Governance and operational resilience critical to outsourcing compliance

  • Mar 30

Financial institutions supervised by Luxembourg regulator CSSF have until the end of March to submit data on their contractual arrangements with third-party technology providers to comply with the EU's Digital Operational Resilience Act, with early filing recommended in case errors are detected. L3A has drawn up outsourcing guidelines to facilitate compliance under DORA, guidance developed in collaboration with our colleagues at the Luxembourg Private Equity & Venture Capital Association (LPEA).


In April 2025, the CSSF updated its guidance on outsourcing arrangements, with Circular CSSF 22/806 being amended by CSSF 25/883. Both our and the regulator's guidance publications are aimed at a wide audience, including fund and company administrators, in-house compliance and risk teams, and others involved in the outsourcing decision-making process.


Setting parameters


Any outsourcing arrangement starts with definitions of what is involved: the task and its parameters, followed by building in due diligence requirements to which service providers are subject, risk assessment and contractual considerations, and monitoring and oversight.

These definitions should be documented, including the company's interpretation of regulatory terminology, for which Circular CSSF 22/806 provides a baseline to build from. For consistency, entities not covered by the DORA legislation should apply the same definitions, information and cloud service lists as those that are in scope of the EU legislation.

From those definitions, outsourced functions can be set out in detail, including those that are neither directly business-driven nor regulated, such as human resources and procurement services. The most critical functions are those whose failure or impairment has the biggest impact on operations, compliance, and the financial stability and reputation of the company. Defining what makes each task critical, or otherwise, should also take into account any technology-related impact, as well as the sensitivity of the data involved. Assessment of the critical nature of tasks will also affect how chains of command operate, when and how issues should be escalated, internally and with service providers, and when regulatory bodies should be informed. Operational continuity and data sensitivity are typically viewed as critical aspects.


List, assess and repeat


Listing outsourced functions is not a one-off task; reassessments should take place on a regular basis. Nor should reviews be limited to a specific function or activity. In many cases, a single provider will provide support for multiple functions, while, conversely, multiple entities will use the same provider. In such cases, assessment should also be made at entity level, to ensure all concentration and systemic risks are considered.

Targeted stress tests can highlight likely weaknesses and contagion scenarios, where an outsourcing failure may have operational, financial, regulatory and reputational repercussions.

With so many moving parts, it makes sense to maintain an outsourcing inventory; a detailed list of all outsourcing arrangements, responsible personnel, key contractual terms and the frequency of monitoring for each. Again, distinction should be made between arrangements that are regulatory by nature or business-driven, and those that are not.


Selection process


In service provider selection, due diligence is critical. Reputation counts, so a sweep of digital footprints and other public information is required, along with a search of any enforcement actions by the CSSF or other regulators and legal authorities.

Speaking to providers' other clients and on-site visits will help to draw up in-depth risk assessments, which should be carried out on multiple levels, covering operational, compliance, legal, reputational and concentration risks, as well as IT and information security risks. An exit strategy risk assessment is also advised in the event that the worst happens and services need to be switched to another provider or moved back in-house at short notice.

Full line-by-line recommendations for service level agreements can be found in the full outsourcing guidelines. Contingency plans, detailing responsibilities and lines of communication, including those with regulatory and other authorities, should be spelled out clearly.


Taking responsibility


Managing and overseeing outsourcing relationships carries substantial financial, legal and reputational consequences. A senior manager should always be designated as responsible for outsourcing governance and have the human and financial resources to carry out the task effectively.

As outsourcing invariably crosses different functions, the governance team should comprise team members from different areas of the business. Thought should be given to continuous risk-based monitoring of subcontracting chains, to ensure that all direct service providers, their affiliates and sub-providers are covered.

Happily, many monitoring requirements and assessment of key performance indicators can now be automated. But irrespective of the level of automation, periodic reviews should be held, in addition to those related to specific incidents. Training and communication are also crucial. Senior and operational staff must understand the governance, risk assessment and data protection issues involved, and be regularly updated.

The CSSF circulars set robust audits and reporting as a legal requirement. Outsourcing reviews should also be integrated into standard internal audit cycles and compliance monitoring. Existing internal audit frameworks and checklists can be used as a starting point for self-assessment questionnaires sent to service providers.


Exit strategy


Nobody wants to have to initiate an exit strategy, but planning for such eventualities should help smooth the termination of any service provision should the need arise. The aim, as always, is to preserve operational resilience and minimise disruption to daily operations. Also vital is the designation of an exit 'owner' and clear definition of what might trigger such an event, including insolvency, significant regulation enforcement action or repeated breaches of agreed service levels.

The exit strategy may involve moving to a different service provider, bringing functions back in-house, or a mix of the two. Full stress-testing of preferred scenarios and potential alternative service providers is recommended at the planning stage. Resources and finances should be allocated and available for immediate use.

An operational runbook should set out the steps involved in securing, extracting and transferring data and knowledge, blocking access to in-house systems, and determining whether interim manual processes will be needed. Inventories of data types, where they are located and backed up, along with details of who is authorised to access them and how, should be updated regularly. If possible, the exit strategy owner should have alternative providers or in-house options already in mind.


Handling intra-group outsourcing


Intra-group outsourcing is not uncommon, but needs to be handled carefully. The CSSF circular makes clear that it can be a mistake to assume such arrangements are less risky.

To ensure that lines are not blurred by internal structures, personalities or politics, it is vital to have in place a clear and fully understood operating model that details which affiliates are involved, with transparent reporting lines for daily oversight, and escalation procedures. Defined reporting lines ensure accountability and effective communications – and need to be kept up to date on a regular basis. That applies equally to business-driven and regulatory functions, as well as shared resources such as finance functions or, again, human resources.

It is a credit to Luxembourg's ecosystem of service providers and their clients that outsourcing works so well. Incidents are few and far between, given the millions of transactions and processes handled daily in the grand duchy. Good governance and best practice are needed to ensure that such third-party outsourcing arrangements continue to work well in the future.


Article published in March 2026
