23 March 2020, the CSSF published the following information on their Covid-19 FAQ page:
“As part of the adaptation of their working environment in response to the Covid-19 situation, supervised entities may opt for cloud-based tools and solutions (e.g. collaborative tools, virtual desktop infrastructure, etc.).
To facilitate a rapid implementation of these solutions, prior authorisation by or notification to the CSSF, as requested in paragraph 26.b to 26.g of the Circular CSSF 17/654 (as amended by Circular CSSF 19/714) are not required as long as this exceptional situation lasts. A simple information by email to the CSSF contact agent of the concerned entity is considered sufficient at this stage.
This is without prejudice to the entity’s obligation to carry out appropriate due diligence and risk assessment of such cloud outsourcing.
Also, we remind the entities falling under the scope of this circular that those cloud outsourcings, whether they are material or not, must be recorded in the cloud register required in paragraph 26.a of the circular. This register shall be transmitted to the CSSF upon request.”
Please refer to the website of the CSSF for the official communiqué.