Section 2.1.1 Specific terminology
CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806
134. For the purposes of this chapter and in addition to definitions provided in point 1, the following definitions shall apply:
1) Client interface: the software layer made available by the cloud computing service provider to the In-Scope Entity allowing the latter to manage its cloud computing resources.
2) Cloud computing resource: any computing capabilities (e.g. server, storage, network, etc.) provided by a cloud computing service provider.
3) Cloud computing service provider: any firm proposing cloud services within the meaning of the definition of this Chapter 2.
4) In-Scope Entity: an In-Scope Entity as defined in point 2 that is consuming cloud computing resources for the purpose of carrying out its activities.
5) Multi-tenant: a physical or logical infrastructure serving several (In-Scope) Entities through shared cloud computing resources and by means of a standardised model.
6) Resource operation: managing cloud computing resources made available through the client interface. By extension, “resource operator” shall mean the natural or legal person that uses the client interface to manage the cloud computing resources.
CIRCULAR CSSF 22/806 as amended by Circular CSSF 25/883
Section 2.1.2 Definition of “cloud computing”
135. Cloud computing is a model composed of the following five essential characteristics 41:
a. On-demand self-service: An In-Scope Entity 42 can unilaterally provide computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with the cloud computing service provider.
b. Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin (e.g. browsers) or thick client (e.g. specific applications) platforms (e.g. mobile phones, tablets, laptops and workstations).
c. Resource pooling: The cloud computing service provider’s computing resources are pooled to serve multiple (In-Scope) Entities using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to In-Scope Entity demand. There is a sense of location independence in that the In-Scope Entity generally has no control or knowledge over the exact location of the provided resources, but may be able to specify the location at a higher level of abstraction (e.g. country, region or data centre). Examples of resources include storage, processing, memory and network bandwidth.
d. Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the In-Scope Entity, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
e. Measured service: Cloud systems automatically control and optimise resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth and active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for both the provider and the In-Scope Entity of the utilised service.
41 The CSSF relies on the definitions proposed by international organisations such as the National Institute of Standards and Technology (NIST) or the European Union Agency for Network and Information Security (ENISA).
42 For the sake of clarity, the definition considers the case where the In-Scope Entity itself is the operator of the resources used.
Section 2.1.3 Conditions of application of Chapter 2
136. An outsourcing is considered as “outsourcing to a cloud computing infrastructure” within the meaning of this circular and governed by the requirements of this Chapter 2 if the five essential characteristics defined in point 135 and both of the following specific requirements are fulfilled:
a. Under no circumstances may staff employed by the cloud computing service provider access data and systems that an In-Scope Entity owns on a cloud computing infrastructure without prior and explicit agreement of the In-Scope Entity and without a monitoring mechanism available to the In-Scope Entity to control the accesses. These accesses must remain exceptional. Nevertheless, access may be necessary under a legal requirement or in an extreme emergency following a critical incident affecting part of or all the (In-Scope) Entities of the cloud computing service provider 43. All accesses of the cloud computing service provider must be restricted and subject to preventive and detective measures in line with sound security practices and audited at least annually.
b. The cloud service provision does not entail any manual interaction by the cloud computing service provider as regards the day-to-day management of the cloud computing resources used by the In-Scope Entity 44 (e.g. provisioning, configuration or release of cloud computing resources). Thus, the resource operator alone (i.e. either the In-Scope Entity or a third party other than the cloud computing service provider) shall manage its ICT environment hosted on the cloud computing infrastructure. However, the cloud computing service provider may intervene manually:
i. for global management of ICT systems supporting the cloud computing infrastructure (e.g. maintenance of physical equipment, deployment of new solutions not specific to the In-Scope Entity); or
ii. within the context of a specific request by the In-Scope Entity (e.g. provisioning of a cloud computing resource that is missing in the catalogue proposed by the cloud computing service provider or performing insufficiently).
43 In cases of extreme emergency, the In-Scope Entity should be informed a posteriori.
44 Indeed, it is an automated system that allows provisioning resources, hence point (a) specifying that staff may not have access by default to In-Scope Entity resources.
Sub-chapter 2.2 Requirements to be observed with respect to outsourcing to a cloud computing infrastructure
137. In accordance with the principle of proportionality, the In-Scope Entity may, if evidenced by comprehensive and robust conclusions from the assessment of the criticality and importance of functions and the risk analysis, justify not to apply the requirements set out in the following points of this circular when the activities outsourced to a cloud computing infrastructure are not related to a critical or important function and are unlikely to become critical or important:
a. point 142 c.: notification by the cloud computing service provider in case of change of functionalities;
b. point 142 d.: notification by the resource operator in case of change of functionalities.
138. The In-Scope Entity may outsource the “resource operation” as defined in point 134 to a third party when this third party falls under one of the following two circumstances:
a. The third party is authorised as OSIRC under Article 29-3 LFS. The support PFS shall also comply with the requirements of this chapter where the operation of resources is carried out for an entity which is not a regulated financial sector client.
b. The third party is not authorised as OSIRC under Article 29-3 LFS, either because it is located abroad, or because it is a Luxembourg-based entity of the group to which the In-Scope Entity belongs which provides operating services exclusively within the group as stated under Article 1-1(2)c LFS. In such a case, in addition to complying with the requirements set out in this circular, the In-Scope Entity shall perform a prior thorough risk analysis of the activities of the resource operator, notably by verifying that the following points have been correctly addressed:
i. the roles and responsibilities defined between the resource operator and the cloud computing service provider;
ii. the management of the isolation of multi-tenant environments;
iii. the indicators collected by the resource operator to monitor the systems and data on the cloud computing infrastructure;
iv. the technical and organisational security measures implemented to access the client interfaces in order to manage the cloud computing resources, including the management of client interface access;
v. the consistency of the operations and security policies defined by the resource operator with the configurations of the cloud computing resources and the planned security measures;
vi. the competences of the operators (e.g. certifications, technical training);
vii. the review of the audit reports of the cloud computing service provider by the resource operator;
viii. the competent authority’s and the In-Scope Entity’s right to audit the resource operator (in line with the requirements under points 88 to 100).
139. It shall be noted that an In-Scope Entity relying on a service provider that cumulates the activities of cloud computing service provider and resource operator is subject to the requirements of this Chapter 2 provided that both activities are properly segregated (i.e. so that staff exercising the cloud computing service provider function cannot access data and the service thereby continues to fulfil the definition of cloud computing within the meaning of this chapter). The same applies where the service provider cumulating both functions is authorised under Article 29-3 LFS. If this segregation requirement cannot be fulfilled, the outsourcing is not considered as an outsourcing to a cloud computing infrastructure within the meaning of this chapter but as a traditional ICT outsourcing; in such a case only the requirements of Chapter 1 of Part II shall apply.
a. The resource operator shall designate among its employees one person, the “cloud officer”, who shall be responsible for the use of cloud services and shall guarantee the competences of the staff managing cloud computing resources (cf. point 142 a.). The resource operator shall assign the function of “cloud officer” to a qualified person who masters the challenges of outsourcing to a cloud computing infrastructure. This function may be taken up by persons that already cumulate other functions within the ICT department.
b. If resource operation is performed by the In-Scope Entity, the “cloud officer” may cumulate the responsibility for the outsourcing relationship management. If the In-Scope Entity relies on a third party for cloud computing resource operation, the In-Scope Entity must know the name of the “cloud officer” of the resource operator.
141. Necessity to inform the competent authority:
a. The notification requirements of points 59 and 60 also apply to cloud computing outsourcing arrangements. In the particular case where an entity authorised under Article 29-3 LFS acts as an intermediary and not as a resource operator between an In-Scope Entity and a cloud computing service provider, the In-Scope Entity shall submit a notification at least three (3) months before the planned outsourcing is effectively implemented for the outsourcing of critical or important functions to the cloud computing service provider.
b. Any entity authorised as OSIRC under Article 29-3 LFS shall request authorisation from the competent authority before marketing in the following cases:
i. the entity intends to act as a resource operator for its regulated financial sector clients;
ii. the entity intends to provide a cloud computing infrastructure to its regulated financial sector clients, acting thus as a cloud computing service provider;
iii. the entity intends to provide a cloud computing solution to its regulated financial sector clients by relying on one or more cloud computing infrastructures. This entity acts then as a sub-outsourcing cloud computing service provider.
c. Without prejudice to point 119, support PFS and their branches authorised as OSIRC under Article 29-3 LFS may partially outsource their resource operator services 45 only under the conditions that compliance with point 126 and the requirements listed under point 127 are fulfilled. For the sake of clarity, a prior approval by the competent authority is therefore required as indicated in point 127 e. Point 129 also applies mutatis mutandis for the provision of resource operator services.
142. Management of outsourcing risks:
a. In line with point 35, the resource operator shall retain the necessary expertise to effectively monitor the outsourced services or functions on a cloud computing infrastructure and manage the risks associated with the outsourcing. Moreover, the resource operator shall ensure that staff in charge of cloud computing resources management, including the “cloud officer”, have sufficient competences to take on their functions based on appropriate training in management and security of cloud computing resources that are specific to the cloud computing service provider;
b. As set out in points 66 to 70, a risk assessment of outsourcing arrangements shall be carried out by the In-Scope Entity. The risks specific to the use of cloud computing technologies shall also be part of this assessment and encompass, e.g.: isolation failure in multi-tenant environments, the various legislations that are applicable (country where data are stored and country where the cloud computing service provider is established), interception of data-in-transit, failure of telecommunications (e.g. Internet connection), the use of the cloud as “shadow IT” 46, the lack of systems portability once they have been deployed on a cloud computing infrastructure or the failure of continuity of cloud computing services;
45 Such an outsourcing by an OSIRC is actually a sub-outsourcing from the perspective of In-Scope Entities outsourcing to this OSIRC.
c. Any change in the application functionality by the cloud computing service provider - other than the changes relating to corrective maintenance - shall be communicated prior to its implementation to the resource operator who shall inform the In-Scope Entity, so that they may take the necessary measures in case of material change or discontinuity;
d. Any change in the application functionality managed by the resource operator - other than the changes relating to corrective maintenance - shall be communicated to the In-Scope Entity, prior to its implementation, so that the latter may take the necessary measures in case of material change or discontinuity;
e. The In-Scope Entity and the resource operator shall have full awareness of the continuity and security elements remaining under their responsibilities when using a cloud computing solution;
f. The In-Scope Entity shall understand and the resource operator shall control the risks linked to a cloud computing infrastructure;
g. The In-Scope Entity and the resource operator shall know at any time where their data and systems are located globally 47, be it production environments or replications or backups.
46 “Shadow IT” is the use of ICT resources that is not controlled by the ICT department.
47 It is important that the In-Scope Entity and the resource operator know in which country data is stored, in a global way. For example, data is shared between country A and country B, but cannot be in country C under any circumstances.
Part III – Date of application
143. This circular is applicable from 30 June 2022 to all outsourcing arrangements entered into, reviewed or amended on or after this date.
144. In-Scope Entities shall review and amend existing outsourcing arrangements with a view to ensuring that they are compliant with this circular.
145. In-Scope Entities shall complete the documentation of all existing outsourcing arrangements in line with this circular following the first renewal date of each existing outsourcing arrangement, but by no later than 31 December 2022.
Where the In-Scope Entities assess that the review and amendment of outsourcing arrangements of critical or important functions existing prior to 30 June 2022 will not be finalised by 31 December 2022, they shall inform their competent authority in a timely manner of that fact, including the measures planned to complete the review or the possible exit strategy.
Claude WAMPACH, Director
Marco ZWICK, Director
Jean-Pierre FABER, Director
Françoise KAUTHEN, Director
Claude MARX, Director General
Annex – List of implemented ESA Guidelines
This circular implements:
- the revised EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02);
- the ESMA Guidelines on outsourcing to cloud service providers (ESMA50-164-4285, the ESMA Cloud Guidelines) previously implemented by Circular CSSF 21/777 amending Circular CSSF 17/654.
The above-mentioned guidelines are available on the websites of the EBA (www.eba.europa.eu) and ESMA (www.esma.europa.eu).
Commission de Surveillance du Secteur Financier, 283, route d’Arlon, L-2991 Luxembourg, (+352) 26 25 1-1, direction@cssf.lu, www.cssf.lu