The CSSF has published Circular CSSF 25/900, updating the annual reporting framework for UCI administrators (UCIAs) under Circular CSSF 22/811. The changes apply from 31 December 2025 and aim to simplify reporting while reflecting the EU framework on digital operational resilience.
Photo by CSSF
What is changing
- Annex B repealed: the standalone “list of information” on administration functions is removed.
- New Self-Assessment Questionnaire (SAQ): reporting moves to a more focused SAQ covering key requirements of the UCIA circular.
- More integrated reporting: for many entities (including banks, IFMs, investment firms, and specialized/support PFS), the SAQ will be integrated into existing annual reporting (LFR/SAQ), rather than submitted as a separate filing.
ICT, cyber and third-party risk (DORA alignment)
- Point 76: references move from a specific reliance on CSSF Circular 20/750 to a broader requirement to comply with DORA or Circular 20/750, as applicable.
- Point 80 (outsourcing / ICT third-party risk):
- DORA entities: follow DORA and Circular CSSF 25/882.
- Non-DORA entities: continue to apply the ICT and Cloud outsourcing requirements in Circular CSSF 22/806, as amended.
Overall, this strengthens the shift from local guidance to the EU DORA framework. UCIAs should confirm their DORA scope and review vendor/outsourcing governance ahead of year-end 2025.
Learn more
You can view the full communiqué from the CSSF here.