top of page

Understanding the CSSF Circular 21/769 on Teleworking

Updated: Dec 14, 2022

A girl sitting on the carpet working on her pc.png

Teleworking is now gaining ground in most workplaces. This implies the need for guidelines to regulate processes based on teleworking solutions. In this regard, on April 9, the CSSF published Circular 21/769 on Governance and security requirements for Supervised Entities.

The Circular focuses on three purposes:

  • To contribute to prudent management of teleworking.

  • To ensure the proper organization of entities supervised by the CSSF.

  • To ensure the preservation of information security.

Whom does it address?

The Circular is limited to the regulatory requirements of the financial sector. It does not apply to any contractual relationships between supervised entities and their employees. All entities under CSSF supervision in Luxembourg, including abroad branches, and Luxembourg branches of entities based outside the European Economic Area, will be targeted by the Circular's requirements. However, its scope excludes extraordinary scenarios, such as the current pandemic situation, or contexts that require Disaster Recovery or Business Continuity Plan activation. In addition, no CSSF approval will be required to implement, maintain, or extend teleworking solutions for the staff of a supervised entity.

CSSF Circular on teleworking: what are the guidelines?

1. Teleworking

Teleworking is defined as any activity carried out regularly, or on an occasional and voluntary basis, during established working hours and in a different place from the official workplace. The work must be provided using advanced technological solutions, with the approval of the employer.

2. Criteria

The Circular underlines that, unless impediments to regular operations prevent it, all employees can telework, independently of their role.

For teleworking to be considered as such, entities must assess:

  • Legal risks

  • ICT risks

  • Compliance risks

  • Reputational risks

  • Risks associated with labor, tax, corporate, and social security law

  • Risks of the execution of tasks by users involved in confidential execution

  • Data protection risks

Furthermore, entities must ensure:

  • Computer network security

  • Confidentiality and integrity protection

  • Accessibility to data and information systems

The Circular sets out further criteria that define teleworking:

  • A solid central administration in Luxembourg

  • Critical tasks performed continuously by a responsible member of staff on site

  • Limited teleworking time

  • Presence of at least one authorized manager in the corporate office

3. CSSF Monitoring

To evaluate proper implementation, the circular recommends that statistics and operational incidents related to teleworking should be included in the entity's annual reports to be stored and reported to the CSSF.

4. Security Measures

The CSSF lists some additional security measures to guarantee the confidentiality of information used during teleworking:

1. Teleworking security policy and risk awareness

Supervised entities must apply security rules to the ICT system. Similarly, they are obliged to educate their employees about the risks and duties of teleworking, e.g., through training courses.

2. ICT security requirements

The Circular also highlights additional security standards that supervised entities must implement on their ICT systems.

  • Implementation of the "need-to-know" principle and security rules guaranteeing access to internal data and information of the supervised entity.

  • Control over the security of devices used to connect remotely to the ICT system.

  • Essential steps for accessing internal data:

- proper authentication of the remote worker;

- identification of the device used for the remote connection;

- the remote location of the connection;

- the connection time.

  • Connection security.

  • Logging process for successful monitoring of connections.

  • Proper communication chain operation from the remote device to enterprise infrastructure.

  • Technological audit for new security weaknesses.

The CSSF Circular 21/769 will become effective on September 30, 2021. Our IT regulatory specialists can help you ensure these requirements are fully understood and met when implementing or maintaining your telecommuting solutions. Don't hesitate to contact us!

119 views0 comments


bottom of page