Section 4.3.4 Exit plans
CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806
111. In-Scope Entities shall have a documented exit plan when outsourcing critical or important functions that is in line with their outsourcing policy, exit strategies and business continuity plans, taking into account at least the possibility of:
31 See also Circular CSSF 21/787.
CIRCULAR CSSF 22/806 as amended by Circular CSSF 25/883
a. the termination of outsourcing arrangements;
b. the failure of the service provider;
c. the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function;
d. material risks arising for the appropriate and continuous application of the function.
112. In-Scope Entities shall ensure that they are able to exit outsourcing arrangements without undue disruption to their business activities, without limiting their compliance with regulatory requirements and without any detriment to the continuity and quality of their provision of services to clients. To achieve this, they shall:
a. develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and
b. identify alternative solutions and develop transition plans to enable In-Scope Entities to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the In-Scope Entity or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase.
113. When developing exit plans, In-Scope Entities shall:
a. define the objectives of the exit plan;
b. perform a business impact analysis that is commensurate with the risk of the outsourced processes, services or activities, with the aim of identifying what human and financial resources would be required to implement the exit plan and how much time it would take;
c. assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities;
d. define success criteria for the transition of outsourced functions and data; and
e. define the indicators to be used for the monitoring of the outsourcing arrangement (as outlined under points 104 to 110) including indicators based on unacceptable service levels that shall trigger the exit.
Part II – Requirements in the context of ICT outsourcing arrangements
114. The purpose of this Part is to define specific requirements applicable in the context of ICT outsourcing (cloud and non-cloud), and that shall be complied with in addition to the general requirements laid out in Part I of this circular. The following provisions contribute to the sound and prudent management, the proper organisation of the In-Scope Entities and the preservation of information security of the In-Scope Entities 32.
115. The requirements set out in the present Part II do not apply to business process outsourcing (i.e. outsourcing arrangements that are not pure ICT outsourcing), even if the outsourcing arrangements themselves rely on ICT outsourcing, i.e. underlying ICT systems form part of this business process outsourcing.
116. When ICT outsourcing, or at least one of the sub-contractors in case of sub-outsourcing, relies on a cloud computing infrastructure as defined in point 1, the In-Scope Entities shall comply with the requirements of points 114 to 119, as relevant, and Chapter 2 of Part II only. In case of ICT outsourcing arrangements other than those relying on cloud computing infrastructure as defined in point 1, In-Scope Entities shall comply with the requirements of points 114 to 119, as relevant, and Chapter 1 of Part II only.
117. In case of ICT sub-outsourcing, the requirements of this Part (as applicable in line with point 116) shall apply to the whole outsourcing chain.
118. In accordance with the principle of proportionality, an In-Scope Entity may, if evidenced by comprehensive and robust conclusions from the assessment of the criticality of functions and the risk analysis, justify not applying the requirements set out in the following points when the ICT outsourcing is not critical or important and is unlikely to become critical or important:
a. point 103: continuity in case of resolution or reorganisation or another procedure; and
b. point 112(b): transfer of services where the continuity of the provision of services is threatened.
119. In-Scope Entities are reminded that for all ICT outsourcing arrangements, they shall:
32 As required, inter alia, under Article 5(1a) LFS, Article 17 LFS and Article 11(2) LPS, point 135 of Circular CSSF 18/698, Article 5(2) of CSSF Regulation N° 10-4 and Article 57(2) of Delegated Regulation (EU) 231/2013.
a. ensure that access to data and systems fulfils the principles of “need to know” and “least privilege”, i.e. access is only granted to persons whose functions so require, with a specific purpose, and their privileges shall be limited to the strict minimum necessary to exercise their functions; and
b. ensure that access to data subject to professional secrecy is granted in compliance with Article 41(2a) LFS or Article 30(2a) LPS where applicable.
Chapter 1. ICT outsourcing arrangements other than those relying on a cloud computing infrastructure
120. The requirements of points 59 and 60 apply to ICT outsourcing arrangements concerned by the present chapter.
Sub-chapter 1.1 Requirements applicable to In-Scope Entities other than Support PFS authorised under Articles 29-3, 29-5 and 29-6 LFS and their branches abroad
121. Without prejudice to point 119 above, In-Scope Entities may outsource their ICT system management/operation services:
a. in Luxembourg 33, solely to a credit institution or a financial professional holding a support PFS authorisation in accordance with Article 29-3 LFS (IT systems and communication networks operators of the financial sector “OSIRC”); the unique exception allowed under Article 1-1 (2) c) LFS is the recourse to an entity of the group to which the In-Scope Entity belongs and which exclusively deals with group transactions;
b. abroad, to any ICT service provider, including an entity of the group to which the In-Scope Entity belongs.
122. In-Scope Entities may outsource ICT services other than ICT system management/operation services to any ICT service provider, including a group entity providing ICT services or a support PFS. Such outsourcing arrangements must be set up in compliance with the requirements of point 119 above. In particular, if the service provider is not allowed to access data subject to professional secrecy in compliance with Article 41(2a) LFS or Article 30(2a) LPS where applicable, the service provider may have access to this data only if it is overseen, throughout its mission, by a person of the In-Scope Entity in charge of ICT.
33 As per the LFS, the operation of ICT systems for credit institutions, professionals of the financial sector, payment institutions, e-money institutions, UCIs, pension funds, insurance undertakings or reinsurance undertakings established under Luxembourg law or foreign law is a regulated activity requiring an authorisation to be exercised in Luxembourg.
Sub-chapter 1.2 Requirements applicable to Support PFS authorised under Articles 29-3, 29-5 and 29-6 LFS and their branches abroad
123. For the exclusive purpose of this sub-chapter, the following definitions apply:
a. Support PFS: an In-Scope Entity, including its branches, that is authorised to perform OSIRC 34 activities in accordance with Article 29-3 or PSDC 35 activities in accordance with Articles 29-5 or 29-6 LFS;
b. Own ICT systems 36 37: systems supporting the support PFS' organisation and administration; they are not proposed as a service to third parties and not used by the services proposed to third parties;
c. Client ICT systems: systems that fulfil the two following cumulative conditions:
i. they partially or exclusively support the activities carried out for regulated financial sector clients of the support PFS, irrespective of whether they belong to the client or to the support PFS or where they are located; and
ii. the support PFS is responsible to its client for their proper functioning.
124. Without prejudice to point 119 above, support PFS and their branches authorised as OSIRC in accordance with Article 29-3 LFS may partially outsource their ICT operator services, i.e. some management/operation services of client ICT systems 38 provided that the conditions of points 126 and 127 are fulfilled.
125. Without prejudice to point 119 above, support PFS and their branches authorised as PSDC in accordance with Articles 29-5 or 29-6 LFS may partially outsource the management/operation of the ICT systems supporting partially or exclusively the dematerialisation or conservation services they provide to regulated financial sector clients provided that the conditions of points 126 and 127 are fulfilled.
126. The service provider for the outsourcing arrangements referred to in points 124 and 125 above shall be:
34 IT systems and communication networks operators of the financial sector (“OSIRC”).
35 Dematerialisation and/or conservation service providers of the financial sector (“PSDC”).
36 The term "system" here may be limited to software if the service relates solely to software.
37 For example (non-exhaustive list): accounting systems, staff and payment management of the support PFS; management systems for clients' orders, purchase management, client relationship management but also email servers, the internal file servers, internet website of the support PFS (not the one used for services provided to its clients), the personnel's workstations, document storage, VoIP telephony, etc.
38 Such an outsourcing by an OSIRC is actually a sub-outsourcing from the perspective of In-Scope Entities outsourcing to this OSIRC.
a. in Luxembourg 39, solely a credit institution or an entity that is authorised as support PFS in accordance with Article 29-3 LFS;
b. abroad, any ICT service provider, including an entity of the group to which the support PFS belongs.
127. The outsourcing arrangements referred to in points 124 and 125 above shall be considered as critical or important and are prohibited if they do not comply with the following:
a. The service provision is complementary 40 and does not carve out the support PFS (or its branch as relevant) of its substance in line with point 7;
b. Support PFS and their branches have obtained the prior approval of all their concerned regulated financial sector clients;
c. If the service provider may have access to data subject to professional secrecy according to Article 41 LFS or Article 30 LPS where applicable, the support PFS and their branches have clearly informed and obtained the prior consent of their regulated financial sector clients;
d. Each year, the support PFS and their branches must provide the competent authority with their detailed oversight plan and exit plan ensuring compliance with sections 4.3.3 and 4.3.4 of this circular;
e. Support PFS and their branches have obtained the prior approval of the competent authority for such outsourcing using the instructions and, where available, the forms on the CSSF website.
128. Without prejudice to points 59, 60 and 119 above, support PFS and their branches may outsource the management/operation services of their own ICT systems:
a. in Luxembourg, solely to a credit institution or an entity that is authorised as support PFS in accordance with Article 29-3 LFS;
b. abroad, to any ICT service provider, including an entity of the group to which the support PFS belongs.
129. The provision of ICT operation services on client ICT systems or on systems supporting PSDC activities, by branches of support PFS to their registered office, is prohibited if it does not comply with the relevant requirements listed in point 127.
39 As per the LFS, the operation of ICT systems for credit institutions, professionals of the financial sector, payment institutions, e-money institutions, UCIs, pension funds, insurance undertakings or reinsurance undertakings established under Luxembourg law or foreign law is a regulated activity requiring an authorisation to be exercised in Luxembourg.
40 An example of complementarity is the operation of a software by an OSIRC (or its branch as relevant) and the cascading operation of the underlying infrastructure by a service provider.
130. Support PFS and their branches acting as OSIRC may, for their services as ICT operators, rely on infrastructures belonging to their group, subject to the condition that the services provided by the group or their sub-contractors, if any, are limited to those requiring a physical presence on these infrastructures. The management of systems containing data and processing to be carried out by the support PFS shall be excluded from such outsourcing. Infrastructure shall mean the IT resources that are necessary to host the systems and data under the management of the OSIRC. In this case, the support PFS shall, in particular, ensure they have permanent control over the actions taken by the group for their account. Where this outsourcing involves the presence on the infrastructure of data subject to the professional secrecy according to Article 41 LFS or Article 30 LPS, where applicable, the support PFS shall obtain the approval of the regulated financial sector clients before outsourcing.
131. Branches of support PFS may propose services relying on an infrastructure established in the country in which they are established (“host country”) to their regulated financial clients in the host country. This infrastructure may be outsourced to a local service provider, subject to the condition that the services provided by this service provider and its sub-contractors, if any, are limited to those requiring a physical presence on these infrastructures and excluding any management of systems containing data and processing to be carried out by the support PFS or its branch. The branch shall apply the principles laid down in this circular, and the registered office in Luxembourg shall keep the appropriate oversight of the services provided by its branch. The branches shall obtain approval for this local outsourcing from their regulated financial sector clients concerned.
132. Support PFS may outsource any ICT services other than those covered by points 124 to 131 above to any ICT service provider, including a group entity providing ICT services or a support PFS. Such outsourcing arrangements must be set up in compliance with the requirements of point 119 above. In particular, if the service provider is not allowed to access data subject to professional secrecy in compliance with Article 41 LFS or Article 30 LPS where applicable, the service provider may have access to this data only if it is overseen, throughout its mission, by a person of the Support PFS in charge of ICT.
Chapter 2. ICT outsourcing arrangements relying on a cloud computing infrastructure
133. This chapter provides additional specific requirements to comply with in case of ICT outsourcing relying on a cloud computing infrastructure (hereafter also “cloud computing solution”). The use of a private cloud without outsourcing is thus excluded from the scope of this chapter.
Sub-chapter 2.1 Definitions and application
Section 2.1.1 Specific terminology
134. For the purposes of this chapter and in addition to definitions provided in point 1, the following definitions shall apply:
1) Client interface: the software layer made available by the cloud computing service provider to the In-Scope Entity allowing the latter to manage its cloud computing resources.
2) Cloud computing resource: any computing capabilities (e.g. server, storage, network, etc.) provided by a cloud computing service provider.
3) Cloud computing service provider: any firm proposing cloud services within the meaning of the definition of this Chapter 2.
4) In-Scope Entity: an In-Scope Entity as defined in point 2 that consumes cloud computing resources for the purpose of carrying out its activities.
5) Multi-tenant: a physical or logical infrastructure serving several (In-Scope) Entities through shared cloud computing resources and by means of a standardised model.
6) Resource operation: managing cloud computing resources made available through the client interface. By extension, “resource operator” shall mean the natural or legal person that uses the client interface to manage the cloud computing resources.
Section 2.1.2 Definition of “cloud computing”
135. Cloud computing is a model composed of the following five essential characteristics 41:
a. On-demand self-service: An In-Scope Entity 42 can unilaterally provide computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with the cloud computing service provider.
b. Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin (e.g. browsers) or thick client (e.g. specific applications) platforms (e.g. mobile phones, tablets, laptops and workstations).
c. Resource pooling: The cloud computing service provider’s computing resources are pooled to serve multiple (In-Scope) Entities using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to In-Scope Entity demand. There is a sense of location independence in that the In-Scope Entity generally has no control or knowledge over the exact location of the provided resources, but may be able to specify the location at a higher level of abstraction (e.g. country, region or data centre). Examples of resources include storage, processing, memory and network bandwidth.
d. Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the In-Scope Entity, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
e. Measured service: Cloud systems automatically control and optimise resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth and active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for both the provider and the In-Scope Entity of the utilised service.
41 The CSSF relies on the definitions proposed by international organisations such as the National Institute of Standards and Technology (NIST) or the European Union Agency for Network and Information Security (ENISA).
42 For the sake of clarity, the definition considers the case where the In-Scope Entity itself is the operator of the resources used.
Section 2.1.3 Conditions of application of Chapter 2
136. An outsourcing is considered as “outsourcing to a cloud computing infrastructure” within the meaning of this circular and governed by the requirements of this Chapter 2 if the five essential characteristics defined in point 135 and both of the following specific requirements are fulfilled:
a. Under no circumstances may staff employed by the cloud computing service provider access data and systems that an In-Scope Entity owns on a cloud computing infrastructure without the prior and explicit agreement of the In-Scope Entity and without a monitoring mechanism available to the In-Scope Entity to control the accesses. These accesses must remain exceptional. Nevertheless, access may be necessary under a legal requirement or in an extreme emergency following a critical incident affecting part of or all the (In-Scope) Entities of the cloud computing service provider 43. All accesses of the cloud computing service provider must be restricted and subject to preventive and detective measures in line with sound security practices and audited at least annually.
b. The cloud service provision does not entail any manual interaction by the cloud computing service provider as regards the day-to-day management of the cloud computing resources used by the In-Scope Entity 44 (e.g. provisioning, configuration or release of cloud computing resources). Thus, the resource operator alone (i.e. either the In-Scope Entity or a third party other than the cloud computing service provider) shall manage its ICT environment hosted on the cloud computing infrastructure. However, the cloud computing service provider may intervene manually:
i. for global management of ICT systems supporting the cloud computing infrastructure (e.g. maintenance of physical equipment, deployment of new solutions not specific to the In-Scope Entity); or
ii. within the context of a specific request by the In-Scope Entity (e.g. provisioning of a cloud computing resource that is missing in the catalogue proposed by the cloud computing service provider or performing insufficiently).
43 In cases of extreme emergency, the In-Scope Entity should be informed a posteriori.
44 Indeed, it is an automated system that allows provisioning resources, hence point (a) specifying that staff may not have access by default to In-Scope Entity resources.
Sub-chapter 2.2 Requirements to be observed with respect to outsourcing to a cloud computing infrastructure
137. In accordance with the principle of proportionality, the In-Scope Entity may, if evidenced by comprehensive and robust conclusions from the assessment of the criticality and importance of functions and the risk analysis, justify not applying the requirements set out in the following points of this circular when the activities outsourced to a cloud computing infrastructure are not related to a critical or important function and are unlikely to become critical or important:
a. point 142 c.: notification by the cloud computing service provider in case of change of functionalities;
b. point 142 d.: notification by the resource operator in case of change of functionalities.
138. The In-Scope Entity may outsource the “resource operation” as defined in point 134 to a third party when this third party falls under one of the following two circumstances:
a. The third party is authorised as OSIRC under Article 29-3 LFS. The support PFS shall also comply with the requirements of this chapter where the operation of resources is carried out for an entity which is not a regulated financial sector client.
b. The third party is not authorised as OSIRC under Article 29-3 LFS, either because it is located abroad, or because it is a Luxembourg-based entity of the group to which the In-Scope Entity belongs which provides operating services exclusively within the group as stated under Article 1-1(2)c LFS. In such a case, in addition to complying with the requirements set out in this circular, the In-Scope Entity shall perform a prior thorough risk analysis of the activities of the resource operator, notably by verifying that the following points have been correctly addressed:
i. the roles and responsibilities defined between the resource operator and the cloud computing service provider;
ii. the management of the isolation of multi-tenant environments;
iii. the indicators collected by the resource operator to monitor the systems and data on the cloud computing infrastructure;
iv. the technical and organisational security measures implemented to access the client interfaces in order to manage the cloud computing resources, including the management of client interface access;