Bonn & Schmitt | View firm profile
- Clarification on definition of “ICT services”
The CSSF would like to draw the attention of all supervised entities to the ESAs joint Q&As answer to the question DORA030 on what types of services should be considered “ICT services” based on the definition of DORA Article 3(21).
The answer provided by the European Commission confirmed that the definition of “ICT services” intentionally maintains a broad scope and provides further clarifications. We strongly recommend supervised entities to review the Commissions answer in detail as it may concern them, either as an entity in scope of DORA or as a service provider of entities in scope of DORA.
Furthermore, we would like to clarify that financial services provided by professionals of the financial sector other than those covered by Articles 29-3 to 29-6 of the Law of the Financial Sector of 5 April 1993 are not to be considered an ICT service within the meaning of DORA. On the contrary, services offered by professionals of the financial sector which are covered by Articles 29-3 to 29-6 of the LFS, considering the nature of these services, must be considered as an ICT service in the meaning of DORA Article 3(21) in all cases, even though they are provided by a regulated financial entity.
- Notification of an ICT third-party arrangement supporting a critical or important function under DORA regulation
Today the CSSF published a new notification form for financial entities subject to DORA1 to notify the CSSF, according to Article 28(3) of DORA, in a timely manner about (a) any planned contractual arrangement regarding the use of ICT services supporting critical or important functions as well as when (b) a function has become critical or important.
In the case (a) mentioned above, the prior notification shall be done by the Financial Entity as early as possible before the planned implementation date of the ICT third-party arrangement but, in any case, at least three (3) months or one (1) month (when resorting to a Luxembourg support PFS) before this date. In the case (b) mentioned above, the notification shall be done by the Financial Entity without undue delay.
This form shall be used as of today for the submissions of notifications. In order not to penalise entities that are well advanced in the preparation of a notification based on the previous form, financial entities may introduce notifications using the previous form during a transitional period until 10 May 2025. After this date only notifications received with the new form will be considered as notified in line with the instructions and forms available in accordance with sub-chapter 2.1 of Circular CSSF 25/882 on requirements on the use of ICT third-party services for Financial Entities subject to the Digital Operational Resilience Act (DORA).
The CSSF would like to remind financial entities of the following, which was already published in the communiqué of 5 December 2024:
- Previously notified ICT outsourcing arrangements under Circular CSSF 22/806 are not required to be re-submitted in the context of DORA.
- Contractual arrangements on the use of ICT services already in place prior to 17 January 2025 and which have not been notified under Circular CSSF 22/806 because they do not qualify as a critical or important ICT outsourcing under the circular, are also not required to be submitted as notifications to the CSSF, however they need to be listed in the Register of Information.
- 9 April 2025
Form
- Notification of a critical or important ICT-outsourcing for entities not subject to DORA
For supervised entities not subject to DORA2, the requirements of Circular CSSF 22/806, as amended by Circular CSSF 25/883 remain applicable and therefore they shall continue to submit notifications according to the following form. Please note that this form has been updated to remove two questions related paragraph 143 of Circular CSSF 22/806 as this paragraph has been repealed from the circular.
For any further questions please contact: [email protected].
- 17 February 2023 – Updated on 9 April 2025
Notification of critical or important ICT outsourcing
Version 3
Form
1 Financial entities defined in Article 2(1)(a) to (i), (k) to (m), (p), (r) and (s), and within the meaning of Article 2(2) of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector
2 As defined in Chapter 2 of Circular CSSF 22/806 as amended by Circular CSSF 25/883: Specialised and support professionals of the financial sector, POST Luxembourg, branches in Luxembourg of credit institutions, investment firms and payment and e-money institutions incorporated in a third country, and management companies authorised only under Article 125-1 of Chapter 16 of the UCITS Law.