On Apr. 9, LUX CSSF issued a communique on ICT services definition.
LUX CSSF published a communique on the definition of ICT services under DORA, new forms for third party ICT agreements and ICT outsourcing agreements.
Follows EIOPA Jan. 2025 issued questions and answers on DORA reg, see #241481.
Also follows LUX CSSF Feb. 2022 issued outsourcing notification form, see #163921.
Definition of ICT Services
Entities advised to note ESAs joint Q&As answer to question DORA030 on what types of services should be considered ICT services based on definition of DORA art. 3(21).#
The answer provided by EU CMSN confirmed that the definition of ICT services intentionally maintains a broad scope and provides further clarifications.
Entities strongly recommended to review EC's answer in detail as it may concern them, either as an entity in scope of DORA or service provider of entities in scope of DORA.
Financial services provided by professionals of the financial sector other than those covered by articles 29-3 to 29-6 of the Law of the financial sector of Apr. 5, 1993 are not to be considered an ICT service within the meaning of DORA.
On the contrary, services offered by professionals of the financial sector which are covered by articles 29-3 to 29-6 of the LFS, considering the nature of these services, must be considered as an ICT service in the meaning of DORA article 3(21).
In all cases, even though they are provided by a regulated financial entity.
Critical or Important Functions - DORA
LUX CSSF published a new notification form for financial entities subject to DORA to notify the CSSF, according to art 28(3) of DORA, in a timely manner about (a) any planned contractual arrangement regarding the use of ICT services supporting critical or important functions as well as when (b) a function has become critical or important.
In the case (a), prior notification shall be done by the financial entity as early as possible before planned implementation date of ICT third-party arrangement but at least 3 months or 1 month (when resorting to a LUX support PFS) before this date.
In the case (b), notification shall be done by the financial entity without undue delay.
This form shall be used as of today for the submissions of notifications.
Critical or Important ICT-Outsourcing
For entities not subject to DORA, requirements of cir 22/806, as amended by circular 25/883 remain applicable, shall continue to submit notifications according to the form.
This form has been updated to remove two questions related to paragraph 143 of circular 22/806 as this paragraph has been repealed from the circular.
Effectiveness
In order not to penalize entities that are well advanced in preparation of a notification based on the previous DORA form, financial entities may introduce notifications using the previous form during a transitional period until May 10, 2025.
After this date, only notifications submitted using the new form will be deemed compliant with instructions and forms outlined in sub-chapter 2.1 of circular 25/882.
Regulators
LUX CSSF
Entity Types
B/D; Bank; IA; Ins; Inv Co
Reference
PR, Form, 4/9/2025; Cir 22/806; Cir 25/882; Cir 25/883; DORA Dir 2022/2556, Reg 2022/2554;
