Circular 22/806 Outsourcing Arrangements




In 2022, the Commission de Surveillance du Secteur Financier (CSSF) published its Circular 22/806 (“The Circular”) on outsourcing arrangements. The Circular implements the requirements of the European Banking Authority (EBA) on outsourcing arrangements (EBA/GL/2019/02) and consolidates multiple circulars by providing clarity on many concepts applicable to outsourcing arrangements.

What does the new outsourcing framework mean for your firm? What steps should you take to make sure your firm is or remains compliant with Circular 22/806. This training aims at providing participants with an operational understanding of the EBA and CSSF outsourcing requirements.


No prerequisite is required


By the end of the training, participants should understand:

  • What constitutes an outsourcing arrangement?

  • Entities impacted by these new regulations

  • Expected governance of outsourcing arrangements

  • The notification process to CSSF in case of critical or important outsourcing activities

  • The cloud computing outsourcing framework and how to manage it appropriately

  • The criteria for assessing material changes 

  • Differences between EBA and CSSF regulations concerning outsourcing activities.

  • The responsibilities and roles of the outsourcing officer


1. Definitions of key outsourcing arrangement concepts

  • Critical or Important outsourcing activities according to EBA and CSSF

  • Vendor arrangements vs outsourcing

2. Criticality or important outsourcing assessment

  • Criticality assessment methodology

  • Pre-analysis assessment approach

  • Risk Assessment methodology

3. Notification process to CSSF

  • Requirements for outsourcing notifications 

  • Timeframe for notifying 

  • Material changes or Serious event requiring notification

  • Material changes in the context of article 18-20 Circular 22/806 

  • Material changes to new outsourcing arrangements

  • Material changes to existing outsourcing arrangements

4. Cloud computing outsourcing

  • Criteria for determining a cloud computing outsourcing

5. Sub-outsourcing arrangements

  • Cascade chain notion

  • Oversight obligations

6. Outsourcing oversight framework

  • Methodology for developing an outsourcing oversight framework

  • Pre-analysis assessment methodology

  • Risk Assessment framework – review/challenge/approve

  • The roles and responsibilities of various individuals in the framework

  • Intra-Group relationships management

  • Inherent risk, Residual or Target residual risks

  • Importance of conducting regular assessments to evaluate the framework's effectiveness.

  • Responsibilities of the outsourcing officer

Target audience

The course is mainly for control Newly appointed Oversight Officer, Internal control functions, Head of Operations and Senior management responsible for outsourcing activities.


Course Material

The training material will be handed out at the beginning of the course.

Classe virtuelle
A distance
Calculate the itinerary