Practical guide to teleworking in Luxembourg

The Luxembourg financial regulator (the CSSF) has introduced governance and security rules for teleworking, including the requirement to adopt a telework policy and to monitor compliance with it. The new rules apply as of 1 July 2022.

01 July 2022

Publication

On 31 March 2022, the CSSF published its Circular on telework [1]. The new rules apply as of 1 July 2022 to all supervised entities in Luxembourg.

As explained by Kathrin Moules, Deputy Head of the CSSF’s Supervision of Information Systems and Support PFS Department, the Circular was published to address market concerns and questions surrounding working conditions and to provide guidance to supervised entities, focusing on two main recurring topics: “the governance and security requirements that supervised entities should respect when implementing and using processes based on telework solutions”. [2]

What is teleworking?

Telework is defined in the Circular as “a form of organising and/or carrying out work, using information and communication technologies within the framework of an employment contract authorising work, which would ordinarily be carried out on the employer’s premises [3], to be performed outside of the premises of the employer.”

For a work relationship to be considered teleworking, it shall involve:

  1. Work that is delivered by means of information and communication technologies as previously approved by an employer;

  2. Work that is performed on a regular or occasional and voluntary basis; and

  3. Work that is conducted within defined working hours at a predetermined place that differs from the employer’s premises.

Who does it apply to?

The Circular applies to supervised entities, including their branches both in Luxembourg and abroad. For branches abroad, it applies provided that telework is authorised in the host country and the entity complies with that country’s national rules (together, the Supervised Entities).

How will the policy be implemented?

According to the Circular, the Supervised Entities have the flexibility to create and implement their own internal Telework policy subject to the minimum criteria addressed below and the following process of implementation and monitoring:

  1. Performing a risk assessment to identify the potential risks associated with Telework, considering in particular:

    • aspects related to social security requirements and labour, company and tax law;
    • risks associated with Telework of privileged users; and
    • adherence to the professional secrecy and data protection requirements.
  2. Definition by the board of directors of a Telework policy and a specific Telework security policy addressing the identified security risks, which together set out the operational framework that enables effective monitoring of teleworking staff.

  3. Implementation of the Telework policy, taking into account the wide range of laws that the Supervised Entities must comply with or consider, in particular:

    • Legal provisions that are part of the wider mandatory public policy provisions (règles d’ordre public) in Luxembourg;
    • EU and national regulations regarding freedom of establishment and freedom to provide services; and
    • National, foreign and international laws and regulations, in particular those relating to tax, company law, professional secrecy, data protection and social security, specifically in the context of Telework by non-resident staff.
  4. Annual review of the Telework policy based on an updated risk analysis and a review of the appropriateness of the mitigating measures implemented.

The Supervised Entities do not need CSSF approval to implement their Telework policy. However, since the CSSF monitors compliance with the Circular, they should collect evidence of their compliance in preparation for a possible request from the CSSF to produce it.

The review of the Telework policy, of the related process flows and of compliance with legal and regulatory requirements must become part of the work of the Supervised Entities’ internal control functions, and their annual reports must cover significant operational incidents relating to Telework.

What are the minimum criteria?

The CSSF has set out minimum governance and security requirements that Supervised Entities must follow when creating an internal Telework policy and framework, so that Telework does not jeopardise the regular operational functioning of the Supervised Entities.

Governance controls

When defining their Telework policy, the Supervised Entities should ensure that a “robust central administration” remains in place, meaning that the decision-making centre and administrative centre of the business must remain in Luxembourg, with sufficient substance kept at the central administration [4].

To maintain this under the Telework policy, the following criteria must be adhered to according to the CSSF:

  1. Staff must at all times be able to return at short notice to the Supervised Entity’s premises or, for staff located in a branch outside Luxembourg, to that branch;

  2. The number of teleworkers at any one time must be compatible with the central administration requirements;

  3. There should be a limit on the amount of working hours each staff member is allowed to telework;

  4. At least one authorised manager [5] must be on-site at the head office at all times;

  5. Key functions must be represented on the premises every day, and the performance of critical activities [6] must be guaranteed;

  6. There should be a minimum number of physical meetings held at the Luxembourg head office; and

  7. The head office remains the “decision-making centre”.

ICT and security risks

The Circular places particular emphasis on assessing ICT and security risks and on adapting existing user and access management procedures, including access rights, proportionately to the nature, scale and complexity of the Supervised Entity.

To give its teleworkers remote access, a Supervised Entity must put in place control procedures to monitor work performed through telework and to ensure that the remote access devices used are secure.

To ensure such security, the Supervised Entities should put in place a specific Telework security policy requiring that access rights are (i) granted on a need-to-know basis and (ii) re-certified at least annually for non-privileged users and at least every six months for privileged users [7].
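The two re-certification windows above (12 months for ordinary users, 6 months for privileged users) are easy to state and surprisingly easy to get wrong in practice: reviews are scheduled by calendar month, month-end dates shift, and entitlements that were never re-certified since they were granted tend to disappear from a “days since last review” report. The following Python script is an added example (not part of the Circular or any CSSF tooling) that computes the due date for each entitlement from a constructed inventory and lists everything overdue on a given date. The record fields, the `privileged` flag and the sample users and systems are hypothetical; in practice the inventory would be exported from the entity’s IAM system.

```python
"""Access-rights re-certification due-date check.

Added example, not CSSF or Circular code.  The inventory format (user,
system, privileged flag, last certification date) is an assumption; the
intervals follow the text: 12 months non-privileged, 6 months privileged.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date

# Maximum re-certification interval in calendar months, keyed by privilege.
RECERT_INTERVAL_MONTHS = {False: 12, True: 6}


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    privileged: bool
    last_certified: date | None  # None = never re-certified since it was granted


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target
    month, so 31 Aug + 6 months becomes 28/29 Feb instead of overshooting."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def due_date(e: Entitlement) -> date | None:
    """Deadline for the next re-certification, or None if never certified."""
    if e.last_certified is None:
        return None
    return add_months(e.last_certified, RECERT_INTERVAL_MONTHS[e.privileged])


def overdue(entitlements, as_of: date) -> list[tuple[Entitlement, int]]:
    """Return (entitlement, days_overdue) for every entry past its deadline on
    `as_of`.  Never-certified entries are reported with days_overdue = -1 and
    sorted first: they are the oldest exposure, not the newest."""
    found = []
    for e in entitlements:
        d = due_date(e)
        if d is None:
            found.append((e, -1))
        elif as_of > d:
            found.append((e, (as_of - d).days))
    found.sort(key=lambda t: (0 if t[1] == -1 else 1, -t[1]))
    return found


# Constructed sample inventory (hypothetical users and systems).
SAMPLE_INVENTORY = [
    Entitlement("alice", "core-banking", False, date(2021, 6, 1)),   # due 2022-06-01
    Entitlement("bob",   "core-banking", True,  date(2021, 12, 15)), # due 2022-06-15
    Entitlement("carol", "jump-host",    True,  date(2022, 2, 1)),   # due 2022-08-01
    Entitlement("dave",  "vpn-gateway",  False, None),               # never certified
    Entitlement("erin",  "sftp",         True,  date(2021, 8, 31)),  # due 2022-02-28
]


if __name__ == "__main__":
    review_date = date(2022, 7, 1)  # the day the Circular's rules start applying
    for e, days in overdue(SAMPLE_INVENTORY, review_date):
        tag = "privileged" if e.privileged else "non-privileged"
        when = "never certified" if days < 0 else f"{days} days overdue"
        print(f"{e.user:6} {e.system:13} {tag:15} {when}")
```

Two design points worth keeping when adapting this to a real export: the clamp in `add_months` means a privileged review on 31 August falls due on 28 February, not on an invalid date or in March; and treating a missing `last_certified` as overdue rather than skipping the row is what turns an “everything reviewed recently” report into one that catches entitlements granted without a first review.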

When implementing these control procedures, Supervised Entities must also introduce mitigating measures for the remote access devices used by teleworkers, such as storage media encryption and security mechanisms that staff cannot alter, remove or circumvent. These devices must be securely managed through a centralised management solution.

The CSSF recommends company-owned devices, in particular for critical activities and for accessing or administering ICT systems, although remote access may be established from both company-owned and privately-owned devices. Use of privately-owned devices must be (i) evaluated by the Supervised Entity in a specific risk assessment, (ii) confined to a controlled professional environment or a virtual desktop infrastructure that allows the entity to mitigate the ICT and security risks, and (iii) subject to regular independent tests of the security parameters of those devices.

In addition to these technical measures, the Supervised Entities must make staff aware of the risks inherent in Telework, introduce them to best practices and set out their duties and responsibilities, so that the Telework security policy preserves the integrity, confidentiality and proper functioning of the Supervised Entity while its staff telework.

When will the rules be implemented?

These rules apply from 1 July 2022. The CSSF intends to review the Circular at the latest 12 months after its entry into force, in order to address any deficiencies or potential abuses that may have arisen.

Why is it important?

This Circular takes Telework, and the flexibility of working remotely, beyond the emergency measure it was during the Covid-19 pandemic: with the general Covid-related limitations on working conditions now lifted, it guides Supervised Entities in implementing a secure, compliant and efficient Telework policy.


[1] Circular CSSF 21/769 (the Circular) on governance and security requirements for supervised entities to perform tasks or activities through telework, as amended by Circular CSSF 22/804, following the entry into force of the Law of 11 March 2022 amending the Law of 17 July 2020 on the measures to fight against the Covid-19 pandemic, as amended, and the abolishment of the general working condition limitations (https://www.cssf.lu/wp-content/uploads/cssf21_769eng.pdf)
[2] Podcast: https://www.cssf.lu/en/Document/listen-to-kathrin-moules-deputy-head-of-the-cssfs-supervision-of-information-systems-and-support-pfs-department-speak-about-the-challenges-addressed-by-circular-cssf-21-769-on-telework/
[3] On page 5 of the Circular: “the employer’s premises include the head office and any additional premises in Luxembourg that Supervised Entities use as well as, in the case of branches, the premises of branches of Supervised Entities or Luxembourg branches of entities”.
[4] Under heading V. Baseline requirements.
[5] On page 5 of the Circular: “Authorised management means persons authorised by the CSSF for the day-to-day management or persons authorised by the CSSF to effectively conduct the business of a supervised entity.”
[6] On page 5 of the Circular: “critical activities are activities in respect of which the occurrence of a problem may have a significant impact on the Supervised Entity’s ability to meet the regulatory requirements or even to continue its activities (eg, transaction processing, order input/upload, 4-eye validations, remote administrative access to ICT systems by the ICT team, etc.).”
[7] On page 5 of the Circular: “privileged users are users with access rights enabling them to carry out sensitive operations, both for ICT operations (eg system administrators) and for business operations. These sensitive activities are typically related to the provision of critical services.”

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.