CSSF Circular 22/806

What is CSSF Circular 22/806?

Circular CSSF 22/806 was published by the Commission de Surveillance du Secteur Financier (CSSF) — Luxembourg’s financial regulator — and entered into force on June 30, 2022. It provides detailed guidance on outsourcing arrangements, including cloud computing, for financial institutions under CSSF supervision.

It aligns with EBA/GL/2019/02 (the European Banking Authority’s guidelines on outsourcing) and strengthens the governance, risk management, and contractual requirements for critical or important outsourcing relationships.


Who Must Comply?

This Circular applies to CSSF-supervised entities, including:

  • Banks

  • Investment firms

  • Payment institutions

  • Electronic money institutions

  • Professionals of the financial sector (PFS)

  • Management companies (UCITS, AIFMs)

While Aginion is not itself regulated by the CSSF, many of our clients are — and we support them in achieving compliance with 22/806 when they outsource IT services or cloud infrastructure to us.


Key Requirements of CSSF 22/806

Here’s a simplified overview of what the Circular requires when a regulated entity outsources IT or cloud services:

Area: Summary of Requirements

Governance & Risk: Maintain a register of outsourcing arrangements, conduct risk assessments, and involve senior management.

Due Diligence: Evaluate the service provider’s ability to deliver the service securely and reliably.

Contractual Clauses: Include detailed clauses on data protection, audit rights, subcontracting, service levels, termination, and more.

Security & Confidentiality: Ensure strong controls around access, encryption, and data segregation.

Business Continuity (BCP): Define recovery plans, test them regularly, and ensure continuity in case of provider failure.

Location & Data Transfers: Be transparent about where data is stored and processed — and respect GDPR/EU data transfer rules.

Exit Strategies: Ensure smooth and secure exit/migration procedures are in place.

Audit & Supervision: Ensure the CSSF retains audit and access rights, directly or via the regulated entity.

The regulation places significant responsibility on the regulated entity, even if a third-party MSP or cloud provider is involved.


How We Help Our Customers Comply with 22/806

At Aginion, we understand the compliance burden our customers face. While we are not subject to 22/806 directly, we align our practices, contracts, and technical measures to help you meet your obligations.

Here’s how we support you:

CSSF 22/806 Requirement: How Aginion Supports You

Outsourcing Register: We provide detailed documentation about the scope, location, and criticality of all services we deliver.

Risk & Impact Assessments: We assist in preparing supplier due diligence and help assess the risk profile of outsourced ICT services.

Data Sovereignty: All customer data is hosted in Luxembourg or Germany, under EU jurisdiction only. US cloud infrastructure is avoided unless explicitly requested.

Contractual Safeguards: Our contracts (MSA, SoW, DPA) include the required clauses:

  • Audit and access rights

  • Subprocessor transparency and approval

  • Data location guarantees

  • Exit and transition planning

Security and Access Controls: We implement ISO 27001-aligned controls:

  • Encryption at rest and in transit

  • Role-based access control (RBAC) and MFA

  • Secure remote access and VPN

  • Logging, alerting, and retention of security events

BCP/DR Testing: We maintain and test disaster recovery plans, perform regular failover drills, and make documentation available for audits.

Exit Planning Support: Upon termination, we offer full support for:

  • Secure data handover

  • System transition planning

  • Certified data deletion

Audit & Regulator Readiness: We support customer teams with:

  • Service documentation packs

  • Supplier risk summaries

  • Templates and guidance for CSSF inspections

We can also interface directly with your legal, compliance, or audit teams to help justify how outsourcing arrangements with us meet the CSSF’s expectations.


In Summary

CSSF Circular 22/806 sets strict rules for how financial institutions must manage outsourcing — especially when it involves cloud services or critical IT providers. While Aginion is not itself CSSF-regulated, we fully support our customers in:

  • Documenting and classifying outsourcing relationships

  • Building compliant contracts and clauses

  • Meeting technical, legal, and security requirements

  • Preparing for CSSF audits

Looking to outsource IT or Private Cloud services and stay compliant with 22/806? Get in touch — we’re happy to help.