Further legal and regulatory developments
CSSF extends reporting framework for ICT-related incidents
On 5 January 2024, in response to the evolving landscape of information and communication technology (“ICT”) risks and the interconnected nature of the global financial system, the CSSF published its Circular CSSF 24/847 introducing a new ICT-related incident reporting framework (the “Circular”) as well as the CSSF Regulation No 24-01 relating to the notification of incidents concerning measures for a high common level of security of network and information systems across the European Union (the “Regulation No 24-01”).
The Circular aims to provide a structured overview of ICT-related incidents, their frequency, significance, and impact, aligning with regulatory provisions outlined in various financial sector laws and strengthening the resilience of financial institutions in the face of evolving cybersecurity threats.
The scope of the Circular encompasses, inter alia, all supervised entities, in particular credit institutions and professionals of the financial sector, management companies and investment companies which did not designate a management company subject to the UCITS Law, AIFMs and internally managed AIFs subject to the AIFM Law (“Supervised Entities”).
The new incident reporting framework introduces several significant changes:
- Expanded incident coverage: The new legal framework extends beyond fraud and external computer attacks in the former CSSF Circular 11/504 to encompass a broader spectrum of ICT operational and security incidents. This expansion enhances risk awareness and management.
- Classification-based reporting: Supervised Entities must now categorise ICT-related incidents according to specific criteria. Major or significant incidents necessitate reporting to the CSSF, enabling targeted responses to critical issues.
- Structured reporting forms: A standardised ICT-related incident notification form is required for major or significant incidents. This structured approach facilitates efficient information sharing and analysis among Supervised Entities and regulatory bodies.
- Incorporation of NIS Law requirements: The incident reporting framework incorporates requirements outlined in the law of 28 May 2019 on Network and Information Systems (“NIS Law”) and Regulation No 24-01. This alignment ensures consistency and compliance across regulatory obligations, covering incident classification, notification procedures, and compliance measures for those Supervised Entities that are subject to the NIS Law.
Fortifying financial futures - ESAs' standards for digital resilience under DORA
On 17 January 2024, ESMA published the ESAs' release of the first set of finalised technical standards under the Digital Operational Resilience Act, Regulation (EU) 2022/2554 (“DORA”), to strengthen the digital operational resilience of the EU financial sector. These regulatory technical standards (RTS) focus on enhancing information and communication technology (“ICT”) frameworks and third-party risk management, as well as improving incident reporting protocols.
The joint final draft technical standards include the following:
- Harmonisation of ICT risk management: The RTS outline essential components for financial entities' ICT risk management tools, including mandated policies and procedures such as ICT risk management, asset management, encryption, security operations, and vulnerability management. Additionally, they offer simplified frameworks for smaller entities exempted under Directive (EU) 2015/2366.
- Classification criteria for ICT incidents: DORA aims to standardise incident reporting across EU financial entities. The RTS introduce seven criteria to determine "major ICT-related incidents," with emphasis on critical service impact. Following consultation feedback, all criteria are now treated equally, ensuring clarity and simplicity.
- Policy content for critical ICT services: Financial entities must adhere to specific steps when contracting ICT Third-Party Providers (TPPs) for critical functions. The RTS outline governance, risk management, and internal control frameworks to maintain operational control, information security, and business continuity throughout contractual lifecycles.
- Information register templates: Detailed templates provided by the implementing technical standards (ITS) guide financial entities in maintaining and updating contractual information with ICT TPPs. Following public feedback, templates are streamlined and reduced, with a single set defined for both entities and (sub)consolidated levels. The register includes information on direct ICT TPPs and their subcontractors, particularly when supporting critical functions.
CSSF imposes administrative sanction on a registered AIFM for non-compliance with the AuM thresholds
As part of its prudential supervision role, the CSSF conducts regular examinations to ensure financial entities adhere to established regulations. In the case at hand, the CSSF scrutinised the information provided by a registered AIFM. On 24 January 2024, the CSSF issued a communication regarding the imposition of a fine on said registered AIFM due to non-compliance with the registration conditions, taking into account the severity and duration of the infringement in accordance with Article 51(2) of the AIFM Law.
As a derogation from the authorisation regime, Luxembourg entities qualifying as ‘below-threshold AIFMs’ under Article 3(3) of the AIFM Law, i.e., AIFMs managing AIFs whose assets under management (AuM) do not in total exceed the thresholds outlined in Article 3(2) of the AIFM Law (i.e., EUR 100 million if assets are acquired through use of leverage, or EUR 500 million if assets are acquired without any leverage and no redemption rights are exercisable during a period of five (5) years following the date of initial investment in each AIF), are subject to the registration regime (the “Registered AIFMs”).
Registered AIFMs do not benefit from any of the rights granted under the AIFM Law unless they choose to opt in under this law, whereby the AIFM Law becomes applicable in its entirety.
It is emphasised that Registered AIFMs must ensure that the information provided in the initial registration application remains up-to-date.
Where the conditions are no longer met on a permanent basis (i.e., for more than three months), Registered AIFMs must promptly notify the CSSF of the threshold overrun (and in any event no later than thirty (30) calendar days from when the AuM were first identified as being in breach) and file an application for a fully authorised AIFM status within the same timeline. Non-compliance with the aforementioned requirements will lead to administrative sanctions.
CSSF Circular 24/853 introduces new rules for investment firms and their approved statutory auditors
On 6 February 2024, the CSSF published Circular CSSF 24/853 on the long form report focusing on practical rules concerning the self-assessment questionnaire to be submitted by investment firms and the mission and related reports of their approved statutory auditors.
The CSSF introduces the revised long form report (“LFR”). The LFR will be digital, in line with the CSSF's digital strategy, and emphasises proportionality, requiring investment firms to provide relevant information based on their business model while minimising redundancies with existing reports.
The LFR should include the following documents:
- a Self-Assessment Questionnaire (the “SAQ”), to be completed on a yearly basis by investment firms with relevant and precise information in digital form with respect to governance and MiFID II topics;
- in addition, investment firms will be required to mandate in writing their approved statutory auditors to prepare the following reports once a year:
  - the agreed-upon procedures (the “AUP”) report. The annual AUP report should focus on specific MiFID II aspects each year, while the three-year cycle ensures that all relevant MiFID II areas are covered within that timeframe;
  - the MiFID II report, a copy of which will be provided to the CSSF; and
  - the AML/CFT report, including a description of the AML/CFT policy, an assessment of the investment firm's analysis of the AML/CFT risks to which the investment firm is exposed, a statement as to whether an audit of compliance with the investment firm's AML/CFT policy has been performed by the internal audit function, and a verification of the AML/CFT training and awareness-raising measures for employees.
As from the financial year ending after 31 December 2023, all investment firms will be subject to the revised LFR.
ESMA issues warning on social media investment recommendations
On 22 February 2024, the CSSF revised questions 1 and 2 of its CSSF FAQ on virtual assets – undertakings for collective investment, clarifying that only AIFs and UCIs whose units are exclusively marketed to well-informed investors may invest directly or indirectly in virtual assets.
Additionally, investment managers must assess the impact of virtual assets on the risk profile of the investment funds and ensure transparent and timely communication with investors while updating relevant fund documentation accordingly.
CSSF ends the monitoring of fund issues and large redemptions due to the Ukrainian conflict
On 28 February 2024, the CSSF announced in a communication the termination of the ad hoc reporting initiated on 25 February 2022 to monitor market risks affecting investment funds due to the Ukrainian conflict (the “Communication”). As previously reported, IFMs were required to report to the CSSF issues, significant developments, decisions, measures, and large redemptions relating to the managed investment funds. Considering recent market changes, the CSSF has decided to end this reporting by the end of February 2024. IFMs are instead instructed to revert to the standard communication channels for reporting significant issues to the CSSF.
ESMA updates its PRIIPs KID Q&A
On 15 March 2024, ESMA published its updated consolidated questions and answers on the packaged retail and insurance-based investment products Key Information Document (“PRIIPs KID”). The additions include the following clarifications:
- The term "PRIIPs open to subscription" covers cases where new contracts for such PRIIPs can be concluded or shares in such PRIIPs can be subscribed to by retail investors.
- The difference between a "benchmark" and a "proxy" within the meaning of the PRIIPs Delegated Regulation (EU) 2017/653, last amended by PRIIPs Delegated Regulation (EU) 2022/1666 (the “PRIIPs DR”), is that a "benchmark" is an index used to measure investment fund performance, requiring disclosure and past performance inclusion if applicable, whereas a "proxy" refers to substitutes like comparable AIFs used when historical data is lacking.
- The duplication of wording between Article 2(2a)(b) PRIIPs DR of the ‘What is this product?’ section and Commission Delegated Regulation (EU) 2021/2268 Article 6 in the “How long should I hold it and can I take money out early?” section regarding product disinvestment procedures in the KID is necessary for compliance but can vary in language to ensure coherence and readability, with cross-references aiding navigation, as both sections serve distinct purposes within the document structure. In general, there are expected to be cases where the same product aspect or feature has implications for different sections of the KID.
- An indication of whether the PRIIP manufacturer is allowed to cancel or redeem the product without the consent of the retail investor further to the market circumstances.
- The indication to use five (5) years of historical data is intended where this is available. Where fewer than five (5) years of historical daily prices of the PRIIP are available, the historical daily prices of an appropriate benchmark or proxy can be used to supplement the data.
- The use of synthetic or artificial proxies to generate price data is not consistent with the PRIIPs DR, which refers to the use of actual historical prices.
- If a PRIIP, including an investment fund, is available to retail investors in an EU Member State with a different currency to the currency of the product, then the KID needs to include the SRI narrative element C.
- Where a PRIIP does not allow retail investors to exit before the recommended holding period, costs should be shown only at the recommended holding period.
- Past performance information, as required by Article 8(3) of the PRIIPs DR, should be published no later than 35 business days after 31 December each year, with UCITS and other PRIIPs having similar obligations outlined in Annex VIII of the PRIIPs DR.
- The costs disclosed under Annex VII PRIIPs DR in table 1 – cost over time and table 2 – total cost should be aligned for year 1, with table 2 providing a breakdown of one of the figures included in table 1, ensuring consistency for both packaged retail investment products and insurance-based investment products, without including a “Total” row in table 2 as this figure should already be provided in table 1.
AIFMD II published in the EU's Official Journal
The alternative investment fund managers directive (AIFMD), established over a decade ago, seeks to establish a unified regulatory structure for overseeing alternative investment funds (AIFs), with the goals of bolstering investor safeguarding, augmenting transparency, and fostering stability within the European Union (EU) financial landscape. Enacted by EU lawmakers and integrated into Luxembourg's legal framework through the AIFM law of 12 July 2013 (AIFM Law), AIFMD has demonstrated its effectiveness in cultivating a resilient market that garners international recognition.
The AIFMD was conceived as the EU's response to the 2008 global financial crisis, serving as one of several regulatory measures aimed at addressing the vulnerabilities and hazards highlighted during that period, with the aim of managing risks and protecting investors.
Over the past decade, there has been a substantial expansion in the size of the investment fund industry. Given this expansion, it was natural for AIFMD to undergo a revision to adapt and respond to changing market dynamics, including fluctuations in the economic and financial landscape.
On 26 March 2024, the EU's Official Journal published the final legislative text of AIFMD II, signifying the end of the AIFMD review process initiated in 2020. Despite this milestone, there are still outstanding rules to be finalised, allowing managers a transition period to adapt to the new regulations. AIFMD II aims to strengthen the existing regulatory framework by extending its coverage and promoting increased uniformity, while also introducing new regulations to effectively supervise emerging investment strategies such as debt funds.
Enhanced CSSF guidelines for NAV calculation errors and investment breaches
On 29 March 2024, the CSSF published its reform of Circular CSSF 02/77 on NAV calculation errors and investment breaches, by releasing Circular CSSF 24/856 which replaces Circular CSSF 02/77 on the protection of investors in case of NAV calculation error and correction of the consequences resulting from non-compliance with the investment rules applicable to undertakings for collective investment (the “Circular 24/856”).
Circular 24/856 reflects regulatory changes awaited since 2002 and addresses NAV calculation errors, investment breaches, and other errors in collective investment undertakings; it is addressed to the UCI's governing body, the IFM, the UCI administrator and the depositary. Circular 24/856 applies to various types of UCIs, including UCITS, Part II UCIs, ELTIFs, MMFs, EuVECAs and EuSEFs, as well as to SIFs and SICARs. It provides guidelines for handling errors, clarifies treatment and correction procedures, and aims to protect investor interests.
As was already the case under Circular CSSF 02/77, only NAV errors that substantially affect the NAV and surpass a specified threshold (the tolerance threshold) need to be reported to the CSSF and rectified in accordance with the guidelines detailed in chapter 4 of Circular 24/856.
The determination of the tolerance threshold is carried out by the UCI's governing body, along with the IFM where applicable, through an analysis conducted in accordance with specific criteria and requiring proper documentation. While the provided thresholds can offer guidance, none should exceed 5% of the NAV by default. UCITS, Part II Funds, MMFs, and ELTIFs, as well as SIFs and SICARs offering shares to new investors, should include in their prospectuses, upon the next update, a disclosure regarding potential impacts on the rights of final investors who subscribe through financial intermediaries in cases of indemnification. Investment funds not obligated to update their prospectus or issue one, and those that have not updated theirs before the Circular 24/856 entry into force, must inform their investors through official communication channels outlined in the constitutive documents and/or prospectus.
Circular 24/856 comes into effect on 1 January 2025, replacing Circular CSSF 02/77, with an English version expected soon. For errors and non-compliances detected between the date of publication of Circular 24/856 and 1 January 2025, UCIs will continue to apply the guidelines set out in Circular CSSF 02/77.