IT regulation and IT outsourcing in Luxembourg - What you need to know

This training aims to provide an introduction to the main IT regulatory requirements applicable to CSSF supervised entities with a specific focus on the topics of ICT and security risk management (CSSF 20/750), IT outsourcing and cloud computing (CSSF 22/806), incident reporting process (CSSF 24/847) and teleworking requirements (CSSF 21/769).

This presentation will be supported by good market practices and practical examples. The goal is to increase participants' comfort level when confronted with IT specific regulations and to strengthen their company’s oversight and IT risk management capabilities.

This training course is designed as an essential step to assist participants in addressing the following challenges, among others:

• What is the current IT regulatory framework in Luxembourg?
• Which IT regulations are applicable to your organisation (including investment fund managers, banks, PFS, e-money and payment institutions)?
• What are the main ICT risks to be considered in the risk management framework of your organisation?
• How to assess the ICT risks? What controls should be foreseen?
• What does IT outsourcing mean from a regulatory perspective?
• What are the key considerations prior to your IT outsourcing arrangements?
• What are the key aspects to know prior to your implementation of a telework solution within your organisation?

By the end of this training, participants will be able to:

• have a clear overview of the main applicable IT regulations;
• understand the key considerations and the common pitfalls while strengthening the IT regulatory framework:
• identify the main aspects of managing IT/cloud outsourcing and ICT related risks;
• describe the key documentation requirements.

• IT regulatory landscape in Luxembourg
  • Main provisions defined by laws and circulars, concepts and available guidance
  • Key challenges and common pitfalls
• ICT and security risk management as per CSSF 20/750
  • Governance and risk management
  • Information security
  • ICT operations/change/project management
  • Business continuity management
  • Payment services users relationship management
  • Main ICT risks and oversight
  • Key documentation to maintain (incl. procedures and policies, risk register, risk reporting, ICT assets inventory)
• IT outsourcing and cloud computingConcept of IT outsourcing materiality
  • Key focus of IT outsourcing lifecycle
  • Outsourcing and professional secrecy requirements
  • IT outsourcing vs. cloud outsourcing
  • Assessment of the applicability of cloud specific regulations
  • Roles and responsibilities
  • CSSF prior notification request process
  • Main outsourcing risks and oversight
  • Key documentation to maintain (incl. materiality assessment, due diligence, risk assessment, cloud register)
• ICT related incident reporting requirements as defined by CSSF 24/847
• Teleworking requirements (CSSF 21/769)

Certificate of attendance

This course is coordinated by Cécile Liégeois, Partner, and presented by Xiaoyi Fang, Director and Vojtech Volf, Senior Manager at PwC Luxembourg.

Cécile Liégeois is a partner specialising in audit and regulatory matters within the Financial Sector industry, with over 25 years of professional experience in Luxembourg. She possesses extensive expertise in Luxembourg banking, payment, and investment firm regulations, including MiFID II, governance, compliance, outsourcing, DORA, SFDR, and PSD2. Cécile leads external audits of banks, financial sector professionals, and management companies, preparing regulatory reports and managing projects on new regulatory implementations with a focus on business, regulatory, and operational impacts. She also supports the establishment of new regulated entities or branches such as banks, MiFID firms, or payment institutions. Her client work includes audits, regulatory impact assessments, compliance assistance, AML reviews, and outsourcing framework evaluations.

Xiaoyi Fang is a director specialising in the implementation of regulatory and IT-driven projects for entities supervised by CSSF, with expertise in EU and Luxembourg regulatory frameworks. She has led and contributed to numerous complex projects involving large banking groups, subsidiaries, and European institutions. Xiaoyi is well-versed in banking business operations and regulatory topics such as internal governance, IT compliance, outsourcing, MiFID, and ESG. Her expertise includes outsourcing matters, IT compliance, and MiFID II-SFDR. She has managed significant client projects, including remediation support, complex IT projects, and MiFID II implementation, and serves as a trainer and workshop moderator on regulatory and compliance subjects.

Vojtech Volf is a senior manager in PwC’s Regulatory, Risk and Compliance department, specialising in ICT compliance with over eight years of experience, including tenure at PwC since 2018. He focuses on IT compliance, PSD2, outsourcing (BPO/Cloud/IT), IT and security risks, privacy, and payment-related matters. Vojtech supports various license application processes for e-money, payment institutions, and IFMs, emphasising IT, data privacy, and operational payment aspects such as payment flows and safeguarding. He has led numerous ICT compliance, risk, and outsourcing projects, including risk assessments, remediation efforts, gap analyses for DORA and CSSF regulations, license acquisitions, and development of ICT compliance tools.