Further legal and regulatory developments

On 18 August 2025, the CSSF issued Circular 25/896, adopting the European Banking Authority (EBA) Guidelines on internal policies, procedures and controls to ensure compliance with EU and national restrictive measures (sanctions). The circular applies to credit institutions, investment firms, payment and e-money institutions, as well as crypto-asset service providers (CASPs) and aims to ensure that that institutions freeze and do not make funds or other assets available to sanctioned persons, bodies or entities.

It requires firms to establish clear governance arrangements, with a senior manager accountable for sanctions compliance. Institutions must perform regular assessments and at least annual reviews of their exposure to sanctions risks covering customers, products, services and geographic areas. They must maintain up-to-date policies, procedures and screening systems, supported by regular staff training, monitoring and escalation processes.

Payment service providers (PSPs) and CASPs are subject to additional requirements, including the screening of payments and crypto-asset transfers, appropriate management of sanctions lists and the calibration of screening tools to detect potential hits and near matches. These measures are to strengthen the prevention, detection and reporting of sanctions breaches or attempts at circumvention. The circular will apply as from 30 December 2025.

By replacing Circular 15/612 with Circular 25/894, the CSSF has updated its reporting framework to cover all Luxembourg investment fund managers (IFM) (including authorised and registered IFMs, as well as management companies) managing investment funds not authorised by the CSSF. The new circular introduces updated forms for initial notifications, subsequent changes, and cessation of management, requiring detailed information on the investment funds’ structure, strategy, service providers and delegation arrangements. These forms must be submitted or updated within 10 working days of any significant change.

With respect to initial notification, it is worth noting that the CSSF considers that an IFM takes on the role of manager at the latest:

• at the date of execution or effective date of the IFM agreement even if the alternative investment fund (AIF) has not yet been launched;
• at the date of establishment of the AIF where the IFM also acts as managing general partner or manager of the AIF or where the fund initiator is the same or belongs to the same group as the initiator of the IFM; and
• at any other date on which it is demonstrated from a legal and factual point of view that the management of the AIF has been conferred to the IFM.

These measures aim to enhance supervisory oversight and ensure that the CSSF has up-to-date information on every unregulated investment fund not subject to CSSF supervision managed by Luxembourg IFMs. On top of that, on 3 October 2025 the CSSF also updated its FAQ on Circular 25/894.

On 11 July 2025, ESMA published guidance in relation to the Markets in Crypto Assets regulation (MiCAR). MiCAR, it will be recalled, provides that CASPs providing advice on crypto-assets must ensure that natural persons giving advice or information about crypto-assets or crypto-asset services on their behalf possess the necessary knowledge and competence to fulfil their obligations. ESMA is of the view that all CASPs, not just those providing advice, should ensure that natural persons giving information about crypto-assets or crypto-asset services possess the necessary knowledge and competence to fulfil their obligations. Therefore, ESMA issued guidelines setting criteria on the assessment of knowledge and competence under MiCAR to a broad extent. The guidelines include:

• a general outline of the requirements in connection with knowledge and competences;
• criteria for knowledge and competence of staff providing information about crypto-assets or crypto-asset services;
• criteria for knowledge and competence for staff giving advice;
• organisational requirements for the assessment, maintenance and updating of knowledge and competence; and
• illustrative examples of the application of certain aspects of the guidelines.

On 11 July 2025, ESMA published a public statement aimed at regulated CASPs offering both regulated and unregulated services. ESMA warns that the practice of CASPs offering Markets in financial instruments Regulation (MiCAR) regulated as well as unregulated products and services gives rise to investor protection risks. One of the most significant risks is that (prospective) clients misunderstand the connected protections. Safeguards with respect to the management of conflicts of interests, complaints handling, the safeguarding of clients’ assets, ongoing supervision by national competent authorities are not obligated for unregulated services. CASPS using their regulated status as ‘marketing instrument’ may create a so-called ‘halo effect’, giving the impression that all their services offer the same safeguards.

To mitigate such risks, ESMA calls on CASPS to take all necessary measures to ensure that clients are aware of the regulatory status of the specific product or service they are receiving.

On 11 July 2025, the Guidelines on outsourcing to cloud service providers, published by ESMA in 2020 and applicable starting from 2021 (the 2021 Guidelines), were revised. The 2021 Guidelines guide the identification, addressing and monitoring of risks that may arise from cloud outsourcing arrangements and support a convergent approach to the supervision of cloud outsourcing arrangements across the EU. As the purpose of the 2021 Guidelines coincides with DORA, the scope of the 2021 Guidelines is narrowed down to entities not in-scope for DORA. Consequently, only depositaries referred to in Article 21 of the Alternative Investment Fund Managers Directive remain in scope of the amended 2021 Guidelines. However, there are no material changes to the content of the 2021 Guidelines, which already were applicable to the aforementioned depositaries.

On 15 July 2025, the Digital Operational Resilience Act (DORA) introduced an oversight framework for critical third-party service providers of ICT services. The three ESAs are empowered to oversee critical third-party service providers on a pan-European scale, enhancing the overall digital operational resilience across the EU. The ESAs’ guidance on DORA oversight activities clarifies how the joint oversight of critical third‑party service providers is organised, including designation criteria, the role of the lead overseer, and a ‘toolkit’ (information requests, investigations/inspections, recommendations and remediation measures).