Article Post on 21 July 2017

New CSSF Circular on IT outsourcing relying on a cloud computing infrastructure

_On 17 May 2017, the Luxembourg Supervisory Authority of the Financial Sector (CSSF) published the  CSSF Circular 17/654 (Circular 17/654) on IT outsourcing relying on a cloud computing infrastructure.

Circular 17/654 was prepared in the context of a cloud workstream performed by the CSSF with the view of analysing the functioning and management methods of cloud services provided by certain major players in this area, including public clouds, and following a study conducted by the European Union Agency for Network and Information Security (ENISA). The CSSF, by contributing to the said study, concluded that, overall, the extent of adoption of cloud computing by the European financial sector was low1.

The core aim of Circular 17/6542 is thus to clarify (i) the definition of cloud computing as well as (ii) the requirements to be followed in a scenario where outsourcing relies on a cloud computing infrastructure by always considering the cloud specifies in the context of an outsourcing and by distinguishing it from “standard” IT outsourcing (typically to an entity of the group or to a Support PFS).  

To define the concept of cloud computing, the CSSF has relied on recognised terms that are used by international organisations, such as ENISA, and based its definition on the seven following criteria that set the scope of Circular 17/654:

  1. on-demand self-service;
  2. broad network access;
  3. resources pooling;
  4. rapid elasticity;
  5. measured service;

6. no access by the provider to the data/system of the consumer without its prior consent and without a monitoring mechanism available to the consumer, apart from exceptional situations3; and
7. no manual interaction of the provider regarding the day-to-day management of resources.

Where these seven criteria are met, Circular 17/654 will apply instead of respectively:

  • Sub-Chapter 7.4 of CSSF Circular 12/5524 (for credit institutions and investment firms)
  • CSSF Circular 17/6565 (for payment institutions, electronic money institutions and PFS other than investment firms)

which provisions remain applicable where such entity does not have recourse to cloud computing solutions meeting the 7 criteria set forth here above.

Circular 17/654 also identifies four typical cloud arrays (private cloud, community cloud, public cloud and hybrid cloud) and defines the roles of the different actors in a cloud computing infrastructure based outsourcing model as follows:

  • Signatory: the entity signing the contract with the CSP
  • ISCR: Institution Supervised by the CSSF and Consuming cloud computing Resources for the purpose of carrying out its activities (the consumer of resources)
  • Resource Operator
  • CSP: Cloud computing Service Provider

where the Resource Operator and the Signatory might be the same entity.

Per Circular 17/654, direct as well as indirect outsourcing to a CSP (in either Luxembourg or abroad) will be possible. In case of direct outsourcing, the ISCR will need to appoint a Cloud Officer who will be responsible for the use of the cloud computing services and who guarantees the competences of the teams6. In case of indirect outsourcing, the ISCR may either use (i) a Luxembourg Support PFS or (ii) a non-regulated entity that is located either abroad (group exempted or not) or in Luxembourg and group exempted, in which cases the Cloud Officer will be appointed at the level of the Support PFS/non-regulated entity.

Thus, Circular 17/654 abolishes the restriction to outsource abroad only to the group. In addition, encryption with localisation of the encryption keys in Luxembourg will no longer be mandatory. Notably, Circular 12/552 has recently been amended in that sense as well7.

Finally, Circular 17/654 sets the rules for cloud computing in terms of, among others, governance (no discharge of liability at the level of the ISCR), notification to or authorisation by the CSSF, risk management, continuity measures and the contractual clauses to be found in the contractual relationship with the CSP (for example the mandatory audit right granted to the CSSF).

Circular 17/654 is effective immediately.

The content of this article is intended to provide a general overview to the subject matter. Please contact us should you require any further information.

Authors: Michel Bulach (Partner), Charles Krier, Peggy Muck.

1. CSSF Annual Report 2015, Chapter XII, Section 2

2. Applying to credit institutions, professionals of the financial sector (“PFS”), payment institutions and electronic money institutions

3. Not further specified

4. On central administration, internal governance and risk management

5. On administrative and accounting organisation and IT outsourcing

6. For more information on the Cloud Officer, see point 24.c of Circular 17/654

7. See also bill n° 7024 easing the current outsourcing rules that were put forth in the law of 5 April 1993 on the financial sector, as amended


Share this content