
CSSF 22/806, outsourcing and cloud for Luxembourg financial entities.

The CSSF Circular 22/806 (amended by CSSF 25/883) consolidates the requirements for outsourcing by Luxembourg supervised entities into a single framework: governance, contracts, monitoring of sub-providers, exit plans, and cloud-specific requirements. Since 17 January 2025, it applies alongside the DORA Regulation (EU 2022/2554).


Who is concerned?

All CSSF-supervised entities that outsource a function or service: credit institutions, investment firms, payment and electronic money institutions (LSF and LSP), management companies under article 125-1 of the UCITS law, and support PFS (financial-sector ICT providers under articles 29-3, 29-5 and 29-6 of the LSF).

The circular goes beyond the EBA scope: the CSSF chose to extend the convergence exercise to all Luxembourg financial entities in order to align national practice.

Key obligations

  • Map all outsourcing arrangements, identify those covering critical or important functions.
  • Outsourcing policy approved by the management body, reviewed at least annually, covering provider selection, risk management, monitoring and exit.
  • Contractual phase with minimum clauses: SLAs, audits, sub-outsourcing chain, confidentiality, data return, applicable law, jurisdiction.
  • Continuous monitoring of the provider: performance indicators, incidents, access control, regulatory compliance, certifications.
  • Exit plans tested and documented for every critical outsourced function, with scenarios for in-housing and switching to another provider.
  • Specific cloud requirements: data location, encryption, audit rights, multi-tenant constraints, CSSF notification before deploying a new cloud solution on a critical function.
  • CSSF notification mandatory for any material outsourcing or cloud on a critical function, before go-live.

Deadlines

The 22/806 circular has been in force since 30 June 2022 (initial date of application) and was amended by CSSF 25/883 to align with DORA. Since 17 January 2025, in-scope financial entities apply DORA as primary regulation; CSSF 22/806 remains applicable as a complement for national specifics (notification, support PFS, Luxembourg intragroup arrangements).

Sanctions for non-compliance

The CSSF wields the full toolkit of Luxembourg financial law: compliance orders, administrative sanctions, restrictions or suspension of authorisation, pecuniary sanctions, up to withdrawal of authorisation for serious breaches. Sanctions are aligned with the law of 5 April 1993 on the financial sector.

Beyond formal sanctions, a 22/806 breach identified during a CSSF inspection can block a project (cloud deployment refused, outsourcing frozen) or compromise a prior authorisation (new service, new activity, M&A).

How Luxgap helps

We support CSSF entities, PFS and funds on the full outsourcing lifecycle:

  • Audit of your current setup: mapping, gap analysis versus 22/806 and DORA.
  • Drafting of the outsourcing policy, standard contract clauses, testable exit-plan templates.
  • Setting up the outsourcing register (criticality, certifications, exit horizon).
  • Preparing CSSF notifications for critical functions and cloud, managing the dialogue with your CSSF relationship manager.
  • Annual testing of exit plans under real conditions, documented and enforceable.
  • Articulation with DORA: ICT provider register, ICT incident management, digital operational resilience testing (TLPT).

Let's secure your outsourcing setup.

Configure a quote for a CSSF 22/806 audit, for drafting your outsourcing policy, or for a full support package including DORA. We reply within one business day.
