Luxembourg law expands ICT outsourcing for insurers
LUXEMBOURG CITY, LUXEMBOURG — In a significant move, Luxembourg has enacted a new law that broadens the scope for insurance and reinsurance undertakings (Undertakings) to engage ICT providers both within and outside the country, provided these providers adhere to the highest IT security standards.
This development marks a pivotal shift in the regulatory landscape, aiming to enhance the flexibility and security of digital operations in the insurance sector.
Key provisions of the new law
The law, referenced as Law 2024, amends Article 80 of the Law on the Insurance Sector, dated December 7, 2015.
Previously, Luxembourg insurance and reinsurance undertakings were required to maintain their accounts, ledgers, and other business-related documents within the Grand Duchy at all times.
The new legislation introduces an exemption allowing these undertakings to outsource the digital storage and processing of documents and data to third-party ICT service providers located either in Luxembourg or other EU Member States.
These providers must be supervised by a European Supervisory Authority, as per Article 31 of the Digital Operational Resilience Act (DORA).
Implications for professional secrecy and data protection
The amendment to Article 80 facilitates a legal exemption from the professional secrecy duty traditionally upheld in the insurance sector.
This adjustment means that the disclosure of confidential information — when outsourced legally — does not breach professional secrecy obligations. However, undertakings must still comply with the General Data Protection Regulation (GDPR) as the processing of personal data is involved.
Regulatory compliance and future considerations
Undertakings opting to outsource their IT functions must adhere to specific regulatory guidelines depending on the nature of the outsourcing.
For cloud-based solutions, compliance with Circular 21/15 on cloud outsourcing is required. For non-cloud outsourcing, Circular 22/16 concerning the outsourcing of critical or important operational functions must be followed.
This legislative change is poised to offer more operational flexibility and potentially lower overhead costs for Luxembourg-based undertakings. However, it also necessitates careful consideration of regulatory and tax implications, particularly when outsourcing IT systems extensively.