Throughout the financial sector, technology is an important topic and leads to major changes in procedures, with financial companies themselves and also with the regulators. The new rules in Luxembourg for prospectuses should make life easier. In the Netherlands, the regulators lay a focus on the Digital Operations Resilience Act which gives an additional layer of supervision.
Luxembourg: new e-Identification system
In March 2025, the Luxembourg financial regulator, the CSSF, issued a communication which detailed a new electronic process for Ucits, UCIs Part II, Sicar’s and SIF’s to be applicable as of April 2025.
The new procedure, which the CSSF denotes as evolution, consists of the assignment of (a) a unique identification number, and (b) an e-identification date, which both will be visible on the first page of each prospectus. So the old visa stamp procedure will no longer be in existence.
Main evolutionary element of the new procedure is the creation of a pre-defined nomenclature of amendments which can be integrated into the prospectus without prior approval from the financial regulator, in turn allowing more efficient and speedy updates of prospectus documents. It is to be noted, however, that the CSSF, based on its risk-based approach, may request documents in order to conduct an ex-post analysis of changes that have not been subject to its prior review.
Guide available
A detailed guide, currently available via the CSSF eDesk, outlines the new procedure, highlights permissible amendments (those not requiring prior approval), and provides the applicable conditions along with a FAQ section.
All prospectus amendments not covered by the aforementioned categories will require CSSF review and will therefore remain subject to the current administrative procedure.
Beyond simply modernizing its administrative procedures, the CSSF highlights that these upcoming changes will lead to greater efficiency and increased certainty around compliance. It also reiterates the clear responsibility of the funds’ governing bodies to ensure adherence to regulatory requirements.
The Netherlands: AFM and DNB start monitoring compliance with Dora
All financial companies, including investment funds, are obliged to comply with the Digital Operations Resilience Act (Dora) from 17 January 2025 onwards. Dora also applies in Luxembourg but the regulator has not yet indicated its supervisory agenda. In the Netherlands, the Authority for the Financial Markets (AFM) and the Dutch Central Bank (DNB) gave some guidance.
Both supervisors have outlined what financial institutions can expect from them, as well as from the European supervisory authorities. The AFM begins with a clear message: companies should already have started implementing the Dora requirements, including the related Regulatory Technical Standards (RTS), even though the European Commission has not yet formally adopted them. No major changes to the current RTS package are expected.
Supervision
The AFM has announced that it will initiate thematic reviews, examining multiple parties to determine whether a specific financial company complies with a particular regulatory requirement. In addition, institution-specific reviews will be conducted, focusing on each financial company’s ICT security compliance, based on documentation to be submitted upon request.
Certain financial companies will also be required to carry out a “threat-led penetration test” (TLPT). The European Commission has not yet adopted the detailed regulations governing this testing requirement.
The primary supervisor of each financial company — either the AFM or the Dutch Central Bank — will cooperate with the institution to determine the most appropriate supervisory approach.
The DNB has indicated that financial companies not designated to perform a TLPT must still have a robust and comprehensive testing programme in place to assess their digital resilience. This programme must clearly justify which tests are appropriate, taking into account the size, risk profile, and complexity of the institution’s activities.
AFM Portal
Furthermore, the AFM has a specific “Dora-portal” that all financial companies that fall within the ambit of Dora, should have access to by now. The portal is designed to receive serious ICT-incidents and agreements with ICT service providers. For financial companies, supervised by the DNB, notifications will be done through the existing DNB-portal.
Not only the AFM but also European supervisory authorities (ESAs) may collect and monitor information regarding Dora. The AFM is under the obligation to submit registers of information gathered from Dutch financial companies, containing all contractual agreements with ICT service providers) to the European supervisors. Financial companies will have received the request already. The AFM must submit these registers to the supervisors by 30 April 2025.
Conclusion
Financial services follow general developments and are constantly modernized in particular by technology driven solutions, which is important to be more efficient, flexible and customer-friendly. This leads on its turn, to new regulatory flexibility (as for the Luxembourg prospectus rules) or new regulatory procedures, necessary to deal with new issues arising from the all-encompassing importance of ICT in the financial sector, coming with serious threats. At present, the Luxembourg regulator focuses on making life easier whereas Dora imposes an administrative burden on financial companies. However, since Dora also applies in Luxembourg, the Luxembourg financial companies will sure face more or less the same supervisory workload.
Jan Saalfrank is partner beleggingsfondsen van Pinsent Masons Luxemburg. Lous Vervuurt is advocaat bij Pinsent Masons en adviseert cliënten over financiële regelgeving en de naleving van anti-witwaswetgeving. Het advocatenkantoor is deel van het expertpanel van Investment Officer.