Communiqué regarding the publication of Circular CSSF 21/785 on the replacement of the prior authorisation obligation by a prior notification obligation in the case of material IT outsourcing
1. In accordance with point 8 of Circular CSSF 21/785, this communiqué defines the transitional measures as regards the authorisation applications for material IT outsourcing submitted to the CSSF prior to the date of entry into force of Circular CSSF 21/785.
2. For supervised entities which applied for a material IT outsourcing authorisation until 31 August 2021 inclusive, a feedback on their applications in the form of requests for further information, non-objection, conditional non-objection or refusal shall be systematically provided to the supervised entity in accordance with the procedures and time limits in place before 15 October 2021. In case of question on such a file, the supervised entities may address their question by email to the supervisor in charge of the supervision of the entity.
3. For supervised entities having applied for an outsourcing authorisation between 1 September 2021 and the day before the entry into force of the aforementioned circular (i.e. before 15 October 2021), the following provisions shall apply:
- In case of reaction of the CSSF (additional information request, partial or total refusal of the project), this reaction shall take place at the latest within 3 months from the date of entry into force of the circular, i.e. until 15 January 2022. When transmitting its reaction, the CSSF shall provide the supervised entity with details on the follow-up to the application.
- In the absence of a reaction from the CSSF, (additional information request, partial or total refusal of the project), by 15 January 2022, the supervised entities may implement the planned outsourcing. The absence of reaction from the CSSF shall be without prejudice to the supervisory measures or the application of binding measures and/or administrative sanctions which it might take at a later stage as part of the ongoing supervision, where it appears that these outsourcing projects do not comply with the applicable legal and regulatory framework.
4. In any event, the supervised entities shall be fully responsible for complying with all the relevant laws and regulations as regards the planned outsourcing projects.
Updated on 19 October 2021