Article I.4.2.1

Section 4.2.1 Sound governance arrangements and third-party risk

CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806

30. As part of the overall internal control framework, including internal control mechanisms, In-Scope Entities shall have a holistic entity-wide risk management framework extending across all business lines and internal units. Under that framework, In-Scope Entities shall identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework shall also enable In-Scope Entities to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks.

31. In-Scope Entities, taking into account the principle of proportionality, shall identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, shall be assessed in line with points 66 to 70.

32. In-Scope Entities shall ensure that they comply with all requirements under GDPR, including for their third-party and outsourcing arrangements.