The Revised CSSF Cloud Circular

The Revised CSSF Cloud Circular

The Revised CSSF Cloud Circular

23.07.2019 LU law

On 27 March 2019, the Luxembourg supervisory authority for the financial sector (the Commission de surveillance du secteur financier or CSSF) published the long-awaited CSSF Circular 19/714 amending the CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure (the Revised Cloud Circular).

The Revised Cloud Circular (CSSF Circular 19/714) notably makes the following amendments to the CSSF Circular 17/654:

  • inclusion of investment fund managers in the scope of application of the Revised Cloud Circular (in line with the CSSF Circular 18/698) in addition to all credit institutions and professionals of the financial sector (PFS) authorised under the Luxembourg law of 5 April 1993 on the financial sector, as amended (the Financial Sector Law), and all payment institutions and electronic money institutions (the Supervised Entities) authorised under the Luxembourg law of 10 November 2009 on payment services, as amended;
  • deletion of the requirement to notify the CSSF of a cloud computing outsourcing of non-material activities in favour of maintaining a cloud register (the Cloud Register);
  • introduction of the Cloud Register to be maintained by the Supervised Entities for all cloud computing outsourcing irrespective of whether the outsourced activities are material or non-material;
  • replacement of the former “compliance table” under the initial CSSF Circular 17/654 by more specific and pragmatic forms available on the CSSF website; and
  • in accordance with the general principle of proportionality, introduction of optionality for some requirements of the Revised Cloud Circular for non-material activities only (see point 3 below). 

The CSSF also published the following explanatory documents helping to better understand the Revised Cloud Circular on its website:

  • a guide to assist the Supervised Entities in qualifying the materiality of the activities; and
  • an updated FAQ to assist the Supervised Entities in their analyses and procedures.

1. Compulsory Cloud Register

Supervised Entities falling under the scope of the Revised Cloud Circular shall maintain a Cloud Register under the form published by the CSSF on its website of all cloud computing infrastructure outsourcing, whether the outsourced activities are material[1] or not. This Cloud Register shall be transmitted to the competent authority (the CSSF or the European Central Bank for Luxembourg credit institutions falling under its supervision, the Competent Authority) upon request.

Apart from investment fund managers, which will have one year to comply (i.e. no later than 27 March 2020), other Supervised Entities shall establish and complete their Cloud Register within six months as from the entry into force of the Revised Cloud Circular on 27 March 2019 (i.e. no later than 27 September 2019).

It is important that all Supervised Entities ensure compliance within the deadlines set by the Revised Cloud Circular, as the CSSF will carry out unannounced controls.

2. Prior Notification and Authorisation Forms for the Outsourcing of Material Activities

Supervised Entities intending to outsource material activities to a cloud computing infrastructure must notify the Competent Authority where any of the below conditions is met:

  1. the cloud computing service provider is an institution authorised under Articles 29-3 or 29-4 of the Financial Sector Law (i.e. a Primary IT systems operators of the financial sector or a Secondary IT systems and communication networks operators of the financial sector (the IT Support PFS) and resource operation[2] is carried out either by the Supervised Entity or by an IT Support PFS; or
  2. resource operation is carried out by an IT Support PFS, where the latter is the signatory[3].

The notification form to be transmitted to the Competent Authority during the preliminary phase of the project is available on the CSSF website as the form A.

However, where none of the conditions set out above is met, Supervised Entities must electronically apply for a prior authorisation to the Competent Authority using the form B available on the CSSF website.

Similarly, a Supervised Entity intending to change its cloud computing service provider, its models or its resource operator must inform anew the Competent Authority in accordance with the requirements set out above (i.e. new notification or authorisation request).

But Supervised Entities wishing to terminate a cloud outsourcing which is material will have to notify the Competent Authority of their decision by using the specific notification form C available on the CSSF website.

3. Optionality of Some Requirements for Non-Material Activities Only

The Revised Cloud Circular also introduces a principle of proportionality according to which the implementing measures of the Competent Authority shall be adapted to the nature, scale and complexity of the activity outsourced, including the risks. Therefore, pursuant to the principle of proportionality, Supervised Entities may justify not applying the following requirements of the Revised Cloud Circular where only non-material activities are outsourced and in accordance with their risk analysis:

  • notification by the cloud computing service provider in case of change of functionalities (point 27.j of the Revised Cloud Circular);
  • notification by the resource operator in case of change of functionalities (point 27.k of the Revised Cloud Circular);
  • continuity in case of resolution or reorganisation or another procedure (point 28.b of the Revised Cloud Circular);
  • transfer of services in case the continuity is threatened (point 28.c of the Revised Cloud Circular);
  • monitoring of activities (point 30 of the Revised Cloud Circular);
  • contract under the European Union law (point 31.a of the Revised Cloud Circular);
  • resiliency of the services in the European Union (point 31.b of the Revised Cloud Circular);
  • right of audit for the Supervised Entity (point 31.j of the Revised Cloud Circular);
  • details regarding the right of audit (point 32 of the Revised Cloud Circular); and
  • exercise of the right of audit (point 33 of the Revised Cloud Circular). 

Supervised Entities must briefly justify their decision not to apply limited requirements of the Revised Cloud Circular by completing the last part of their Cloud Register dedicated to these aspects.

4. Sanctions

Depending on whether the outsourcing is material or not and to various factors to be assessed in concreto in each case, the CSSF may impose the following penalties in order of increasing severity:

  • a warning,
  • a blame,
  • a fine,
  • one or more of the following measures:
    • a temporary or definitive prohibition on the execution of any number of operations or  activities, as well as any other restrictions on the activities of the person or entity,
    • a temporary or definitive prohibition on participation in the profession by the de jure or de facto, directors or senior management personnel of persons or entities subject to the supervision of the CSSF.

The CSSF may also disclose to the public any penalties imposed, unless such disclosure would seriously jeopardise the financial markets or cause disproportionate damage to the parties involved.

5. Conclusion

Even if the Revised Cloud Circular is more flexible and based on a more decentralised approach than the initial CSSF Circular 17/654 in terms of notification and authorisation procedures, there are still important obligations for Supervised Entities, notably to establish and update regularly a Cloud Register. Supervised Entities should therefore ensure that sufficient attention is paid to the Revised Cloud Circular in the preparation and implementation of their cloud outsourcing projects.


The author published an extended article on the Revised Cloud Circular in the issue n° 8 (October 2019) of the review ACE – Comptabilité, fiscalité, audit, droit des affaires au Luxembourg (Wolters Kluwer): Nicolas Pradel, “Cloud Outsourcing: New Procedures for Luxembourg Supervised Entities under the Revised Cloud Circular”, in ACE – Comptabilité, fiscalité, audit, droit des affaires au Luxembourg, n° 8, vol. 14, October 2019, pp. 18-26.

The content of this article is intended to provide a general overview of the subject matter. Please contact us should you require any further information.



  1. “Material activity” means any activity that, when it is not carried out in accordance with the rules applicable to the Supervised Entity, reduces the Supervised Entity’s ability to meet the regulatory requirements or to continue its operations as well as any activity necessary for sound and prudent risk management.
  2. “Resource operation” means managing cloud computing resources made available through the client interface. By extension, “resource operator” means the natural or legal person that uses the client interface to manage the cloud computing resources.
  3. “Signatory” means the institution that signs the contract with the cloud computing service provider. Several cases can be distinguished to identify the signatory of a cloud computing service contract:

a. where the Supervised Entity itself is the resource operator, the service contract is signed between the Supervised Entity and the cloud computing service provider (the signatory is the Supervised Entity).

b. where a third party is in charge of resource operation, the contract shall be signed: (i) either between the Supervised Entity and the cloud computing service provider (the signatory is the Supervised Entity) or (ii) between the resource operator and the cloud computing service provider (the signatory is the resource operator).


Related news

01.09.2020 NL law
Toezichthouders aan de poort

Articles - Het kan iedere financiële onderneming overkomen: in de bus vindt men een verzoek om informatie te verstrekken aan een van  de financiële toezichthouders, De Nederlandsche Bank (DNB) of de Autoriteit Financiële Markten (AFM). Een dergelijk verzoek leidt al snel tot onrust binnen de onderneming. Ingrid Viertelhauzen en Maciek Bednarski bespreken de reikwijdte van de inlichtingenbevoegdheid en plaatsen hier enkele kanttekeningen bij.

Read more

01.09.2020 NL law
Handhavingsbesluiten van financiële toezichthouders bestuursrechtelijk aanvechten

Articles - Financiële toezichthouders (Stichting Autoriteit Financiële Markten (AFM), De Nederlandsche Bank (DNB) en de Autoriteit Consument en Markt (ACM)) hebben een breed arsenaal aan formele sancties en informele maatregelen tot hun beschikking om normconform gedrag bij marktpartijen te bewerkstelligen. Voorbeelden daarvan zijn: een last onder dwangsom, een bestuurlijke boete, een aanwijzing, een waarschuwing, een normoverdragend gesprek en de publicatie van sancties.

Read more

10.08.2020 NL law
ISDA kondigt publicatie van Adjusted RFRs, wijziging van de 2006 Definitions en IBOR Fallback Protocol aan

Short Reads - In twee in juli verschenen persberichten kondigt ISDA (i) de aanvang van de berekening en publicatie door Bloomberg van zogenaamde 'Fallback Rates' voor een aantal bestaande IBORs en (ii) de voorgenomen publicatie door ISDA van gewijzigde 'rate options' in de 2006 Definitions en het langverwachte IBOR Fallback Protocol aan.

Read more

28.08.2020 NL law
Loan Market Association publiceert aanvulling op bestaande Revised Replacement of Screen Rate Clause in reactie op aanbeveling van Working Group on Sterling Risk-Free Reference Rates

Short Reads - In het kader van de rentebenchmarktransitie (voor uitleg en achtergrond, zie mijn vorige publicatie van augustus 2020) heeft de Loan Market Association (LMA) in mei 2018 een zogenaamde 'Replacement of Screen Rate Clause' gepubliceerd die partijen in hun op door de LMA ontwikkelde standaarddocumentatie gebaseerde kredietovereenkomsten kunnen opnemen.

Read more

27.07.2020 NL law
Outsourcing laws and Regulation in the Netherlands – 2020

Articles - Are there any additional legal or regulatory requirements for outsourcing transactions undertaken by government or public sector bodies? What formalities are required to transfer, lease or license assets on an outsourcing transaction? Or, What are the most material legal or regulatory requirements and issues concerning data security and data protection that may arise on an outsourcing transaction?

Read more