Luxembourg Insurance Regulator CAA Amends Cloud Outsourcing Rules
19 August 2021
On 5 August 2021, the Luxembourg insurance supervisory authority Commissariat aux Assurances ("CAA") adopted a new Circular Letter 21/15 on outsourcing to cloud computing service providers (the "Cloud Circular") that applies to CAA-supervised insurance and reinsurance undertakings.
More than a year ago, the CAA had already issued a circular letter (20/13) which merely informed undertakings of the full application by the CAA of the EIOPA Guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002) (the "Guidelines") and reminded (re-)insurance undertakings of their professional confidentiality ('insurance secrecy') obligations. The new Cloud Circular adopts the Guidelines by setting them out in its own text and integrates certain additional CAA requirements into it. The additional requirements relate to the setting up of an information security function, local expertise and competencies, the content of contracts and the related compliance assessment, the content of the cloud outsourcing notification to the CAA, insurance secrecy related aspects and the documentation in case of service interruptions.
This briefing provides an overview of these CAA-specific requirements, which are additional to or further specify the Guidelines and other legal or regulatory requirements relevant in this context. This briefing does not deal with the Guidelines themselves or such further legal or regulatory requirements.