Agefi Luxembourg - mai 2026
IA & Tech

INCERT at the Crossroads of Cybersecurity and Sovereignty

In today’s hyperconnected world, trust is the foundation of digital transformation. As cyber threats grow more sophisticated and data becomes a strategic asset, INCERT GIE stands as a key player in securing Europe’s digital future. Based in Luxembourg, INCERT operates at the intersection of cybersecurity, digital sovereignty, and critical infrastructure protection, ensuring that trust remains at the heart of progress.

The Growing Importance of Digital Trust

The digital landscape is evolving rapidly, driven by increasing cyber risks, stricter European regulations (DORA, NIS2, eIDAS 2.0), and the acceleration of digitalization. In this context, digital trust has become a strategic priority for governments, institutions, and businesses alike. INCERT is at the forefront of this challenge, delivering solutions that secure identities, protect digital exchanges, and strengthen the resilience of critical systems.

At its core, INCERT’s mission is to build trust in a digital world. Its solutions are structured around four key pillars:
1. Trusted Identity Management – Ensuring the authenticity and security of identities.
2. Secure Digital Exchanges – Protecting sensitive communications and transactions.
3. Infrastructure Resilience – Fortifying systems against cyber threats.
4. Regulatory Compliance – Helping organizations meet stringent European standards.

What Makes INCERT Unique?

INCERT isn’t just another cybersecurity provider — it’s a trusted partner for Europe’s digital ecosystem. Here’s what sets INCERT apart:

Global Reach with Local Expertise: Trusted in over 90 countries, INCERT’s solutions secure more than 4 billion identity documents, from passports to digital credentials.

Innovative Technology: INCERT’s VISOGO solution leads the way in identity verification, authenticating data in electronic identity and travel documents to prevent fraud and enable secure transactions.

Comprehensive Solutions: From digital identity wallets to secure event management platforms, INCERT offers a diverse portfolio tailored to meet the needs of various sectors.

Driving Impact Across Key Sectors

INCERT’s expertise spans multiple domains, each critical to Europe’s digital sovereignty and security:
1. Financial Services: Identity verification and fraud prevention are top priorities for financial institutions and public organizations. INCERT’s VISOGO technology ensures the authenticity of electronic identity documents, enabling secure transactions and seamless digital onboarding.
2. Travel & Mobility: International travel demands both security and convenience. INCERT supports the production of secure identity documents and develops digital identity wallets, making cross-border journeys smoother while enhancing border security.
3. Foreign Affairs: INCERT secures diplomatic communications between governments, embassies, and international organizations, ensuring confidentiality, integrity, and reliability in all exchanges.
4. Event Management: For high-profile events, security and efficiency are non-negotiable. INCERT’s SaaS platforms handle participant registration, accreditation, badge issuance, and access control, ensuring seamless operations.
5. Critical Infrastructure: INCERT’s technologies, including certificate management and cryptography, protect Europe’s most vital systems, ensuring resilience in the face of cyber threats.

Securing Europe’s Digital Future

As Bruce Schneier famously said, “Security is a process, not a product.” INCERT embodies this philosophy, continuously innovating to meet the evolving challenges of the digital age. By combining cutting-edge technology with a deep commitment to trust and sovereignty, INCERT is helping to build a more secure and resilient European digital ecosystem.

Managing Non-ICT Third-Party Risk as a Prudential Imperative

In recent years, financial institutions have increasingly relied on third-party providers for key operational and support functions. The EBA’s draft Guidelines on non-ICT third-party risk management clarify that these arrangements pose material prudential and governance risks and introduce a harmonized supervisory framework which, for Luxembourg institutions, aligns as far as possible with DORA while limiting additional supervisory burden.

From outsourcing to structural dependency

Third-party service provision has evolved from a tactical outsourcing decision into a structural feature of financial institutions’ operating models. Administrative services, fund operations, internal control activities, customer servicing, accounting, treasury or group-provided functions are increasingly delivered by external or intragroup entities. The draft EBA Guidelines (or “Guidelines”) on the Sound Management of Third-Party Risk reflect a clear supervisory conclusion: risk arises not from the contractual label applied to an arrangement, but from the degree of dependency it creates.

The Guidelines deliberately move beyond the traditional concept of outsourcing. Any arrangement whereby a third-party service provider performs or supports a function on a recurrent basis may fall within scope, regardless of whether it is labeled outsourcing, delegation or service provision. This broader approach is particularly relevant in Luxembourg, where cross-border group structures and shared service centers are common. From a regulatory perspective, such arrangements can materially affect the institution’s risk profile, governance and ability to remain compliant with authorization conditions.

Management body accountability cannot be delegated

A central pillar of the Guidelines is the reaffirmation of management body accountability. The Guidelines make explicit that responsibility for all activities of the institution can never be delegated to third-party service providers. Even where functions are performed externally, the management body remains fully accountable for oversight, decision-making and risk management.

This principle aligns closely with the CSSF’s long-standing supervisory focus on substance, effective management and local oversight. In practice, Luxembourg-based institutions today are expected to demonstrate that senior management and boards retain sufficient understanding of outsourced or externally supported functions to effectively challenge performance, risk assessments and incidents. Reliance on contractual assurances or group-level reporting alone is no longer sufficient.

Non-ICT third-party risk as a governance risk

Non-ICT third-party risk is therefore first and foremost a governance risk. Excessive reliance on third parties for operational or control functions can weaken internal governance arrangements, dilute accountability and impair the effectiveness of internal control functions.

In Luxembourg, where institutions often rely on group entities or specialized service providers located abroad, supervisors will increasingly expect clear evidence that local management retains sufficient authority, decision-making power and resources. This includes the ability to intervene, request changes, activate exit strategies and, where necessary, reintegrate functions without undue disruption.

Preventing “empty shell” and letter-box institutions

The EBA Guidelines introduce an explicit prudential concern: the risk of “empty shell” or “letter-box” institutions. Where critical activities, control functions or decision-making processes are predominantly performed by third parties, an institution may no longer demonstrate the substance required to support its license.

This risk is particularly relevant in Luxembourg’s internationally oriented financial center, where business models often rely on delegation and group servicing. For CSSF-supervised entities, third-party arrangements are no longer assessed solely through an operational lens, but as a factor directly linked to authorization sustainability, resolvability and supervisory confidence.

Concentration risk beyond technology

Another key dimension addressed by the Guidelines is concentration risk. While digital concentration is covered by the Digital Operational Resilience Act (DORA), the EBA highlights that non-ICT concentration can be equally disruptive. Dependence on a limited number of service providers for critical operational or governance functions may create vulnerabilities at both entity and sector level.

In Luxembourg’s ecosystem, where multiple institutions may rely on the same administrators, depositaries or group service providers, such risks can have broader financial stability implications. The Guidelines therefore require institutions to identify, assess and actively manage concentration risks, including substitutability and exit feasibility.

Documentation as a supervisory control mechanism

To address these concerns, the Guidelines impose robust documentation and transparency requirements. Institutions must maintain comprehensive registers of all third-party arrangements, including assessments of criticality, subcontracting chains, substitutability and exit strategies.

For CSSF supervisors, this documentation is not a formal exercise: it is a core supervisory tool, enabling informed dialogue, targeted interventions and a clear understanding of group-wide dependencies. Weak documentation increasingly signals weak governance.

A necessary complement to DORA

Importantly, the EBA framework complements, rather than duplicates, the Digital Operational Resilience Act. While DORA focuses on ICT services and digital resilience, the EBA Guidelines ensure that non-ICT dependencies are governed with equal rigor.

Together, these frameworks reflect a holistic supervisory view of operational resilience, extending well beyond technology to organizational design, governance and strategic control. For instance, the Guidelines ensure consistency with the DORA register by allowing financial institutions to store consistent information for both ICT and non-ICT services, including the possibility of using one single register. Taking into account the application of proportionality, the level of information to be documented has been limited to reduce the burden on both firms and regulators.

Bringing this together operationally when you have ICT and non-ICT service providers

Based on experience supporting banks and asset managers operating under both frameworks, we believe that an integrated approach that builds on synergies between DORA’s requirements for third parties and the requirements of these Guidelines represents the most effective path forward. A streamlined approach is even more important given the breadth of non-ICT service providers that firms have to govern, including administrative services, cash management services, customer services, depositary tasks and administration for UCI, finance, treasury, accounting and reporting, internal control functions, investment services, lending, payment services and securities services.

In practice, this approach is applied across both ICT and non-ICT third-party service providers through a single, integrated third-party risk management framework, while applying DORA and the EBA non-ICT Guidelines in parallel and where each is relevant. The approach starts by building a common foundation covering criticality assessments, multi-vendor strategies, concentration risk, exit feasibility and overarching third-party governance. On this basis, suppliers are then differentiated according to the nature of the services provided.

ICT third-party service providers are assessed against DORA-specific requirements, including ICT risk controls, operational resilience measures, register of information updates, resilience testing expectations and, where applicable, CSSF notification obligations for critical or important ICT outsourcing.

Non-ICT third-party service providers are governed under the EBA Guidelines through enhanced due diligence, governance arrangements, contractual safeguards, ongoing monitoring and structured exit planning, addressing risks that fall outside DORA’s scope but remain prudentially material. By leveraging shared framework components such as criticality checklists, due diligence questionnaires, contractual clause reviews, risk assessments, exit plans, service level monitoring and harmonized registers, institutions can avoid duplication while ensuring full regulatory coverage.

This allows DORA and the EBA Guidelines to be operationalized consistently rather than in silos, providing supervisors with a coherent view of third-party dependencies across the entire operating model. Applied to a selected and risk-based set of suppliers, the model supports a continuous “Plan, Remediate and Comply” cycle, enabling institutions to demonstrate effective governance, resilience and control over both ICT and non-ICT third-party risks within a single, sustainable operating framework.

Conclusion: A strategic and prudential imperative

For Luxembourg’s financial institutions, once these Guidelines come into effect, managing non-ICT third-party risk will no longer be a compliance exercise delegated to procurement or operations. It will become a strategic and prudential imperative, directly linked to governance quality and supervisory trust. Institutions that fail to address the Guidelines will not only remain exposed to non-ICT third-party risks that fall outside DORA’s scope but will also face weakened governance, increased exposure to non-traditional third-party dependencies, and an erosion of supervisory confidence.

Norman FINSTER, Partner, Alternative Investments, EY Luxembourg
Johann LOBO, Senior Manager, Governance, Risk & Compliance, EY Luxembourg