
Circular CSSF 17/654



Transcription of Circular CSSF 17/654

Circular CSSF 17/654, as amended by Circulars CSSF 19/714, CSSF 21/777 and CSSF 21/785

IT outsourcing relying on a cloud computing infrastructure

In case of discrepancies between the French and the English text, the French text shall prevail.

Luxembourg, 17 May 2017

To all credit institutions and PFS within the meaning of the Law of 5 April 1993 on the financial sector (LFS)
To all payment institutions and electronic money institutions within the meaning of the Law of 10 November 2009 on payment services (LPS)
To all investment fund managers subject to Circular CSSF 18/698
To alternative investment fund managers (AIFMs) and depositaries of alternative investment funds (AIFs)
To undertakings for collective investment in transferable securities (UCITS), to management companies and depositaries of UCITS, as well as to investment companies that have not designated a management company authorised in accordance with the UCITS Directive
To central counterparties, including Tier 2 third-country central counterparties, complying with the relevant requirements of EMIR
To data reporting services providers and to market operators operating a trading venue
To central securities depositories
To administrators of critical benchmarks

Re: IT outsourcing relying on a cloud computing infrastructure

Ladies and Gentlemen,

The purpose of this Circular is to clarify the regulatory framework governing IT outsourcing relying on a cloud computing infrastructure (hereafter also "cloud computing solution") provided by an external provider. The use of a private cloud without outsourcing is thus excluded from the scope of this Circular.

This Circular applies to:

a. to all credit institutions and PFS within the meaning of the Law of 5 April 1993 on the financial sector (LFS);
b. to all payment institutions and electronic money institutions within the meaning of the Law of 10 November 2009 on payment services (LPS);
c. to all investment fund managers subject to Circular CSSF 18/698;
d. to alternative investment fund managers (AIFMs) within the meaning of point (b) of Article 4(1) of the AIFMD [1] and to depositaries of alternative investment funds (AIFs) referred to in Article 21(3) of the AIFMD;
e. to undertakings for collective investment in transferable securities (UCITS), to management companies of UCITS within the meaning of point (b) of Article 2(1) of the UCITS Directive [2] and to depositaries of UCITS within the meaning of point (a) of Article 2(1) of the UCITS Directive, as well as to investment companies that have not designated a management company authorised in accordance with the UCITS Directive;
f. to central counterparties (CCPs) within the meaning of Article 2(1) of EMIR [3], including Tier 2 third-country CCPs within the meaning of Article 25(2a) of EMIR, complying with the relevant requirements of EMIR in accordance with point (a) of Article 25(2b) of EMIR;
g. to data reporting services providers within the meaning of point (63) of Article 4(1) [4] of MiFID II [5] and to market operators operating a trading venue within the meaning of point (24) of Article 4(1) of MiFID II;
h. to central securities depositories within the meaning of point (1) of Article 2(1) of the CSDR [6];
i. to administrators of critical benchmarks within the meaning of point (25) of Article 3(1) of the Benchmark Regulation [7].

This Circular contributes to the sound and prudent management, the proper organisation of these entities and the preservation of information security of these entities [8].

This Circular defines:

- cloud computing;
- the requirements with respect to outsourcing to a cloud computing infrastructure.

The instructions to inform the CSSF of the outsourcing to a cloud computing infrastructure in accordance with the requirements of paragraph 26 of this Circular are available on the CSSF website [9].

Footnotes

[1] Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers and amending Directives 2003/41/EC and 2009/65/EC and Regulations (EC) No 1060/2009 and (EU) No 1095/2010.
[2] Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS).
[3] Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories.
[4] As from 1 January 2022, the reference to this provision must be read as a reference to point (36a) of Article 2(1) of MiFIR.
[5] Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU.
[6] Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012.
[7] Regulation (EU) 2016/1011 of the European Parliament and of the Council of 8 June 2016 on indices used as benchmarks in financial instruments and financial contracts or to measure the performance of investment funds and amending Directives 2008/48/EC and 2014/17/EU and Regulation (EU) No 596/2014.
[8] As required, inter alia, under Article 5(1a) of the LFS, Article 17 of the LFS and Article 11(2) of the LPS, point 135 of Circular CSSF 18/698, Article 5(2) of CSSF Regulation N° 10-4 and Article 57(2) of Delegated Regulation (EU) 231/2013.
[9] Link: competent-authority-relating-to-your-out sourcing-to-a-cloud-computing-infrastruc ture-under- Circular - cssf-17-654/.

I. Definitions

Specific vocabulary

1. Institution shall mean a legal person.

1a. Competent authority shall mean the CSSF or the European Central Bank for Luxembourg credit institutions falling under its supervision.

2. ISCR shall mean an institution supervised by the competent authority and consuming cloud computing resources for the purpose of carrying out its activities.

3. Cloud computing resource shall mean any computing capabilities (server, storage, network, etc.) provided by a cloud computing service provider.

4. Cloud computing service provider shall mean any firm proposing cloud services within the meaning of the definition of this Circular.

5. Outsourcing shall mean the complete or partial transfer of the operational functions, activities or services of the institution to an external service provider, which is part of the group to which the institution belongs or not.

6. Multi-tenant shall mean a physical or logical infrastructure serving several ISCRs through shared cloud computing resources and by means of a standardised model.

7. Client interface shall mean the software layer made available by the cloud computing service provider to the ISCR allowing the latter to manage its cloud computing resources.

8. Resource operation shall mean managing cloud computing resources made available through the client interface. By extension, resource operator shall mean the natural or legal person that uses the client interface to manage the cloud computing resources.

9. Signatory shall mean the institution that signs the contract with the cloud computing service provider.

10. Material activity shall mean any activity that, when it is not carried out in accordance with the rules, reduces the institution's ability to meet the regulatory requirements or to continue its operations as well as any activity necessary for sound and prudent risk management.

Definitions of cloud computing

11. Using a cloud computing solution is considered as outsourcing. In order to define cloud computing and distinguish it from traditional outsourcing, the CSSF relies on the definitions proposed by international organisations [10].

12. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models, as presented subsequently in paragraphs 14, 15 and 16.

13. The cloud computing infrastructure can be viewed as containing both a physical layer and an abstraction layer. The physical layer consists of the hardware resources that are necessary to support the cloud services being provided and typically includes server, storage and network components. The abstraction layer consists of the software deployed across the physical layer, which manifests the essential cloud characteristics. Conceptually, the abstraction layer sits above the physical layer.

14. The five essential characteristics that define the concept of cloud computing are:

a. On-demand self-service: An ISCR [11] can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with the cloud computing service provider.
b. Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin (browsers) or thick client (specific applications) platforms (mobile phones, tablets, laptops and workstations).

