Article I.1

Chapter 1. Definitions, abbreviations and acronyms

CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806

1. Unless otherwise specified, terms used and defined in the LFS, the LPS and Regulation (EU) No 575/2013 shall have the same meaning in this circular. In addition, for the purposes of this circular, the following definitions apply:

1) Cloud services: services provided using cloud computing, that is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Services are considered as cloud computing services within the meaning of this circular if the conditions defined in points 135 and 136 are fulfilled.

a. Community cloud: cloud infrastructure available for the exclusive use by a specific community of In-Scope Entities, including several In-Scope Entities of a single group.

b. Hybrid cloud: cloud infrastructure that is composed of two or more distinct cloud infrastructures.

c. Public cloud: cloud infrastructure available for open use by the general public.

d. Private cloud: cloud infrastructure available for the exclusive use by a single In-Scope Entity.

2) Competent authority: the CSSF or the ECB as competent authority for the supervision of entities in accordance with point 2 of this circular.

CIRCULAR CSSF 22/806 as amended by Circular CSSF 25/883

3) Core business activities: the activities of the In-Scope Entities which are subject to an authorisation or a registration by a competent authority.

4) Critical or important function [4]: any function that is considered critical or important as set out in points 18 to 20.

5) Function: any processes, services or activities.

6) ICT outsourcing: an arrangement of any form between the In-Scope Entity and a service provider by which that service provider performs an ICT process, an ICT service or an ICT activity that would otherwise be undertaken by the In-Scope Entity itself. The services are pure ICT services in nature.

7) In-Scope Entity: all supervised entities in accordance with point 2 of this circular.

8) Internal control functions: the risk control function, the compliance function and the internal audit function.

9) Intragroup outsourcing [5]: an outsourcing by an In-Scope Entity to a service provider who belongs to the same group.

For In-Scope Entities that are subject to supervision on a consolidated basis in accordance with their sectoral laws and regulations or that belong to a group that is subject to such consolidated supervision it is important to note that the scope of application of the provisions on intragroup outsourcing extends beyond the sole scope of such consolidated supervision.

[4] In the context of outsourcing arrangements, the meaning of ‘critical or important function’ is to be read according to MiFID Law and Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II. In that regard, outsourcing arrangements comprise those that relate to ‘critical functions’ for the purpose of the recovery and resolution framework as defined under Article 1(64) of the BRRD Law.

[5] For credit institutions that belong to a network of a central body or are part of an institutional protection scheme (IPS) subject to the conditions laid down in Article 113(7) CRR, an outsourcing to a member of the network or of the IPS shall be considered as an intragroup outsourcing for the purpose of this circular.

10) Key function holders: persons who have significant influence over the direction of the In-Scope Entity but who are neither members of the management body and are not the Chief Executive Officer (CEO).

In line with the specific provisions of Circular CSSF 12/552 and Circular CSSF 20/758, they include the heads of internal control functions and may include the Chief Financial Officer (CFO), where they are not members of the management body, and, where identified on a risk-based approach by institutions, other key function holders.

Other key function holders might include heads of significant business lines, European Economic Area/European Free Trade Association branches, third country subsidiaries and other internal functions.

11) Management body: an In-Scope Entity’s body or bodies, which are appointed in accordance with national law, which are empowered to set the In-Scope Entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making and include the persons who effectively direct the business of the In-Scope Entity and the directors and persons responsible for the management of the In-Scope Entity.

In accordance with relevant circulars CSSF as applicable, the term management body encompasses the notions of authorised management, board of directors/or board of managers and/or supervisory board and executive board.

12) Member State: Member State of the European Union. This term includes EEA countries other than EU countries as a matter of principle.

13) a. Outsourcing: an arrangement of any form between an In-Scope Entity and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the In-Scope Entity itself.

b. Sub-outsourcing: a situation where the service provider under an outsourcing arrangement further transfers an outsourced function to another service provider (the “sub-contractor”).

There may be multiple sub-outsourcing arrangements within a same outsourcing arrangement. Sub-outsourcing may also be referred to as a ‘chain of outsourcing’, or ‘chain-outsourcing’.

14) Service provider: a third-party entity that is undertaking an outsourced process, service or activity, or parts thereof, under an outsourcing arrangement.

In this context, a group entity shall be considered as a third-party entity.

15) Third country: a State other than a Member State of the European Economic Area.

Abbreviations and acronyms:

16) AML/CFT Law: Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended

17) BRRD Law: Law of 18 December 2015 on the resolution, reorganisation and winding up measures of credit institutions and certain investment firms and on deposit guarantee and investor compensation schemes, as amended

18) BRRD institution: a credit institution or a BRRD investment firm according to Article 59-15, point 13 LFS

19) CRR: Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms

20) DORA: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU)

21) EBA: the European Banking Authority

22) ECB: European Central Bank

23) EEA: European Economic Area

24) ESMA: the European Securities and Markets Authority

25) GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

26) ICT: Information and Communication Technology

27) LFS: Law of 5 April 1993 on the financial sector, as amended

28) LPS: Law of 10 November 2009 on payment services, as amended

29) MiFID II: Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU

30) MiFID Law: Law of 30 May 2018 on markets in financial instruments, as amended

31) UCITS Law: Law of 17 December 2010 relating to undertakings for collective investment, as amended