CSSF Circular 15/611 relative to managing the risks related to the outsourcing of systems that allow the compilation, distribution and consultation of management board/strategic documents.

As such documents may contain sensitive data, and although it is the choice of the entity whether or not to store its data on a system hosted at operated by such a service provider, the entity must perform a thorough due diligence.

This check includes a detailed evaluation of the security aspects of the service provider.

It is the entity’s responsibility not to disclose any information that is considered confidential to a service provider who is not subject to professional secrecy obligations.

Concerning domiciliation agent entities, they are required to choose a service provider that complies with the conditions set out in Circular CSSF 05/178.

http://www.cssf.lu/fileadmin/files/Lois_reglements/Circulaires/Hors_blanchiment_terrorisme/cssf15_611eng.pdf