File transport and data protection

The CSSF has defined an infrastructure allowing the transmission of reporting files via transmission channels offered by external service providers. This document provides information on these transmission channels and the protection of the files passing through that infrastructure. 


The CSSF currently accepts the following transmission channels: 


Service provider

Transmission channel


Bourse de Luxembourg


CETRELSecurities S.A.




Information on reporting channels


The information and resources necessary for appropriate use of the transmission channels by reporting entities are specified below.


Transport: infrastructure of transmission channels

The file names of the different reportings are described in the CSSF’s naming convention, now in English; the former French version will not be maintained but remains available at naming convention FR - obsolete.


There are two types of return files:

- acknowledgements of receipt (FBR)

- results of the applicative processing of the files received (FDB)


All FBR files are in XML format and are instances of the same XML schema FileAcknowledge-v1.0. A file is considered to be properly received by the CSSF if the 4 operations performed at the reception of the file by the CSSF (file name verification, decryption, signature verification, etc.) correctly returned the status 'A' - Accepted. If one of those operations returns the status 'R' - Rejected, the file has not been properly received and the file must be sent a second time. The CSSF only generates FBR return files for its own reportings, as well as for entering EDIFACT files (including those of the BCL).


The FDB file format depends on the type of reporting; a common format is not foreseen because of the differences between the types of reporting. Only a sub-set of the current reportings will return an FDB file. Details are provided in the naming convention above and in the CSSF circulars, notably those mentioned below.



Data protection: PKI infrastructure to be used

All reporting files transmitted to the CSSF through the transmission channels must be encrypted according to the standards defined in Circular CSSF 08/334. Before sending any files, the Luxtrust SSL certificate used by the reporting entity to generate its electronic signature must be registered with the CSSF according to the procedure described in that circular.


CSSF certificate to be used to encrypt data (available in several formats):


- CSSF production certificate in force

- CSSF test certificate in force





Circular CSSF

Channel use

TAF / MiFID reporting



Prudential financial reporting (XBRL - FINREP format)

(except for tables B 2.3 and B 6.3)



Prudential reporting on capital adequacy (XBRL - COREP format)



Tables B 2.3, B 6.3 and B 4.4 (EDIFACT format)



ESP (Enquêtes spécifiques; special enquiries)



PFS reporting



Sociétés d'investissement en capital à risque ("SICAR")



Bank Reporting - long form report and management letter



Management companies - Chapter 13



UCITS IV Notifications


mandatory (alternative CSSF deposit server)

Payment institutions



Electronic money institutions



Credit institutions



By default, special enquiries will thus pass through the infrastructure of the communication channels. If another type of transmission is to be used for a given special enquiry, this will be mentioned in the circular letter initiating the enquiry.


Deactivated validation rules for COFREP files 

Version EBA

Applicability for reports submitted to the CSSF


19 May 2014

As from the start of production

24 June 2014

As from 26 June 2014

17 July 2014

As from 21 July 2014

22 October 2014

As from 23 October 2014

18 December 2014

As from 19 December 2014

27 February 2015

As from 3 March 2015

10 March 2015

As from 11 March 2015

8 May 2015

As from 4 June 2015

9 June 2015

As from 11 June 2015

15 June 2015

As from 11 June 2015

9 September 2015

As from 10 September 2015

10 December 2015

As from 10 December 2015

4 March 2016

As from 9 March 2016

10 March 2016

As from 11 March 2016

9 September 2016

As from 12 September 2016

9 December 2016

As from 13 December 2016

18 January 2017

As from 20 January 2017

10 March 2017

As from 12 March 2017

9 June 2017

As from 13 June 2017

11 September 2017

As from 12 September 2017

8 December 2017

As from 14 December 2017

9 March 2018

As from 12 March 2018

17 April 2018

As from 2 May 2018

11 June 2018

As from 13 June 2018

10 August 2018

As from 10 August 2018

10 September 2018

As from 11 September 2018

11 December 2018

As from 12 December 2018

8 March 2019

As from 11 March 2019

11 September 2019

As from 16 September 2019

5 November 2019

As from 12 November 2019

10 December 2019

As from 13 December 2019

4 February 2020

As from 7 February 2020

10 March 2020

As from 12 March 2020


Deactivated validation rules for SUFREP files 

NB: The reference file for EIOPA validations is available at
among the documents applicable to the version mentioned in the table below.

EIOPA Version

Active since

Applicability for reports submitted to the CSSF

Deactivated rules at the CSSF

2.3 Pension funds


As from the start of production 2019-09


2.3 Pension funds


Any report submitted after "Active since" date


2.3 Pension funds


Any report submitted after "Active since" date



Information on notification channels


Circular CSSF 11/509 defines, among other things, the initial notification procedure for the marketing of Luxembourg UCITS in the European Union. The latest information and developments concerning the notification packages are available in the file "Notifications FAQ".


XML notification letter

In accordance with the circular, every notification package must include a notification letter in XML format (XML schema notifletter.xsd) and a PDF version of this notification letter. It is the notifying party's responsibility to make sure that the information in both files are the same. The most recent version has been activated on 30 January 2012; it includes the amendments described on the document "Notifications FAQ" under the following questions:

- Quelles sont les prochaines évolutions du schéma notifletter.xsd?

- Que signifie l'état « Accepted by host » non mentionné dans la circulaire CSSF 11/509?

- Que signifie l'état « Force accepted by host » non mentionné dans la circulaire CSSF 11/509?



CSSF responses 

The CSSF's responses are XML files of the following schemata:








Acknowledgement of receipt


according to the standard applicable in 08/334 channels


Response after file analysis by the CSSF



Response after file analysis by the host authority



Internet filing

In order to file a notification package directly with the CSSF, registration should be made at the website


Following this registration, an email containing a link allowing to upload a notification package will be sent to the registered email address.


In practice, it is recommended that Luxembourg-based UCITS, proposing to market their units in another EU Member State, make use of the services offered by Cetrel Securities S.A. or Bourse de Luxembourg to submit the notification files to the CSSF.