Cloud Computing

Cloud computing is a network that allows access to a multitude of remote servers around the world. Companies are no longer required to host their own servers, but have easy access to shared and dematerialized IT resources without having to manage them.

The main advantages for companies in the exploitation of data center resources include a high degree of flexibility, the possibility of outsourcing IT infrastructure and the possibility of providing a simplified mode for users.

The CSSF, which supervises the professionals and products of the Luxembourg financial sector, issued in May 2017 the Circular 17/654 governing IT outsourcing relying on a cloud computing infrastructure (“cloud computing”), applicable to all credit institutions, financial sector professionals, payment institutions and electronic money institutions.

Objectives of the regulatory changes introduced in May 2017 by the CSSF

  • to take into account the cloud specificities in the context of outsourcing
  • to distinguish the provisioning of a cloud-based outsourcing from the traditional outsourcing services provided by Support PFS
  • to maintain Support PFS’s particularities and to clarify their role in a cloud context
  • to stay compatible as far as possible with the work done at EBA level (Taskforce on IT Risk Supervision – TFIT)

Definition of Cloud Computing

According to the CSSF, cloud computing has to fulfil the following seven criteria:

  1. On-demand self-service
  2. Broad network access
  3. Resource pooling
  4. Rapid elasticity
  5. Measured service
  6. Apart from exceptional situations, the provider does not access the data and systems of the consumer without its prior consent and without a monitoring mechanism available to the Institution Supervised by the CSSF and Consuming cloud computing Resources for the purpose of carrying out its activities (ISCR)
  7. No manual interaction of the provider as regards the day-to-day management of resources.

Three circulars govern Cloud Computing and IT Outsourcing in Luxembourg

The application of the circulars depends on whether the CSSF’s definition of cloud computing (all seven criteria) is met:

  • If yes, the new cloud circular applies instead of, respectively, sub-chapter 7.4 of CSSF Circular 17/655 or CSSF Circular 17/656 (only available in French – Circular 05/178 has been abolished and replaced)
  • If not, the two CSSF Circulars 17/655 and 17/656 remain applicable, respectively, to the types of entities concerned

Different Roles

  • Signatory of the contract with the cloud service provider
  • Consumer (of resources) – renamed «ISCR», Institution supervised by the CSSF and Consuming cloud computing Resources for the purpose of carrying out its activities
  • Resource Operator
  • Cloud Computing Service Provider (CSP)

The cloud Circular takes up the obligations of Circular 17/655, but should be read according to the role played by the regulated entity.

The Circular points out the disconnection from the discussion on Article 41:

  • Encryption with the localization of the encryption keys in Luxembourg is no longer mandatory
  • Reference to legal risks and obligations
  • Consequence in the current situation: the consent remains necessary if the operator is not a Support PFS
  • The form of the consent is not specified

Confidentiality is now based on the technology and processes by applying key security principles:

  • Need to know
  • Least privilege

Cloud Officer Position

The Circular introduces the Cloud Officer position in financial services, with the following functions and requirements:

  • Is responsible for the use of the cloud computing services and guarantees the competences of the teams
  • Is an employee of the resource operator
  • Shall have the adequate competencies on the product used
  • The ISCR and the CSSF must know the name of the cloud officer
  • A resource operator can have several cloud officers
  • The positions of Cloud Officer and Data Security Officer are incompatible