The IT outsourcing market in Luxembourg was assessed by KPMG to be around EUR448 million, which represents 30% of the total information and communications technology (ICT) services in Luxembourg (worth EUR1.5 billion). IT outsourcing appears to be one of the most common types of outsourcing activities and continues to increase each year.
The Luxembourg regulatory authority for the financial sector, the Commission de Surveillance du Secteur Financier (CSSF), released a specific cloud circular (Circular 17/654) in 2017 regarding IT outsourcing based on a cloud-computing infrastructure. This was updated in 2019 in light of the release of the revised guidelines on outsourcing arrangements by the European Banking Authority (EBA).
Between 2019 and 2021, the CSSF saw requests for IT outsourcing authorisations increase by 40% and the demand for cloud outsourcing double. As a result, the CSSF abolished the prior authorisation requirement in 2021 and replaced it with a mere notification requirement for the outsourcing of critical or important functions. In 2022, the CSSF adopted a general outsourcing circular (Circular 22/806), which replaced the aforementioned cloud circular.
Furthermore, a survey on IT outsourcing in Luxembourg showed that IT contracts now tend to be implemented for a shorter period of time ‒ ie, usually for a maximum of three years, whereas the standard length for these contracts used to be five or seven years. The survey also showed that the average contract value of IT outsourcing agreements is decreasing, and customers are replacing single-sourcing contracts with multi-sourcing engagements.
It should be pointed out that cybersecurity and data protection are major concerns in the context of IT outsourcing. In 2012, the Luxembourg government issued a National Cybersecurity Strategy ‒ of which the latest version (IV) has been published for the 2021–2025 period.
In connection with the recent increase in outsourcing options permitted in the financial sector, the authors note that there is an increasing belief in, and use of, BPO in this sector. The BPO is mostly targeted at back-office operations, such as IT.
In 2014, the Luxembourg government launched the Digital Lëtzebuerg programme, aiming to establish Luxembourg as a “smart nation” ready to deal with a digital society. In 2015 and 2016, the World Economic Forum awarded Luxembourg the ninth overall ranking in its Global Information Technology Report. In this context, Luxembourg has established a strategic vision for AI that acknowledges the speed at which AI technologies deliver new services, and that has been based on Luxembourg’s ambitions to become a digital front-runner. AI is considered to be the facilitator between data and society’s most valuable products and services. However, data privacy and cybersecurity are of critical importance and increasingly need to be taken into account in the context of outsourcing activities ‒ especially where AI services rely on personal data.
Furthermore, AI could facilitate internal business processes in companies or hospitals, for example. The increasing use of AI by companies can lead to the insourcing of technologies; currently the same services are outsourced. It is part of Luxembourg’s strategic vision to make efforts to connect with relevant AI solutions and to insource technology and service providers from abroad – something that already occurs in the context of financial services.
In this respect, the CSSF released a White Paper at the end of 2018, setting forth AI trends in the financial sector and highlighting detected focal points from a financial regulatory perspective. In 2023, the CSSF launched a survey on the use of AI in the financial sector, which shows a general increase of investments across all the categories of innovative technologies compared with the budget of financial institutions in 2021. The CSSF noted the highest increase for machine-learning technology.
In the field of blockchain and smart contracts, the financial and fund sectors are engaged in proofs of concept ‒ some of them within the relevant professional associations. In 2022, the CSSF adopted a White Paper aimed at guiding professionals in their due diligence processes related to the use of distributed ledger technology and blockchain. On a more general note, the Luxembourg State is also actively looking into the matter and examining which use cases can run on blockchain technology. The State has been a driver for the Infrachain project, which builds a trustworthy infrastructure layer for blockchain applications and is a State-sponsored non-profit organisation involving service, consultancy and law firms (as well as potential blockchain service clients).
IT services, including cloud computing services, can be considered the most commonly outsourced services in Luxembourg. This is the case in the financial sector as well, where it is evident that KYC/KYT (know your customer/know your transaction) is the object of outsourcing, often based on technology-driven solutions.
There are no rules that specifically relate to outsourcing in a general manner ‒ ie, that apply to any type of outsourcing, irrespective of the sector. That being said, for any type of outsourcing, it is strongly recommended to verify the following.
The NIS (network and information systems) legal framework will also have an increasing impact on technology and outsourcing deals made by customers in essential sectors (energy, telecommunications, finance, public sector, etc). Outsourcing is regulated in more detail in some sectors (see 2.2 Industry-Specific Restrictions).
The public sector is, of course, bound by public procurement rules when outsourcing technology and services. There has been a radical change from traditionally choosing exclusive procedures for awarding contracts directly to an approach where contracts are awarded after a fully open tendering procedure (which may also not be adapted in all cases). The authors also note an increasing trend in litigation in this area.
Financial Sector
Outsourcing in the financial sector has traditionally been highly restricted owing to the criminally sanctioned Luxembourg banking secrecy ‒ ie, the obligation for Luxembourg financial institutions and their management and employees to “keep secret any information confided to them in the context of their professional activities or mandate” (Article 41(1) of the Act of 5 April 1993 on the financial sector, as amended (“the Financial Sector Act”) and Article 458 of the Luxembourg Criminal Code).
By means of the recent Luxembourg Act of 27 February 2018 (the “Financial and Insurance Sector Outsourcing Act”), which amended Article 41 of the Financial Sector Act, the outsourcing options have been significantly increased in the sense that any outsourcing (external and intra-group) to non-regulated Luxembourg companies and foreign companies is now also (explicitly) allowed, provided there is a service contract in place and there is acceptance of the clients in accordance with the law or the modalities agreed upon between the parties. Such acceptance should extend to:
Furthermore, the persons having access to confidential information covered by the professional secrecy obligation must be subject to a professional secrecy obligation or be bound by a non-disclosure agreement.
The new rules allow for some flexibility in relation to the prior acceptance of the clients concerned. This may be obtained pursuant to the methods contractually agreed between the parties if there is no specific legal requirement; hence, implied acceptance could – under certain circumstances – be allowed. The new rules give a legal basis to the existing legal theory and position of the CSSF that outsourcing is possible if the clients of the outsourcing financial institutions have consented to the outsourcing and have thus waived the benefit of the professional secrecy.
Stakeholders in the financial sector should pay close attention to provisions in the CSSF Circulars dealing with or having an impact on (IT) outsourcing (collectively, the “CSSF Outsourcing Circulars”), including the following.
Circular 22/806 on outsourcing arrangements (the “Circular”) combines, in one single document, the supervisory requirements on outsourcing arrangements in the financial sector that were previously spread over individual circulars on IT outsourcing. The Circular applies to all:
The Circular also applies to POST Luxembourg. Additionally, for ICT outsourcing, it applies to:
The Circular consists of general supervisory requirements for all outsourcing arrangements in general, as well as of a specific set of additional requirements for IT outsourcing (other than cloud outsourcing) and for cloud outsourcing.
Circular 17/655 updates the outsourcing provisions in Circular 12/552 on central administration, internal governance and risk management that are applicable to credit institutions.
Circular 20/758, as amended by Circular 22/806 on central administration, internal governance and risk management, applies to investment firms.
The above-mentioned CSSF Outsourcing Circulars set out specific requirements for central administration and internal governance that must be met in the event of an outsourcing, such as making sure that the outsourcing:
The authors note that the investment funds space has particular difficulties adapting to this framework, which is relatively new for it.
When financial institutions plan to outsource a critical or important function, they must notify the CSSF at least three months in advance (or one month when reporting to a Luxembourg-regulated support PFS). Furthermore, specific conditions apply to outsourcing arrangements relating to internal control functions and to financial and accounting functions.
By adopting Circular 22/806, the CSSF has integrated the 2019 EBA Guidelines on outsourcing arrangements into its administrative practice.
The CSSF is actively creating awareness around the imminent entry into force of the EU Digital Operational Resilience Act (DORA) on 17 January 2025, addressing the management, detection and remediation of ICT risks in the financial sector at large (including fund management and insurance). This new piece of legislation also contains important rules on the relation between financial sector players and third-party ICT service providers (ICT services being a broader concept than IT outsourcing). Furthermore, the Luxembourg legislature adopted the Law of 1 July 2024 to supplement DORA (the “DORA Law)” by (among other things) providing the CSSF with the powers to supervise the financial sector regarding compliance with DORA.
Finally, for reasons of completeness, it is important to point out that companies in the financial sector must also comply with Directive 2014/65/EU of 15 May 2014 (MiFID II), as amended, and its Luxembourg implementation law of 30 May 2018, as amended, when outsourcing call-recording.
Insurance Sector
A similar, criminally sanctioned, professional secrecy obligation exists for insurance companies, under Article 300 of the Luxembourg Act of 7 December 2015 on the insurance sector, as amended (the “Insurance Sector Act”) and Article 458 of the Luxembourg Criminal Code. The Financial and Insurance Sector Outsourcing Act foresees a similar enlargement of the exceptions to the professional secrecy obligation for insurance companies.
In August 2021, the Commissariat aux Assurances (CAA) adopted Circular LC 21/15, which contains requirements for outsourcing to cloud service providers. In August 2022, the CAA adopted Circular LC 22/16, which contains requirements for the outsourcing of critical or important functions. Both circulars include a notification requirement in relation to envisaged outsourcing arrangements, as well as obligations in relation to professional secrecy and risk assessments to be carried out.
The insurance sector will also be impacted by DORA, and the DORA Law also aims to provide the CAA with the powers to supervise the sector in this regard.
Firstly, to the extent that the outsourcing results in the processing of personal data (ie, any information relating to an identified or identifiable natural person) by the outsourcee, the GDPR will come into play, and a contract must be entered into between the data controller (typically the outsourcing party) and the data processor (typically the outsourcee). This contract must contain a mandatory set of clauses (Article 28 of the GDPR), including a clause that requires the processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Article 32 of the GDPR. Measures should, as appropriate, include:
In this context, it is commendable to adhere to the norms of the ISO27000 family.
Where outsourcing implies a transfer of personal data outside the EU/EEA to a country that is not deemed by the EC to offer an adequate level of protection, the third-country transfer will be prohibited in principle, unless adequate safeguards are provided (Articles 44–50 of the GDPR). These include:
A number of exceptions can also be relied on to justify a third-country transfer, including (without limitation):
Secondly, Circular 22/806 contains specific requirements on data processing and security in respect of outsourcing in the financial sector, in particular. The outsourcing contract must contain a set of mandatory clauses concerning data processing and security, such as:
Furthermore, the outsourcing entity must adopt a risk-based approach to data storage, data-processing locations and information security considerations.
More generally, CSSF Circular 20/750 implements the EBA guidelines on ICT and security risk management (EBA/GL/2019/04) and extends its personal scope to all regulated financial sector professionals and payment service providers. These ICT requirements must also be complied with downstream along the whole ICT service and outsourcing chain.
Circular CSSF 24/847 on the ICT-related incident-reporting framework replaced the former CSSF Circular 11/504 on frauds and incidents due to external computer attacks of 11 March 2011, and is accompanied by a Q&A (clarifying certain aspects of this new circular) and a user’s guide to the notification form (limited to practical steps for filing a notification). The main aspect of this new circular is a broader scope of application covering any ICT-related incident, to align with the rules found under DORA. CSSF Circular 21/787, which transposes the requirements of the EBA guidelines on major incident reporting under the revised Payment Services Directive (PSD2), requires all payment service providers to report major operational or security incidents to the CSSF without undue delay.
For completeness, it must be pointed out that, in respect of operators of so-called essential services (eg, digital infrastructure providers, credit institutions and entities active in the transport, health and energy sectors), the Luxembourg NIS Act of 28 May 2019 (the “NIS Act”), implementing EU NIS Directive 2016/1148 on the Security of Network and Information Systems, sets out requirements in terms of security measures (for preventing risk, ensuring security of network and information systems, and handling incidents) and mandatory notification of serious incidents to the relevant authorities. EU NIS 2 Directive 2022/2555 will revamp this regulatory framework and will increase the sectors that must apply it. This framework must be implemented in Luxembourg by 17 October 2024, and a relevant bill of law (No 8364) is currently under consideration before the Luxembourg Parliament.
There is currently no standard supplier-customer model in the jurisdiction of Luxembourg. However, for outsourcing agreements in the financial sector, cloud service providers tend to use standardised templates of addenda for outsourcing agreements in order to comply with the CSSF and EBA outsourcing requirements (especially when it comes to the granting of extra audit rights).
Currently, the EC is looking into the issue of SCCs for cloud outsourcing by financial institutions, but it will probably be some years before there is a final draft in this respect. SCCs may also emerge under other regulatory frameworks for the financial sector, such as DORA.
The following outsourcing contract models are typically used in Luxembourg as an alternative to the conclusion of a service contract with a third party.
Service Contract With a Subsidiary
Here the customer is part of a group of companies, and outsources certain activities to one of the subsidiaries or one of the other group entities that already exists or is specifically set up for this purpose.
Advantages
The advantages of this contract model are:
Disadvantages
The disadvantages of this contract model are:
Joint Venture or Partnership
Here the customer sets up a joint venture or partnership with the supplier for the outsourced activity.
Advantages
The advantages of this contract model are:
Disadvantages
The disadvantages of this contract model are:
Build-Operate-Transfer Structure
This structure is a mixture of the above-mentioned structures. The third-party service provider, an independent contractor, initially establishes a dedicated team to build a service and starts operating it before transferring the service to the customer.
The advantage of this contract model is quick implementation. The cost and possible complicated transition process are its disadvantages.
Outsourcing transactions have become increasingly common in the IT context and as part of digital transformation. However, digital transformation has had no particular effect on the contract models used for outsourcing transactions in Luxembourg. The emergence of some standardisation is not driven by digital transformation as such but, rather, by the applicable legal framework (GDPR, DORA, etc).
Most technology transactions and outsourcing arrangements include the following provisions to protect the customer:
Regulatory changes in some sectors also drive the acceptance of certain types of contractual arrangements. In the financial sector, Circular 22/806 includes several requirements that aim to protect the customers of outsourcing services, such as:
Furthermore, based on general Luxembourg contract law, the customer could:
The customer can rely on the remedies that are available under general Luxembourg contract law. In the event of breach of contract by the supplier, the customer can be entitled to terminate the contract and seek damages before the competent court. The supplier will only be able to escape from damages if the supplier acted in good faith and is able to prove that the non-performance was due to an external cause or if the supplier validly limited or excluded its liability in the contract. Under Luxembourg liability law, limitation or exclusion of liability clauses are valid to the extent that they:
A large proportion of financial sector customers must be able to benefit from extended and more detailed rights in the case of termination (see 4.1 Customer Protections).
The concept of “indirect damages” is a common law rather than a continental law notion. In principle, under Luxembourg liability law, only direct damages are awarded. However, Luxembourg judges tend to interpret the notion of direct damages broadly, so it may also include damages that are typically considered as “indirect damages” in other jurisdictions (and especially in Anglo-Saxon jurisdictions). As a result, from a contractual point of view, the following is useful:
It is market practice in Luxembourg to contractually exclude liability for indirect damages and to stipulate that loss of profit, goodwill and business qualify as indirect damages. Furthermore, there is an increasing tendency for suppliers to contractually qualify “loss of data” as indirect damages. However, depending on the type of services/products that the supplier renders, this exclusion of liability may be rejected by Luxembourg judges. As mentioned in 4.2 Termination, under Luxembourg law, limitation or exclusion of liability clauses are only valid to the extent that they (among other things) do not erode the effects of the contract nor tarnish one of its essential obligations ‒ meaning that they do not deprive the contract of its essence.
Pursuant to Article 1134 of the Luxembourg Civil Code, all contracts need to be executed in good faith. The parties to an outsourcing contract have a duty to act in accordance with good faith and fair dealing throughout the entire duration of the contract. Based on this requirement of acting in good faith, courts can impose certain obligations on a contract party in order to ensure or restore a certain balance in the contractual relationship, or to provide certain information. Courts can also make use of the concept to neutralise the unfair exercising of a contractual right by one of the parties. The good faith requirement also includes an implicit obligation for parties to collaborate and, in many cases, an increased information obligation for the service provider.
Given that outsourcing contracts are bilateral contracts and thus contain reciprocal obligations, each contracting party may – under certain circumstances ‒ have the right to withhold performance of their obligations until the debtor has performed their obligations, without judicial intervention. This right does not need to be included in the contract for the creditor to be entitled to it. That being said, the contracting parties are nonetheless free to exclude this right in their outsourcing contract.
Being bilateral contracts, all outsourcing contracts also contain a tacit dissolution clause based on Article 1184 of the Luxembourg Civil Code, pursuant to which the creditor of a non-executed or inadequately executed obligation can bring an action to the court for the dissolution of the outsourcing contract. However, the contracting parties may agree on the situations under which the parties can terminate the agreement without judicial intervention.
Please note that there is, in principle, no implied or default warranty regime for most types of outsourced services unless the services result in a product (including some types of standardised or off-the-shelf software) ‒ in which case, the default rules foreseeing a warranty for hidden defects within the meaning of Article 1641 of the Civil Code could potentially apply.
This is a rapidly moving area, given that technology risks and the types of incident threats change all the time.
As the GDPR is one of the most horizontal frameworks with an impact on the adequate security measures to be adopted, there is an increasing trend of following the security measures advanced by data protection regulators, and given that those measures must take into account the state of the technology, general standardisation frameworks such as the ISO 27k standards are gaining in importance. The whole discussion around compliance with the GDPR provisions on international data transfers sparked a renewed interest in enhanced encryption solutions.
The significant widening of the scope of the NIS regulatory framework and sectoral requirements, such as those laid down for the financial sector (DORA, EBA guidelines, etc), will also have a positive spill-over effect on other sectors in terms of the emergence and adoption of best practices. By way of example, multi-factor authentication ‒ which is, in principle, compulsory for payment services under the payment service regulatory framework (PSD) ‒ seems to be an increasingly widespread requirement.
The assurance of business continuity remains traditionally an (underestimated) responsibility for the customer. However, and again under the impulse of the specific regulatory framework for the financial sector, customers are more and more sensitive to back-up, contingency and exit planning. In a cloud context, financial sector requirements not only require assurance of contingency within the same cloud environment but also require thinking about an exit strategy in the event of problems with the existing cloud solution, so as to ensure a proper transition to another cloud provider or even an on-premises solution.
More and more agreements (again, among other things, because of regulatory requirements in the financial sector in this respect) include KPIs in the SLA ‒ the problem being how to monitor the compliance with those KPIs. However, many cloud service providers foresee tools for the monitoring of KPI values in SLAs.
Generally speaking, the deployment of cloud solutions increases the risk of the transfer of personal data to non-EU/EEA countries. This adds a layer of regulatory complexity, which needs to be addressed in the contract terms.
When relying on cloud-based IT outsourcing, the CSSF has extra requirements for Luxembourg financial sector professionals (eg, the appointment of a cloud officer). There are also extra requirements for the contract terms ‒ in principle:
Employee transfers/usage for outsourcing should comply with the rules on transfer of undertakings and the illegal lending of workers.
Transfer of Undertakings
Article L 127-1 et seq of the Luxembourg Labour Code, based on EU Directive 2001/23/EC of 12 March 2001, applies to employee transfers when the outsourcing qualifies as a transfer of undertakings. The law defines a transfer of undertakings as the transfer of an economic entity – whereby it retains its own identity and thus organisational autonomy after the transfer – that consists of an organised grouping of resources (especially in terms of personnel or materials and equipment), with the objective of pursuing an essential or auxiliary economic activity.
Luxembourg and EU case law interprets the concept of transfer of undertakings rather broadly. Whether or not a transfer qualifies as a transfer of undertakings is to be decided by a judge based on the factual circumstances on a case-by-case basis.
The following elements can be taken into account when evaluating whether the conditions of a transfer of undertakings are met:
In general terms, the main principles applying to the transfer of undertakings are the following:
Illegal Lending of Workers
In accordance with Article L 133 of the Luxembourg Labour Code, the lending of workers to a third party that exercises hierarchical authority over such worker is prohibited, save for staff provided by an authorised temporary staffing agency and exceptional circumstances (subject to ministerial approval).
In the event of illegal lending of workers, the consequences shall be the following:
If the outsourcing leads to a transfer of undertakings in the sense of Article L 127-1 et seq of the Luxembourg Labour Code, both the former and new employer will need to fulfil certain information and consultation obligations towards the legal representatives of their employees before the actual transfer takes place. This includes:
In the absence of employee representation (trade union or workers’ council), the law requires that the employees themselves be provided with specific preliminary and written information. The transferor must also notify the transferee of all the rights and obligations that will be transferred to the transferee, and must submit a copy of this notification to the Luxembourg Labour and Mines Inspectorate (Inspection du Travail et des Mines).
Generally speaking, the demand for offshore outsourcing remains strong, particularly in the financial sector. However, taking into account the geopolitical situation and the regulatory requirements (especially those stemming from the GDPR on international data transfers after the seminal Schrems II judgment), there is a movement towards nearshoring. When it comes to cloud-based solutions, in particular, there is a tendency towards EU/EEA ring-fenced solutions (eg, the Microsoft EU Boundaries initiative) and sovereign cloud initiatives.
Remote working in Luxembourg raises significant tax and social security issues in Luxembourg, with a major part of the workforce (especially in support and back-office functions) being resident in neighbouring countries that impose strict quotas ‒ above which, personnel will be considered to be tax- and social security-resident in those countries. Besides that, remote working raises challenges in terms of IT organisation and risk management. The CSSF has laid down some requirements in this respect in its Circular CSSF 21/769 on teleworking. Remote working also requires the integration of a compulsory remote-working policy and arrangement in the terms of employment.
2 rue Jean Bertholet
L-1233
Luxembourg
+35 2261 2291
+35 226 122 990
ndlux@nautadutilh.com www.nautadutilh.com/en