IT Consulting

In today's digital landscape, businesses face unprecedented challenges when it comes to safeguarding their sensitive information. The threat landscape is evolving rapidly, and regulatory requirements are becoming increasingly stringent. 

At BDO, we understand the critical importance of protecting your organisation's digital assets and ensuring compliance with industry regulations. Our team of highly skilled professionals specialises in providing comprehensive ICT Security & Compliance solutions tailored to meet the unique needs of your business. We provide you with expertise and guidance to support you in your compliance journey by helping you navigate the regulatory challenge through:

  1. Luxembourg Regulations
  2. EU Regulations
  3. SWIFT Customer Security Program

1. Luxembourg Regulations

IT Governance

Circular CSSF 20/750 (as amended by Circular CSSF 22/828): Requirements regarding information and communication technology (ICT) and security risk management

  • Entities in scope: Credit Institutions, DRSP, Investment firms, Payment institutions / Electronic money institutions / AISP, Specialised PFS, Support PFS.
  • The main purpose of this circular is to implement the requirements regarding information and communication technology (ICT) and security risk management, which are organised in 6 main domains. We support you with:

  • ICT and security risk assessment: A gap assessment against the regulatory requirements outlined in Circular CSSF 20/750.
  • Optimised IT Governance framework: Based on the gaps identified during the assessment, we help you address the remediation and support you in building a robust IT risk management framework.
  • Awareness Training: We help you navigate the IT regulatory challenge by providing tailored training across all levels of the organisation.
  • Constant Communication and Support: Offering ongoing communication, help, and support so that financial institutions have a reliable and engaged consulting partner to assist with their IT compliance needs.

IT Outsourcing

Circular CSSF 22/806 on outsourcing arrangements

Entities in scope:

AIFMs, CSDs, credit institutions, DRSP, E-money institutions, SICAR, investment firms, Management Companies – Chapter 15, Payment institutions, Pension Funds, Securitisation undertakings, SIF, Specialised PFS, Support PFS, UCI, UCITS

The main purpose of this circular is to:

  • Implement the requirements of the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), which aim to provide a transparent, homogeneous and harmonised national framework for outsourcing arrangements. It also gathers the requirements for outsourcing arrangements relating to ICT, whether traditional IT outsourcing or cloud-based IT outsourcing.

Circular CAA 21/15 on Cloud Outsourcing

Entities in scope:

Insurance & Reinsurance Companies

In the context of circular letter 20/13, in which the Commissariat aux Assurances informed the insurance and reinsurance companies subject to its supervision that it would fully apply the "Guidance on outsourcing to cloud service providers", circular 21/15 is intended to take up that set of guidelines and to integrate certain additional CAA requirements.

Circular CAA 22/16 on Traditional Outsourcing

Entities in scope:

Insurance & Reinsurance Companies

Luxembourg insurance and reinsurance companies are required to inform the CAA of their intention to outsource important operational activities or functions, or the compliance, internal audit or actuarial functions (deemed critical), as well as of any subsequent significant developments concerning these functions or activities. The purpose of this circular is to specify the CAA's requirements regarding the outsourcing of important or critical operational activities or functions, and their notification to the CAA.

  • Risk Management and Due Diligence: We provide you with expertise in assessing and managing the risks associated with outsourcing arrangements, including due diligence on third-party service providers.
  • Policy and Procedure Development: We support you in creating and refining policies and procedures related to outsourcing, ensuring they adhere to the circular's requirements.
  • Compliance Assessment and Gap Analysis: We conduct a comprehensive review of existing outsourcing arrangements to ensure alignment with each specific requirement.
  • Outsourcing Development Strategy: We assist you in formulating a strategic approach to outsourcing that complies with the circular's supervisory expectations and harmonised framework including but not limited to:
    • Materiality assessment / impact assessment
    • Outsourcing risk assessment framework
    • IT oversight framework

2. EU Regulations

DORA: Digital Operational Resilience Act

  • In 2020, the European Commission introduced the Digital Operational Resilience Act (DORA) to unify and enhance cybersecurity for financial entities and ICT service providers in the EU, supporting the region's digital finance strategy and empowering the European Supervisory Authorities (ESAs) to carry out effective oversight.
  • On December 27, 2022, DORA was officially published, establishing consistent rules for the digital resilience of regulated financial entities and creating an oversight framework for critical ICT third-party providers (CTPPs).
  • The finalised DORA came into effect on January 16, 2023, initiating a 24-month implementation period for entities to comply with its requirements. In 2024, alongside DORA, entities must track the additional Regulatory Technical Standards (RTS) released by the ESAs. Entities are to comply with the regulation by January 17, 2025. The Regulation aims to unify guidelines on digital resilience in the financial sector across EU Member States. It seeks to bolster security measures, diminishing the threats and risks associated with ICT use, while reinforcing operational resilience against ICT-related incidents.

    These goals are achieved through requirements outlined in five primary pillars:

    • ICT risk management
    • ICT-related incident management, including payment-related incidents
    • Digital operational resilience testing
    • Management of ICT third-party risks and oversight of critical ICT third-party service providers
    • Information and intelligence sharing

NIS2: Network & Information Systems Directive 2022/0383

NIS2, or the Network and Information Security Directive 2, is a European Union legislative framework aimed at enhancing cybersecurity across the EU. It builds upon the original NIS Directive (2016) and seeks to address emerging cyber threats and improve the resilience of critical infrastructure. NIS2 expands the scope to include more sectors, such as healthcare, digital infrastructure, and public administration, while imposing stricter security and reporting requirements. It aims to foster greater cooperation between EU member states and to establish more consistent and effective cybersecurity measures across the Union. The directive mandates that companies implement robust security measures, report incidents promptly, and undergo regular assessments to ensure compliance.

Its main goals are:

  1. Setting the bar for cyber security measures in critical industries for modern-day society through a significant expansion of the organisations in scope compared to NIS1
  2. Ensuring that the cyber security posture across the different EU member states and national governments significantly improves
  3. Strengthening EU cooperation between the different cyber authorities

PSD2: Payment Services Directive

PSD2 is a game-changer in the financial sector, aimed at promoting competition, innovation, and enhancing consumer protection. It requires banks and other financial institutions to open up their payment infrastructure to third-party providers (TPPs) through Application Programming Interfaces (APIs). This means that customers can now securely share their financial data with authorised TPPs to access a range of innovative services, such as payment initiation, account aggregation, and personalised financial advice.

PSD3/PSR: Payment Services Directive/Payment Services Regulation

The Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR) are upcoming legislative frameworks by the European Union aimed at enhancing the payment services landscape.

The primary objectives include:

  1. Enhanced Consumer Protection: Strengthening safeguards to protect consumers from fraud and abuse in payment transactions
  2. Increased Competition: Encouraging competition by fostering innovation and removing barriers to entry for new market players
  3. Improved Security: Enhancing the security of payment transactions through stricter authentication and fraud prevention measures
  4. Transparency and Efficiency: Ensuring greater transparency in payment services and reducing costs for consumers and businesses
  5. Harmonisation: Aligning regulatory standards across EU member states to create a more cohesive and efficient payments market
  6. Innovation Support: Facilitating the development and adoption of new payment technologies and services

The Network and Information Security (NIS) Directive and the Digital Operational Resilience Act (DORA) are regulatory measures aimed at enhancing the digital resilience of the European Union (EU) and mitigating the impact of cyber incidents. To ensure a harmonious implementation, the European Commission has issued Guidelines clarifying the exemption of entities to which sector-specific legal acts apply from the NIS2 Directive. These Guidelines explicitly state that DORA has priority over NIS2 provisions on ICT risk management, cyber incident reporting, digital operational resilience testing, information-sharing, ICT third-party risk, supervision, and enforcement.

DORA incorporates a provision known as "lex specialis", granting it priority over the NIS2 Directive, which is considered the general law. This provision ensures that if there are any conflicts or overlaps between the two legal acts, DORA takes precedence. The "lex specialis" provision in DORA helps to avoid confusion and ambiguity in the regulatory landscape.

This clarification provides additional clarity on the exemption of the banking sector from the NIS2 Directive. Financial entities covered by DORA should adhere to its provisions instead of those outlined in the NIS2 Directive.

DORA: Digital Operational Resilience Act

  • DORA introduces clear and well-defined guidelines, offering the above regulated entities an opportunity to showcase their digital maturity. While some sectors, like banking, will primarily focus on updating existing measures, others, such as Investment Management, face more intensive implementation efforts.
    • BDO will support you through a readiness assessment, which is crucial for guiding entities in tailoring action plans for compliance.
    • Beyond the readiness assessment, we support you in implementing a robust framework that addresses any identified gaps.

PSD2: Payment Services Directive

  • At BDO, we specialise in providing comprehensive PSD2 compliance solutions tailored to meet the unique needs of our clients. Our team of experienced consultants possesses in-depth knowledge of the regulatory landscape and the technical expertise required to ensure a smooth implementation process. Here's how we can assist you:
    • Regulatory Guidance: We stay up to date with the latest PSD2 requirements and can provide you with clear and practical guidance on how to align your business operations with the regulation. Our experts will help you understand the specific obligations, such as strong customer authentication (SCA), secure communication channels, and access to account information, ensuring you remain compliant at all times.
    • Security and Risk Management: PSD2 introduces significant security and risk management considerations. We can conduct comprehensive risk assessments, identify vulnerabilities, and develop tailored security strategies to mitigate potential threats. Our goal is to help you build a secure environment that safeguards your customers' data and protects your business from unauthorised access or fraudulent activities.
    • Ongoing Compliance Support: PSD2 compliance is not a one-time effort; it requires continuous monitoring and adaptation to evolving regulatory demands. Our team provides ongoing compliance support, keeping you informed about any changes in the regulatory landscape and assisting you in maintaining a compliant and competitive position within the market.

3. SWIFT CSP

SWIFT CSP: Customer Security Programme

The SWIFT CSP Independent Attestation is a process that involves an independent assessment of a financial institution's compliance with the security controls outlined in the SWIFT Customer Security Programme (CSP). The CSP is a framework designed to enhance the security and resilience of the global banking system.

Financial institutions are required to implement a mandatory set of security controls as established by the CSP. These controls serve as a baseline for the entire SWIFT community and are aimed at reinforcing the security of the global banking system.

By undergoing the SWIFT CSP Independent Attestation, financial institutions can better manage counterparty risk and implement additional protective measures for their core payment systems. It also helps enhance the effectiveness and reliability of assessments, ensuring that the security controls are consistently met across the SWIFT community.

  • At BDO, we assist clients throughout the SWIFT CSP Independent Attestation process. Our experienced consultants provide guidance on understanding the CSP controls, conduct gap analyses to identify areas of non-compliance, and support you in implementing the improvements necessary to meet the requirements.
  • We also assist in preparing the documentation and reports required for the attestation, ensuring that all relevant information is properly documented and presented.

Our goal is to support clients in achieving compliance with the SWIFT CSP controls, strengthening their cybersecurity posture, and ensuring the security and resilience of their financial operations.