Operational Resilience / Outsourcing Regulations in Luxembourg

Submission of the register of information at individual or consolidated level to the CSSF (excluding entities under the direct supervision of the ECB)

Sectors:

Banking & Credit Investment Management Wealth & Private Banking

Topics:

Operational Resilience / Outsourcing Reporting & Disclosure Technology & Cyber

BankAsset ManagerWealth Manager

View Original

🇱🇺 CSSF Guidance high

February 11th 2026

Guidance for interpretation and resolution of CSSF error messages related to the submission of the DORA register

Guidance allowing financial entities to identify the National Competent Authority to which their register of information has to be submitted.

AI Analysis

This CSSF guidance document, published on 11 February 2026, provides detailed explanations and resolution steps for error messages encountered during the submission of the DORA Register of Information (RoI) via the eDesk portal, specifically for the 2026 submission cycle. It matters because it enables Luxembourg financial entities to ensure compliant submissions amid enhanced validation checks on more data fields, avoiding re-submission delays and supporting timely transmission to the ESAs by CSSF deadlines. Non-compliance risks supervisory scrutiny under DORA's ICT risk management framework.

What Changed

Enhanced validation checks for the 2026 RoI submission: Applies ESA-defined checks (last updated April 2025) to more data fields to improve data quality, compared to prior cycles. Specific error resolutions detailed, including requirements for LEI code communication to CSSF beforehand, correct reference date ('2025-12-31') in file naming, plain-CSV files in predefined .zip structure, and proper FilingIndicators.csv/parameters.csv content. Mandatory inclusion of all tables (even empty) in FilingIndicators.csv set to 'true', with matching identification codes across parent-child records. Builds...

What You Need To Do

Assign "DORA Reporting" role in eDesk to dedicated employee(s) per user guide
Communicate LEI code to CSSF line supervisor prior to first submission to enable upload
Prepare RoI in plain-CSV files within
Test submissions against listed error codes (e
Consult ESAs' EBA resources (data point model, validation rules, FAQs) and CSSF guides (e

Key Dates

31 December 2025 - Reference date for 2026 RoI submission (all contractual arrangements up to this date).

11 February 2026 - Publication date of this error guidance (last updated 10/02/2026).

1 April 2025 to 15 April 2025 - Initial 2025 submission window via eDesk (for context; 2026 window likely similar, pending confirmation).

30 April 2025 - CSSF re-submission deadline post-validation for 2025; analogous for 2026 if errors detected. DEADLINE

May 2025 - ESAs' second-round validation for 2025; expect similar for 2026 with potential re-submissions.

Compliance Impact

Urgency: High - Published today (11 February 2026), this equips firms for imminent 2026 RoI submissions (reference date 31 December 2025), with stricter validations on expanded fields risking rejections/re-submissions. Matters for operational resilience compliance under DORA Article 28, as accurate RoI supports supervisory oversight of ICT third-party risks; delays could trigger CSSF/ESA follow-up or fines. Firms with prior 2025 issues (e.g., portal extensions to May 2025) must prioritize to avoid recurrence.

References

Sectors:

Banking & Credit Investment Management Payments & E-Money

Topics:

Operational Resilience / Outsourcing Technology & Cyber Reporting & Disclosure

BankFintechPayment Provider

View Original

🇱🇺 CSSF News critical

February 10th 2026

Active exploitation of vulnerabilities on Ivanti Endpoint Manager Mobile (EPMM)

CVE-2026-1281 & CVE-2026-1340

Sectors:

Banking & Credit Investment Management Wealth & Private Banking

Topics:

Operational Resilience / Outsourcing Technology & Cyber Reporting & Disclosure

BankWealth ManagerFintech

View Original

🇱🇺 CSSF News low

February 10th 2026

Quarterly development of employment in support PFS

Situation as at 31 December 2025

Sectors:

Banking & Credit Investment Management Wealth & Private Banking

Topics:

Prudential / Capital Requirements Reporting & Disclosure Operational Resilience / Outsourcing

BankAsset ManagerWealth Manager

View Original

🇱🇺 CSSF News low

February 10th 2026

Balance sheet total and net result of support PFS

Situation as at 31 December 2025

Sectors:

Banking & Credit Investment Management Wealth & Private Banking

Topics:

Prudential / Capital Requirements Reporting & Disclosure Operational Resilience / Outsourcing

BankAsset ManagerWealth Manager

View Original

🇱🇺 CSSF News medium

February 9th 2026

PSD2 - PSP ICT Assessment – 2026 Campaign related to the financial year 2025

No description available.

Sectors:

Payments & E-Money

Topics:

Reporting & Disclosure Operational Resilience / Outsourcing

Payment Provider

View Original

🇱🇺 CSSF News medium

February 2nd 2026

Outcomes of the 2025 SFTR Data Quality indicators review

The CSSF informs the market regarding the outcomes of the SFTR Data Quality indicators review performed in 2025

Sectors:

Banking & Credit Capital Markets & Trading Payments & E-Money

Topics:

Reporting & Disclosure Prudential / Capital Requirements Operational Resilience / Outsourcing

BankBroker DealerPayment Provider

View Original

🇱🇺 CSSF News low

January 22nd 2026

List of members of the Consultative Committee for Prudential Regulation (Updated)

No description available.

Sectors:

Banking & Credit Investment Management Wealth & Private Banking

Topics:

Prudential / Capital Requirements Operational Resilience / Outsourcing Authorisation & Licensing

BankAsset ManagerWealth Manager

View Original

🇱🇺 CSSF News medium

January 20th 2026

Resolution Reporting Requirements - track changes

No description available.

Sectors:

Banking & Credit Investment Management Wealth & Private Banking

Topics:

Reporting & Disclosure Prudential / Capital Requirements Operational Resilience / Outsourcing

BankAsset ManagerWealth Manager

View Original

🇱🇺 CSSF Guidance high

January 20th 2026

New Circular CSSF 26/906 “Central administration, internal governance and risk management” applicable to payment and electronic money institutions

No description available.

AI Analysis

CSSF Circular 26/906, published on 20 January 2026, establishes detailed requirements for central administration, internal governance, and risk management for payment institutions (PIs) and electronic money institutions (EMIs) in Luxembourg, repealing prior circulars IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155. It clarifies application of the amended Law of 10 November 2009 on payment services, emphasizing robust governance amid sector growth to ensure safety, efficiency, and trust. This matters for compliance as it mandates comprehensive reviews and updates to governance frameworks by mid-2026, addressing rising transaction volumes.

Sectors:

Payments & E-Money

Topics:

Senior Managers / Governance Operational Resilience / Outsourcing

Payment ProviderFintech

View Original

🇱🇺 CSSF Guidance high

January 20th 2026

Circular CSSF 26/906

Central administration, internal governance and risk management

AI Analysis

Circular CSSF 26/906, published on 20 January 2026, consolidates and clarifies Luxembourg's rules on central administration, internal governance, and risk management specifically for payment institutions, electronic money institutions, and account information service providers. It repeals prior circulars (IML 95/120, IML 96/126, IML 98/143, and CSSF 04/155) to address growth in transaction volumes by mandating robust governance, control functions, and risk processes, enhancing safety, efficiency, and trust in these services. This matters for compliance professionals as it strengthens defenses against financial crime, operational risks, and supervisory scrutiny in a high-growth sector.

Sectors:

Payments & E-Money

Topics:

Senior Managers / Governance AML / Financial Crime Operational Resilience / Outsourcing

Payment Provider

View Original

🇱🇺 CSSF News high

January 20th 2026

Resolution Reporting Requirements (Updated)

No description available.

Sectors:

Banking & Credit Investment Management Wealth & Private Banking

Topics:

Prudential / Capital Requirements Reporting & Disclosure Operational Resilience / Outsourcing

BankAsset ManagerWealth Manager

View Original

🇱🇺 CSSF News

January 15th 2026

SSM Calendar Claude Wampach – 10/2025

No description available.

Sectors:

Banking & Credit Investment Management Wealth & Private Banking

Topics:

AML / Financial Crime Prudential / Capital Requirements Operational Resilience / Outsourcing

BankWealth ManagerAsset Manager

View Original

🇱🇺 CSSF Guidance low

January 15th 2026

Circular CSSF 19/708 - Annex (Updated)

Electronic transmission of documents to the CSSF

AI Analysis

Circular CSSF 19/708 mandates the electronic transmission of specified documents to the CSSF via secure platforms like e-file or SOFiE, effective from February 1, 2019, replacing prior paper or other methods. This updated annex (as amended by Circular CSSF 21/790 and further revisions up to April 1, 2025) standardizes submissions for investment funds and related entities, reducing administrative burdens while ensuring document integrity and CSSF accessibility. Compliance professionals must monitor the dynamic annex list on the CSSF website to avoid nullified submissions.

What Changed

Mandatory Electronic-Only Submission: Documents listed in Annex I must be transmitted exclusively via e-file (http://www.e-file.lu) or SOFiE (http://www.cetrel-securities.lu/wp_static/what-do-we-offer/secured-reporting-channel-sofie-sort/), in PDF format supporting read access, printing, copy/paste, and word search; other methods post-February 1, 2019, are null and void. Dynamic Annex Updates: The annex, published on the CSSF website, is regularly updated (e.g., latest noted April 1, 2025) and includes prospectuses, management regulations, annual reports, risk management reports, compliance...

What You Need To Do

Register/access e-file or SOFiE platforms if not already (test/production environments available since February 2019)
Consult and adhere to the latest Annex I for document list, nomenclatures, and formats (PDF with full functionality)
Ensure submissions are final/official versions matching hard copies; use specified identifiers for UCIs/SIFs/SICARs
Implement processes for automatic/manual transmission (e
Train staff on responsibilities and integrate into reporting workflows; reference CSSF FAQs for closing documents

Key Dates

1 February 2019 - Entry into force Mandatory electronic transmission for listed documents; non-electronic submissions null and void.

28 January 2019 - Publication date of original Circular CSSF 19/708.

22 December 2021 - Amendment by Circular CSSF 21/790.

1 April 2025 - Latest annex update noted.

Ongoing - Regular checks required Entities must monitor CSSF website for annex updates. DEADLINE

Compliance Impact

Urgency: Low (for new implementations post-2019; medium for ongoing monitoring). This matters for operational efficiency and CSSF relations, as non-compliance risks rejected filings, delays (e.g., approvals under SFDR processes), or supervisory scrutiny, but long-standing rule (since 2019) with established platforms reduces immediate pressure. Firms must prioritize annex vigilance to avoid disruptions in routine reporting like annual reports or prospectuses.

References

Sectors:

Investment Management Wealth & Private Banking Insurance & Pensions

Topics:

Reporting & Disclosure Operational Resilience / Outsourcing Authorisation & Licensing

Asset ManagerWealth ManagerInsurance

View Original

🇱🇺 CSSF Guidance high

December 23rd 2025

Circular CSSF 25/903

Update of Circular CSSF 24/850 on the practical rules concerning the descriptive report and the self-assessment questionnaire to be submitted on an annual basis by support PFS, as well as the engagement of the réviseurs d’entreprises agréés (approved statutory auditors) of support PFS and practical rules concerning the management letter and the separate report to be drawn up on an annual basis.

AI Analysis

Circular CSSF 25/903 updates Circular CSSF 24/850, refining practical rules for support Professional of the Financial Sector (support PFS) in Luxembourg regarding their annual descriptive report, self-assessment questionnaire, and the roles of approved statutory auditors (réviseurs d’entreprises agréés). It specifies requirements for auditors' engagement, management letters, and separate annual reports. This matters for support PFS as it enhances supervisory oversight, ensures consistent reporting quality, and strengthens internal controls, directly impacting compliance and audit processes amid CSSF's focus on robust PFS supervision.

Sectors:

Banking & Credit Investment Management Wealth & Private Banking

Topics:

Reporting & Disclosure Senior Managers / Governance Operational Resilience / Outsourcing

All FirmsFintechPayment Provider

View Original

🇱🇺 CSSF Guidance high

December 23rd 2025

Circular CSSF 24/850 (as amended by Circular CSSF 25/903) (Updated)

Practical rules concerning the descriptive report and the self-assessment questionnaire to be submitted on an annual basis by support PFS.Engagement of the réviseurs d’entreprises agréés (approved statutory auditors) of support PFS and practical rules concerning the management letter and the separate report to be drawn up on an annual basis.

AI Analysis

Circular CSSF 24/850, as amended by Circular CSSF 25/903, establishes practical rules for support Professional of the Financial Sector (support PFS) in Luxembourg to submit annual descriptive reports and self-assessment questionnaires, while also defining the roles of approved statutory auditors (réviseurs d’entreprises agréés) in issuing management letters and separate reports. This guidance standardizes supervisory reporting and audit processes to enhance oversight of support PFS, which provide essential back-office services to authorized PFS. It matters because non-compliance risks supervisory sanctions, reputational damage, and operational disruptions for entities reliant on support PFS structures.

Sectors:

Banking & Credit Investment Management Wealth & Private Banking

Topics:

Reporting & Disclosure Operational Resilience / Outsourcing Senior Managers / Governance

BankWealth ManagerAll Firms

View Original

🇱🇺 CSSF Guidance high

December 16th 2025

Circular CSSF 25/900

amending Circular CSSF 22/811.Authorisation and organisation of entities acting as UCI administrators.

AI Analysis

Circular CSSF 25/900, issued on 16 December 2025, amends Circular CSSF 22/811 to clarify governance principles, authorisation requirements, and operational standards for UCI (Undertakings for Collective Investment) administrators in Luxembourg, while reforming annual reporting obligations. It matters because it strengthens supervisory oversight, aligns with DORA for ICT outsourcing, and simplifies reporting to enhance efficiency and compliance in the fund administration sector.

What Changed

Repeals Annex B of Circular CSSF 22/811 with immediate effect, replacing it with streamlined annual reporting via a core compliance-focused Self-Assessment Questionnaire (SAQ) that assesses governance, internal controls, operational organization, and risk management; detailed instructions are now on the CSSF website. Introduces prior CSSF authorisation requirements for entities acting as UCI administrators, including a defined administrative procedure with application details in Annex A; authorisation remains valid unless substantial changes occur, requiring re-application or prior...

What You Need To Do

Assess eligibility and obtain prior CSSF authorisation via Annex A application (or notify substantial changes); ensure ongoing validity by monitoring operational model and delegations
Adapt internal processes for revised annual UCIA reporting (SAQ-focused, integrated where applicable); submit using CSSF website instructions starting for FY ending 31 Dec 2025
Review/update contracts with UCIs/IFMs to define roles, responsibilities, and oversight; implement delegation monitoring, remediation plans, and ICT compliance (DORA/Circular 25/882 or 20/750)
For DORA-scope entities, align outsourcing arrangements with Circular CSSF 25/882

Key Dates

16 December 2025 - Issuance date; repeal of Annex B of Circular CSSF 22/811 effective immediately.

January 2025 - DORA entry into force, applying to ICT outsourcing for in-scope UCIAs.

31 December 2025 - New reporting framework (SAQ and updated modalities) applies to all financial years ending on or after this date.

Compliance Impact

Urgency: High - Immediate repeal of prior reporting Annex requires prompt process updates; new framework applies to FY 2025 year-ends (just past as of Jan 2026), risking supervisory scrutiny or penalties for non-compliance; DORA alignment adds operational resilience pressure amid ongoing CSSF focus on fund admin governance.

References

Sectors:

Investment Management Wealth & Private Banking

Topics:

Authorisation & Licensing Reporting & Disclosure Operational Resilience / Outsourcing

Asset ManagerWealth ManagerBank

View Original

🇱🇺 CSSF Guidance high

December 16th 2025

Circular CSSF 22/811 (as amended by Circular CSSF 25/900) (Updated)

Authorisation and organisation of entities acting as UCI administrators

AI Analysis

Circular CSSF 22/811, as amended by Circular CSSF 25/900, establishes CSSF requirements for the authorisation, governance, internal organisation, and oversight of entities acting as UCI (Undertakings for Collective Investment) administrators in Luxembourg. It matters because it standardises practices amid regulatory, technological, and market evolutions, ensuring robust controls, risk management, and supervision for fund administration activities critical to Luxembourg's fund industry.

Sectors:

Investment Management Wealth & Private Banking

Topics:

Authorisation & Licensing Senior Managers / Governance Operational Resilience / Outsourcing

Asset ManagerBankAll Firms

View Original

🇱🇺 CSSF News high

November 28th 2025

Supply-chain attack using NPM packages

Press release 25/18

Sectors:

Banking & Credit Investment Management Wealth & Private Banking

Topics:

Operational Resilience / Outsourcing Technology & Cyber Consumer Protection / Conduct

BankFintechAll Firms

View Original

🇱🇺 CSSF Guidance high

October 31st 2025

Circular CSSF 25/898

Update of Circular CSSF 07/325 on Provisions relating to credit institutions and investment firms of EU origin established in Luxembourg by way of branches or exercising activities in Luxembourg by way of free provision of services, as amended by Circulars CSSF 21/765 and CSSF 22/827

AI Analysis

Circular CSSF 25/898 updates Luxembourg's supervisory framework for EU-origin credit institutions and investment firms operating in Luxembourg through branches or free provision of services. This amendment enhances the self-assessment questionnaire (SAQ) used by the CSSF to align supervisory oversight with current regulatory priorities, particularly adding UCI administration as a new thematic module. The update reflects the CSSF's evolving supervisory focus and requires affected institutions to demonstrate compliance with expanded assessment criteria.