Cloud services: changes on the way for Luxembourg insurers

in Industry Insights, 20.07.2020

Check out our lastest blog on this topic !

On 24 June 2020, Luxembourg’s insurance regulatory body (Commissariat aux Assurances – CAA) published Circular Letter 20/13 concerning the EIOPA guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002). Through this circular letter, the CAA clarifies that it fully intends to apply these guidelines, inviting all insurance and reinsurance entities to take the necessary steps to achieve compliance.

Given the growing importance of cloud services as a driver of innovation and the rising interest in outsourced cloud solutions within the insurance sector, this comes as a welcomed step. It clarifies the regulatory requirements that entities should apply when making cloud outsourcing arrangements.


As detailed below, the guidelines consist of 16 chapters, with the first 15 focused on companies and the last one concerning the CAA.

  1. Cloud services and outsourcing
  2. General principles of governance for cloud outsourcing
  3. Update of the outsourcing written policy
  4. Written notification to the supervisory authority
  5. Documentation requirements
  6. Pre-outsourcing analysis
  7. Assessment of critical or important operational functions and activities
  8. Risk assessment of cloud outsourcing
  9. Due diligence on cloud service provider
  10. Contractual requirements
  11. Access and audit rights
  12. Security of data and systems
  13. Sub-outsourcing of critical or important operational functions or activities
  14. Monitoring and oversight of cloud outsourcing arrangements
  15. Termination rights and exit strategies
  16. Supervision of cloud outsourcing arrangements by supervisory authorities


For those familiar with banking regulation, the guidelines do not feature a precise definition of cloud computing as seen in Circular CSSF 17/654 on cloud computing. In general, the requirements are similar to those of the European Banking Authority Guidelines on outsourcing (more on this).

It should be noted that the guidelines require entities to notify the CAA whenever a cloud outsourcing arrangement relates to a critical or important function.

Professional secrecy

Circular Letter 20/13 draws attention to professional secrecy, as defined in Article 300 of the Law of 7 December 2015 on the insurance sector. While the obligation of professional secrecy remains, the law was amended in 2018 to define compliance requirements in the cases of intragroup outsourcing arrangements and outsourcing abroad.


The guidelines apply to all cloud outsourcing arrangements entered into or amended on or after 1 January 2021 . Companies should review and amend existing cloud outsourcing arrangements related to critical or important functions by 31 December 2022.

Need a hand?

KPMG can help in a number of ways: cloud strategy and transformation services, internal upgrades and liaising with regulators. Please visit our website or contact me to find out more.