
Cloud CSPM: the answer to CSSF Circular 22/806 on outsourcing

To remain compliant with CSSF in 2026, moving to the cloud is not enough. A CSPM continuously proves correct configuration, monitoring, and auditability as required.


What the law requires

CSSF Circular 22/806 (updated on 9 April 2025) governs outsourcing with a cloud‑specific chapter. It notably requires:

The 22/806 circular is aligned with the DORA regulation in force since 17 January 2025 for financial entities to avoid duplication (preamble; DORA, Regulation (EU) 2022/2554). ([cssf.lu](https://www.cssf.lu/wp-content/uploads/cssf22_806eng.pdf))

The technical solution (state of the art)

Cloud Security Posture Management (CSPM) is a cloud‑native security component that:

  • maps all cloud accounts/projects (AWS, Azure, GCP, SaaS) via read‑only APIs, agentless;
  • continuously assesses service configurations (networks, IAM, storage, encryption, logging, keys, images) against reference policies (CIS Benchmarks, ISO 27001 Annex A, BSI C5, CSSF requirements);
  • detects drifts and errors (e.g., public buckets, inactive KMS keys, open ports, disabled logs), then prioritizes by criticality;
  • documents data location, access paths, dependencies, and the subcontracting chain;
  • produces audit and compliance evidence (exportable reports, exception traceability with expiration dates);
  • orchestrates guided or automated remediations (policy‑as‑code, GitOps) with guardrails and approvals.

Why is this relevant for 22/806? Because the requirements for “proper selection and configuration” of controls, continuous monitoring, technical indicators, third‑party report review, and auditability are translated into concrete controls in the tool and its reports. CSPM reports also support the reasoned use of third‑party reports (e.g., BSI C5 attestations) without relying on them exclusively, as required by the CSSF. ([cssf.lu](https://www.cssf.lu/wp-content/uploads/cssf22_806eng.pdf))

Reference good practices:

  • ISO/IEC 27001:2022 Annex A — control 5.23 (Use of cloud services), 8.9 (Configuration management), 8.16 (Monitoring activities);
  • NIST CSF 2.0 — ID/PR/DE for continuous identification, protection, and detection;
  • CIS Controls — C4 “Secure Configuration,” C8 “Audit Log Management,” C15 “Service Provider Management”;
  • ENISA Threat Landscape 2023 — cloud misconfiguration is among the attack vectors exploited by threat actors, making continuous posture and remediation essential (ETL 2023; press release). ([enisa.europa.eu](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023?utm_source=openai))

How Luxgap delivers this

Our approach is pragmatic and CSSF‑aligned:

  • Regulatory framing and architecture: mapping critical/important functions, cloud risk analysis (points 66‑70 and 142 b) of 22/806), and defining CSPM policies translating CSSF/DORA/ISO requirements. ([cssf.lu](https://www.cssf.lu/wp-content/uploads/cssf22_806eng.pdf))
  • Agentless CSPM implementation: read‑only multi‑cloud API integration, activation of key controls (at‑rest/in‑transit encryption, access logs, configuration backups, criticality tags), setup of operational indicators required by the CSSF (points 1980‑1986). ([cssf.lu](https://www.cssf.lu/wp-content/uploads/cssf22_806eng.pdf))
  • 24/7 monitoring (our managed SOC): connecting CSPM alerts to the SIEM, prioritization based on exposure (internet‑facing, sensitive data, identity), drift scenarios and guided remediation. See also our managed SOC for detection and response.
  • Governance and audit (our ISO 27001 governance): review cycles, audit evidence, preparation for CSSF and security audits, and proportionate use of third‑party reports (C5/ISAE) without exclusive reliance (points 94‑97). ([cssf.lu](https://www.cssf.lu/wp-content/uploads/cssf22_806eng.pdf))
  • Compliance support (our outsourced CISOs/DPOs): contract review (audit rights, location, subcontracting chain), CSSF notifications if “critical/important,” GDPR alignment where personal data are in the cloud (roles, Article 28; CNPD guidance on subcontracting). Benefit from an outsourced CISO for cyber steering.

Real‑world case in Luxembourg or the EU

A regulated payment firm in Luxembourg aimed to migrate its analytics data lake to a hyperscaler. As the function was “important,” a prior notification was planned. In six weeks:

  • definition of CSPM policies aligned with 22/806 (VPC/VNET isolation, managed KMS, immutable logs, controlled CI/CD);
  • data inventory and location by region, with CSPM dashboards answering “where is my data?”;
  • configuration hardening per CIS Benchmarks, with a 72% reduction of initial critical drifts over three sprints;
  • monthly CSPM reports provided to management and internal audit, complemented by reviewing the provider’s C5 attestations.

Result: a documented outsourcing file (risks, controls, indicators, audit rights), real‑time alerts on any drift, and exportable evidence for the CSSF. Teams retained control over exceptions (waivers) with expiry dates and owners, in line with proportionality.

First concrete steps

  1. Appoint a “cloud officer.” Formalize the role (service steering, skills) as per 22/806 point 140. ([cssf.lu](https://www.cssf.lu/wp-content/uploads/cssf22_806eng.pdf))
  2. Inventory all your cloud accounts/projects. Connect a read‑only CSPM to establish a baseline (mapping and initial gaps).
  3. Translate 22/806 into technical policies. Derive CSPM rules for encryption, logs, admin access, network, data location, subcontracting, and operational indicators.
  4. Set up monthly reports and alerts. Share with management and internal audit; prepare evidence for CSSF audits and reasoned use of third‑party reports (C5/ISAE). ([cssf.lu](https://www.cssf.lu/wp-content/uploads/cssf22_806eng.pdf))
  5. Prepare CSSF notification if “critical/important.” Use risk, materiality, and exposure to decide, and incorporate DORA requirements (Regulation (EU) 2022/2554) where applicable. ([eur-lex.europa.eu](https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1726064286374&uri=CELEX%3A32022R2554&utm_source=openai))
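The CSPM capabilities listed above (drift detection against reference policies, prioritization by exposure, time‑boxed exceptions with owners, audit‑ready reports) and steps 2 to 4 of this plan come down to one mechanism: policy‑as‑code evaluated against a resource inventory. The following Python script is an added illustration, not Luxgap’s tooling or any vendor’s CSPM engine. The inventory, the waivers, the rule identifiers (`STORAGE-PUBLIC`, `DATA-LOCATION`, …), the severity scale and the allowed‑region set are all constructed assumptions; the control references point to the CIS Controls and ISO 27001 Annex A items named earlier in the article.

```python
"""Policy-as-code drift checker (added example; all identifiers and data are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Callable

# Assumption: an EU-only data-location policy for a Luxembourg-regulated entity.
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}
ADMIN_PORTS = {22, 3389}  # management ports that must never be exposed to 0.0.0.0/0


@dataclass(frozen=True)
class Rule:
    rule_id: str
    resource_type: str
    severity: int                   # 1 = critical ... 4 = low (constructed scale)
    control: str                    # reference control the rule implements
    check: Callable[[dict], bool]   # returns True when the resource is compliant


@dataclass(frozen=True)
class Waiver:
    """An approved exception: only suppresses a finding until it expires."""
    rule_id: str
    resource_id: str
    owner: str
    expires: date


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource_id: str
    severity: int
    control: str
    internet_facing: bool
    waived: bool


def _no_open_admin_ingress(sg: dict) -> bool:
    return not any(r["cidr"] == "0.0.0.0/0" and r["port"] in ADMIN_PORTS
                   for r in sg.get("ingress", []))


# Hypothetical rule set derived from the article's policy areas (storage, encryption,
# data location, keys, logging, network).
RULES = [
    Rule("STORAGE-PUBLIC", "storage_bucket", 1, "CIS C4 Secure Configuration",
         lambda r: not r.get("public_access", False)),
    Rule("STORAGE-ENCRYPTED", "storage_bucket", 2, "key control: at-rest encryption",
         lambda r: r.get("encrypted_at_rest", False)),
    Rule("DATA-LOCATION", "storage_bucket", 2, "ISO 27001 A.5.23 Use of cloud services",
         lambda r: r.get("region") in ALLOWED_REGIONS),
    Rule("KMS-KEY-ROTATION", "kms_key", 3, "key control: managed KMS",
         lambda r: r.get("enabled", False) and r.get("rotation_enabled", False)),
    Rule("AUDIT-LOGS-ENABLED", "audit_trail", 1, "CIS C8 Audit Log Management",
         lambda r: r.get("enabled", False)),
    Rule("NET-OPEN-ADMIN", "security_group", 1, "CIS C4 Secure Configuration",
         _no_open_admin_ingress),
]


def evaluate(inventory, rules=RULES, waivers=(), as_of=None):
    """Run every applicable rule over the inventory; waived findings are kept but sorted last."""
    as_of = as_of or date.today()
    active = {(w.rule_id, w.resource_id) for w in waivers if w.expires >= as_of}
    findings = []
    for res in inventory:
        for rule in rules:
            if rule.resource_type != res["type"] or rule.check(res):
                continue
            findings.append(Finding(rule.rule_id, res["id"], rule.severity, rule.control,
                                    res.get("internet_facing", False),
                                    (rule.rule_id, res["id"]) in active))
    # Prioritize: open before waived, then severity, then internet-facing exposure first.
    findings.sort(key=lambda f: (f.waived, f.severity, not f.internet_facing, f.resource_id))
    return findings


def summarize(findings):
    """Figures for the monthly report: open findings per severity plus the waiver count."""
    report = {"open_by_severity": {}, "waived": 0}
    for f in findings:
        if f.waived:
            report["waived"] += 1
        else:
            report["open_by_severity"][f.severity] = report["open_by_severity"].get(f.severity, 0) + 1
    return report


# Constructed inventory snapshot, as a read-only API export would produce it.
SAMPLE_INVENTORY = [
    {"type": "storage_bucket", "id": "analytics-raw", "public_access": True,
     "encrypted_at_rest": True, "region": "eu-west-1", "internet_facing": True},
    {"type": "storage_bucket", "id": "analytics-curated", "public_access": False,
     "encrypted_at_rest": False, "region": "us-east-1", "internet_facing": False},
    {"type": "kms_key", "id": "kms-analytics", "enabled": True, "rotation_enabled": False},
    {"type": "audit_trail", "id": "org-trail", "enabled": False},
    {"type": "security_group", "id": "sg-bastion", "internet_facing": True,
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    {"type": "security_group", "id": "sg-app", "internet_facing": False,
     "ingress": [{"cidr": "10.0.0.0/8", "port": 443}]},
]

# Constructed waivers: one still valid, one expired (and therefore reported again).
SAMPLE_WAIVERS = [
    Waiver("STORAGE-ENCRYPTED", "analytics-curated", "data-platform-team", date(2026, 3, 31)),
    Waiver("DATA-LOCATION", "analytics-curated", "data-platform-team", date(2025, 6, 30)),
]


def run_sample(as_of=date(2026, 1, 15)):
    return evaluate(SAMPLE_INVENTORY, waivers=SAMPLE_WAIVERS, as_of=as_of)


if __name__ == "__main__":
    findings = run_sample()
    for f in findings:
        flag = "WAIVED" if f.waived else f"sev{f.severity}"
        print(f"{flag:7} {f.rule_id:20} {f.resource_id:20} {f.control}")
    print(summarize(findings))
```

Two details matter for an audit file: the expired waiver on `analytics-curated` resurfaces as an open finding rather than silently disappearing, and the report counts only open findings, so a waiver never improves the posture figures without an owner and an expiry date behind it.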

Official sources
