IT outsourcing.

The Circular eases this regime by introducing a notification procedure, by which the CSSF needs to be notified (i) by means of the template forms available on the CSSF’s website and (ii) in advance of the contemplated implementation of the project. In particular, the Circular indicates the following:

  • notification to the CSSF 1 (one) month in advance in the case of outsourcing to a Luxembourg support PFS under Articles 29-3 to 29-6 of the 1993 Law on the financial sector; and

  • notification to the CSSF 3 (three) months in advance in all other cases.

The CSSF can, however, suspend these deadlines by asking for further information or by partly or fully opposing the project. 

Finally, the CSSF reminded, in its press release 21/25 , that even if a material IT outsourcing project was notified to them, the CSSF may still intervene afterwards, through on-site inspections for example, if they identify serious shortcomings regarding compliance with the professional obligations.

II.  Cloud outsourcing

1.   Authorisation requirement replaced by notification requirement 

The provisions of CSSF Circular 17/654, as amended, (the “Cloud Circular”) also become less constraining. From 15 October 2021, all the entities listed under I. above, as well as all investment fund managers subject to CSSF Circular 18/698 will be allowed to make a simple CSSF notification for material outsourcing on a cloud infrastructure, respectively applying the 1 (one) (in the case of outsourcing to a Luxembourg support PFS under Articles 29-3 to 29-6 of the 1993 Law on the financial sector), or three (3) months’ prior notification.

2.   More favourable regime for groups

From 15 October 2021, if the service agreement signed with the cloud computing service provider is a group-wide agreement (i.e. signed by a group entity for the benefit of other group affiliates, including the Luxembourg supervised entity):

  • The agreement with the cloud service provider can be subject to the laws of the country of establishment of the group entity having signed the agreement, even though the entity is located outside the European Union (Point 31 a. of the Cloud Circular).

  • In addition, having a resiliency of the cloud computing services in the European Union is no longer a requirement but this should still be taken into account when analysing the respective risks.

The Circular’s provisions ease considerably the regime applicable to group entities, which used to enter into agreements for the whole organisation and struggled to comply with the related requirements. 

III.  Transitional measures 

In its communiqués of 14 October 2021 (updated on 19 October 2021), the CSSF further provided indications for material IT outsourcing requests submitted before 15 October 2021. Requests submitted before 31 August 2021 will receive a response from the CSSF (i.e. a request for further information, (conditional) non-objection or refusal). With regard to requests submitted between 1 September 2021 and 14 October 2021 (until midnight), the CSSF stated that it would reply in one of the ways mentioned above up until 15 January 2022, the lack of any such reply being an implicit green light for implementing the proposed project.

Finally, the CSSF highlighted that supervised entities remain responsible for compliance with all applicable legal and regulatory provisions with respect to the notified IT outsourcing projects.