Luxembourg’s fund regulator is shifting its supervisory focus from rule-setting to enforcement, zeroing in on governance failures, operational fragility, and liquidity risks as structural vulnerabilities in the sector become harder to ignore.
The Commission de Surveillance du Secteur Financier’s 2026 priorities signal a move beyond compliance checklists toward how investment fund managers actually function in practice. Ensuring compliance with organisational set-up and internal control function requirements is, the CSSF said, a “cornerstone” of its work. Internal controls, staffing, and oversight are under particular pressure, with follow-up work on a European supervisory review of compliance and internal audit functions set to intensify.
At the centre of that shift is governance. Nearly 36 percent of on-site inspections — 19 of 53 — carried out by the CSSF in 2024 focused on governance issues, underlining the regulator’s concern that weaknesses in oversight structures remain widespread. Those inspections covered 20 percent of total assets managed by authorised investment fund managers.
The European Securities and Markets Authority launched a common supervisory action on compliance and internal audit functions for Ucits management companies and alternative fund managers in February 2025, selecting around 30 investment fund managers. The review covers policies and procedures related to compliance and internal audit functions, their delegation, authority and independence, and reporting lines to senior management. The final report is due in the second quarter.
Risk management
The CSSF plans a second common supervisory action on risk management for the second half of the year. Following Esma’s publication of 14 principles on third-party risks in June 2024, covering due diligence, contractual arrangements, and supply chain risks, the CSSF will launch a study to assess how investment fund managers comply and to understand how third-party risk is integrated into overall risk management processes.
Operational resilience has moved up the agenda alongside governance. The Digital Operational Resilience Act (DORA), in application since January 2025, is forcing managers to confront vulnerabilities in IT systems, outsourcing arrangements, and cyber preparedness.
Hybrid warfare
“Financial service providers are a primary target for attacks,” CSSF director-general Claude Marx said at a Luxembourg forum in March, pointing to sophisticated threats including Russian hybrid warfare tactics. The concern has real precedent. On 23 July last year, Post Luxembourg experienced major disruptions to internet, mobile, and landline services for several hours, with the 112 and 113 emergency numbers unreachable. Initially attributed to a technical fault, the outage was later confirmed by economy minister Lex Delles as “a targeted cyberattack of a particularly advanced and sophisticated technical nature.” The CSSF responded the same day, reminding supervised entities of their obligation to submit ICT-related incident notifications promptly.
Of the 53 on-site inspections at investment fund managers in 2024, five focused on IT security governance. Recurring shortcomings included obsolete IT systems, gaps in security testing frameworks, vulnerability management, IT change management, and internal audit coverage. Under DORA, these are supervisory priorities rather than technical shortcomings, with risk-based monitoring now embedded in ongoing oversight.
Liquidity tension
If governance and operational resilience reflect internal weaknesses, liquidity risk exposes structural tensions in the product set itself. Liquidity mismatch—where funds offer investors short-term redemptions while holding assets that cannot easily be liquidated—is, for the CSSF, a key vulnerability in open-ended investment funds.
The rise of semi-liquid structures, including open-ended Eltifs, is forcing regulators to confront the limits of periodic liquidity on inherently illiquid assets. That tension moved from theory to practice last year, when an Irish-domiciled Eltif suspended redemptions, followed by Blue Owl’s decision to halt redemptions on one of its funds earlier this year.
For the CSSF, this is now a core supervisory theme. The regulator plans targeted reviews of how managers handle liquidity risk, alongside scrutiny of credit risk in private debt strategies. Under AIFMD II and Ucits VI, transposed into Luxembourg law in early March, alternative investment fund managers of open-ended AIFs must select at least two liquidity management tools and notify the CSSF of their selection by 16 April. When activated, managers must also notify the regulator via a dedicated e-desk procedure.
ESG: still on the agenda
Sustainable finance remains a priority. “We will keep following up on the organisational arrangements made by managers in terms of ESG,” said Laurent van Burik, head of the enforcement, regulation and international investment fund unit at the CSSF, speaking at the Alfi Global Asset Management conference in late March. “It’s still a priority from the CSSF perspective.”
The regulator is focused on ensuring compliance with pre-contractual and periodic disclosures, with the ongoing revision of the Sustainable Finance Disclosure Regulation adding further complexity. Climate-related and environmental risk criteria have been incorporated into thematic inspections on governance and credit risk since 2024, aligning with one of the top three priorities set by the Single Supervisory Mechanism for 2024–2026, which addresses shortcomings in governance and climate and environmental risk management.
Enforcement has followed scrutiny. In November 2024, the CSSF imposed a fine of 56,500 euro on Aviva Investors Luxembourg for persistent breaches in its internal governance framework following an on-site inspection focused on ESG aspects. The regulator found that certain sub-funds had failed to comply with the investment strategy set out in pre-contractual disclosures.