Big changes have arrived for Luxembourg’s financial sector. On April 9, 2025, the Commission de Surveillance du Secteur Financier (CSSF) published a set of new and amended circulars to bring its national framework in line with the EU’s Digital Operational Resilience Act (DORA). If you’re a financial entity or a service provider in Luxembourg, here’s what you need to know, and do, right now.
What’s Driving the Change?
DORA has applied across the EU since January 17, 2025, and aims to strengthen the digital operational resilience of the financial sector. It sets demanding requirements in five areas: managing information and communication technology (ICT) risk, reporting ICT-related incidents, testing digital operational resilience, managing ICT third-party risk, and sharing cyber threat information and intelligence. The CSSF’s latest circulars are designed to remove overlaps between national rules and DORA, clarify which requirements apply to whom, and make sure Luxembourg’s framework matches the EU-wide rules.
Key Regulatory Updates
Here’s a breakdown of the main changes:
ICT and Security Risk Management
- New Circular CSSF 25/880: This is now the reference text for payment service providers (PSPs), whether or not they are DORA financial entities. It implements the latest EBA Guidelines on ICT and security risk management, sets out how PSPs should assess their ICT and security risks, and introduces a new reporting requirement on operational and security risks.
- Circular CSSF 20/750: This circular now applies only to entities outside DORA’s scope, and its definition of “PSPs” has been narrowed accordingly. If you’re a DORA financial entity, you’re no longer covered by it.
Outsourcing Arrangements
- Circular CSSF 22/806: Previously, this circular covered all outsourcing, ICT outsourcing included. For DORA entities it now applies only to business process outsourcing; ICT outsourcing is governed directly by DORA, so the overlap is gone. For non-DORA entities and management companies, the circular continues to apply in full.
- Cloud Computing: The circular’s specific contractual clauses for cloud service providers have been repealed, so that DORA and non-DORA entities are now subject to harmonised cloud requirements.
New Requirements for ICT Third-Party Services
- New Circular CSSF 25/882: This sets out what DORA entities must do when they use ICT third-party services. It covers the related reporting obligations, the duty to maintain a detailed register of information on all ICT third-party arrangements, and it carries over those elements of the previous framework that DORA does not address but that the CSSF still requires for compliance.
What Should Financial Entities Do Next?
Here’s a quick action plan to help you stay compliant:
- Review and update your ICT and security risk management procedures to align with the latest EBA Guidelines and Circular CSSF 25/880.
- Make sure you meet the new operational and security risk reporting requirement under Article 105-1(2) of the Law of 10 November 2009 on payment services.
- Check your outsourcing agreements and update them to reflect Circular CSSF 22/806 (business process outsourcing) and, for DORA entities, DORA itself together with Circular CSSF 25/882 (ICT outsourcing and other ICT third-party services).
- If you’re a DORA entity, keep a comprehensive, up-to-date register of information on all your ICT third-party arrangements, as DORA and the new circulars require.
These changes aren’t just about ticking boxes; they’re about building stronger digital defences at a time when cyber risk keeps growing. DORA’s requirements now set the baseline, and the CSSF is making sure Luxembourg’s financial sector keeps pace. By acting now, you’ll stay on the right side of the rules and also help protect your business and your clients from digital threats.
If you’re unsure how these updates affect your organization or need help updating your policies and contracts, now’s the time to seek expert advice. The new rules are here, and being proactive is the best way to stay resilient.
Read more:
- https://www.cssf.lu/en/2025/01/entry-in-application-of-dora-regulation-on-17-january-2025/
- https://www.cssf.lu/en/digital-operational-resilience-act-dora/
- https://www.goodwinlaw.com/en/insights/publications/2025/01/alerts-finance-fs-entry-into-force-of-dora-in-luxembourg
- https://www.cssf.lu/en/2025/04/definition-of-ict-services-under-dora-new-forms-for-ict-third-party-arrangements-ict-outsourcing-arrangements/
- https://chambers.com/articles/dora-the-cssf-is-making-far-reaching-changes-to-its-regulatory-framework-on-ict-risks-and-outsourc
- https://practiceguides.chambers.com/practice-guides/banking-regulation-2025/luxembourg/trends-and-developments
- https://www.nautadutilh.com/en/insights/cssf-aligns-outsourcing-rules-with-dora-framework/
- https://insightplus.bakermckenzie.com/bm/banking-finance_1/luxembourg-cssf-aligns-with-dora-key-updates-on-ict-and-outsourcing-regulations
- https://www.arendt.com/news-insights/news/entry-into-application-of-dora-today/
- https://www.klgates.com/Digital-Operational-Resilience-in-the-Financial-Services-Sector-EU-and-UK-Update-7-31-2024
- https://www.cssf.lu/en/2024/12/dora-regulation-reminders-and-advice-on-preparedness/
- https://www.cssf.lu/en/2025/04/updates-of-several-cssf-circulars-related-to-ict-risk-management-and-use-of-ict-third-parties-ict-outsourcing/
- https://www.mondaq.com/financial-services/1572410/entry-into-force-of-dora-on-january-17-2025-the-cssf-will-be-at-the-heart-of-the-compliance-framework-in-luxembourg
- https://www.cssf.lu/wp-content/uploads/cssf22_806eng.pdf
- https://www.deloitte.com/lu/en/Industries/financial-services/perspectives/cssf-releases-outsourcing-circular.html