On 9 April 2025, the CSSF published Circulars 25/881, 25/882, and 25/883, accompanied by a clarifying communiqué. These developments have drawn considerable attention across Luxembourg’s financial sector for their impact on information and communication technology (ICT) risk management, DORA implementation, and third-party oversight. Collectively, they represent a substantial step toward regulatory coherence and stronger digital resilience.
A central concern for leadership teams across investment funds and their managers, banks and payment service providers (PSPs) has been the scale and impact of the resulting compliance changes. True to its reputation, the CSSF has sought to simplify implementation rather than complicate it — this latest regulatory update is no exception.
Circular CSSF 25/881: Refining ICT risk requirements
To begin with, Circular 25/881 amends Circular 20/750 by narrowing its scope. Previously, Circular 20/750 applied to a wide range of financial entities, including PSPs. The updated version removes PSPs from its remit, as they are now covered under the newly issued Circular 25/880. As amended, Circular 20/750 now applies only to entities outside DORA's scope and not classified as PSPs. While Circular 20/750 served as a foundational framework, Circular 25/881 builds on it with more targeted applicability and alignment with DORA’s regulatory architecture.
Circular CSSF 25/882: Governing ICT third-party services under DORA
Circular 25/882 introduces comprehensive requirements for financial entities subject to DORA, specifically concerning their use of ICT third-party service providers. Importantly, the circular expands regulatory coverage: all ICT third parties — regardless of whether their services qualify as outsourcing — are now within the Circular’s scope.
By comparison, under Circular 22/806, outsourcing was defined as any arrangement in which a third-party provider performs a function that would otherwise be carried out by the regulated entity itself, so not every third-party arrangement previously counted as “outsourcing.” This distinction no longer applies to ICT services under DORA. As a result, the term “ICT services” now broadly includes all digital and data services provided through ICT systems on an ongoing basis.
The Circular also offers practical instructions on the submission of certain information and reporting in relation to the use of ICT third-party providers, including:
- Notification: Entities must notify the CSSF at least three months before entering into ICT-related contractual arrangements — except for contracts with Luxembourg-based support professionals of the financial sector (PFS), where the notice period is reduced to one month.
- Register of Information: Firms must maintain and annually submit a Register of Information at entity, sub-consolidated, and consolidated levels. Registers for a calendar year must cover all arrangements concluded by year-end and be submitted between 28 February and 31 March of the following year. For the first reporting cycle (2025), the register must include all arrangements up to 31 March 2025 and be submitted between 1 April and 31 May 2025.
- Cloud Services: The Circular consolidates various definitions from earlier guidance and introduces the mandatory designation of a Cloud Officer, responsible for overseeing cloud service governance, whether hosted internally or managed by third-party providers via a client interface.
Circular CSSF 25/883: Updating the framework for outsourcing
Circular 25/883 amends Circular 22/806, clarifying the split between ICT and non-ICT outsourcing. Under the new approach:
- Part I of Circular 22/806 applies only to outsourcing arrangements that do not involve ICT.
- DORA applies to all ICT services from third parties, regardless of whether they meet the formal definition of outsourcing.
Exceptions include:
- Investment Fund Managers (IFMs) authorized solely under Article 125-1 of Chapter 16 of the UCI Law, for which Circular 22/806 continues to apply fully, even for ICT outsourcing.
- Entities not subject to DORA but covered by Circular 22/806, for which both Parts I and II of Circular 22/806 remain applicable.
Investment fund managers: Navigating dual regulatory tracks
For Investment Fund Managers (IFMs), the path to compliance is not merely procedural — it is strategic and high-stakes. While the new Circulars usher in transformative change, Circular 18/698, and its anticipated revision, remains firmly in force, creating a layered and demanding regulatory landscape that IFMs must now navigate with precision.
In this evolving regime, IFMs find themselves at the intersection of legacy rules and forward-looking mandates. Circulars 25/882 and 25/883 must be read in conjunction with 18/698 — an exercise that is far from academic. The stakes are real: regulatory missteps could expose firms to supervisory scrutiny and reputational damage. To respond effectively, IFMs must rise to the occasion by:
- Conducting rigorous due diligence on ICT third-party providers, ensuring alignment not only with DORA but also with the elevated expectations of the CSSF.
- Drafting bulletproof contracts that embed DORA-compliant provisions and reflect an acute awareness of criticality, risk, and oversight.
- Diligently maintaining the DORA Register of Information, leaving no room for omission when reporting ICT third-party arrangements.
Practically speaking, for example, a Luxembourg IFM, when delegating the portfolio management function, must ensure compliance with CSSF Circulars 18/698 and 25/883, and would approach key third-party related activities as follows:
- Assessment of Critical/Important Functions would be a common assessment encompassing all functions leveraging third-party services.
- Due diligence and contractual clauses would follow a common set of criteria, aligned with DORA and with Circular 22/806 as amended by 25/883, for all ICT services (e.g., market information services such as Bloomberg or Thomson Reuters, transaction processing services such as SWIFT, or any cloud-based applications) and for non-ICT outsourcing (e.g., payroll management or HR services). Non-ICT services under Circular 18/698 that do not qualify as outsourcing (e.g., portfolio management) would instead be assessed against a topical set of due diligence criteria.
- Broadly, in terms of registers, all ICT services (be it cloud-based accounting software, portfolio/fund management tools such as Yardi, eFront or Aladdin, or market information services) would be listed in DORA’s Register of Information, while any non-ICT service, whether a non-ICT outsourcing service under 25/883 or a non-ICT service under 18/698, would be listed in the Outsourcing Register detailed in Circular 22/806 as amended by 25/883.
- Other key deliverables such as Exit Plans and Risk Assessments could be created in a manner that jointly applies to Circulars 18/698 and 25/883.
Crucially, for all non-ICT third-party engagements, IFMs cannot lose sight of their obligations under Circular 18/698. These arrangements must still undergo careful vetting and be documented in the Outsourcing Register — an enduring testament to the dual compliance tracks IFMs must now master.
All circulars emphasize the need to assess “critical or important” functions, establish exit strategies, and conduct risk assessments for all third-party service relationships. The CSSF's updated regulatory framework ensures greater consistency, clarity, and preparedness in managing third-party and digital risks across Luxembourg’s financial sector.
Complementing the Circulars
To complement the Circulars, the CSSF issued a Communiqué clarifying two additional key points:
- Support PFS firms offering services such as IT systems support, communication network services, dematerialization, and archiving now fall within DORA’s scope.
- Two distinct notification forms have been introduced – one for ICT third-party arrangements supporting critical or important functions under DORA; and another for ICT outsourcing by entities not subject to DORA.
Conclusion: A new chapter in risk governance
The release of Circulars 25/881, 25/882, and 25/883 — together with the communiqué — marks a watershed moment in the evolution of Luxembourg’s regulatory landscape for digital operational resilience and third-party risk management. These measures are not simply regulatory adjustments. They represent a strategic consolidation of frameworks to ensure clarity, consistency, and alignment with European standards such as DORA. The key to an operationally efficient third-party/delegation oversight framework aligned to the new Circulars is to find synergies between the requirements for the individual framework components of these Circulars with those of Circular 18/698. Developing an integrated approach to oversight framework deliverables such as registers, due diligence, contractual clauses, governance controls, exit plans, risk assessments and policies serves as its cornerstone. This avoids duplication of activities that are needed to comply with the multiple layers of related regulation.
The CSSF’s approach demonstrates its ongoing commitment to providing clarity and helping financial institutions navigate complex compliance expectations without unnecessary burden. Entities must now shift their focus from interpretation to execution — establishing robust internal governance structures, clearly delineating ICT and non-ICT outsourcing, and embedding the updated notification and record-keeping requirements into day-to-day operations.
For firms across the spectrum — from PSPs and IFMs to banks and investment entities — the message is clear: digital resilience is no longer just a technical concern, but a core element of strategic and operational soundness. With the tools and guidance now in place, the responsibility lies with firms to take a proactive, structured, and forward-looking approach to third-party and ICT risk oversight in the years ahead.