CSSF 2026 Supervisory Priorities for Investment Fund Sector

CSSF News

Published March 31st, 2026

Detected March 31st, 2026

Summary

The CSSF published its 2026 supervisory priorities for the investment fund sector, identifying governance/operational risks, ICT/cyber risks, and third-party risk management as key focus areas. The regulator will conduct supervisory actions including follow-up on ESMA Common Supervisory Actions on internal audit, compliance, and risk management functions, as well as a study on third-party risk compliance with ESMA's 14 principles. DORA implementation monitoring remains a priority for Luxembourg investment fund managers.

View original document View source feed page

What changed

The CSSF has identified three core supervisory priorities for 2026: (1) governance/operational risks, including follow-up on ESMA's CSA regarding internal audit and compliance functions, and a new CSA on risk management in H2 2026; (2) ICT/cyber risks with focus on DORA implementation monitoring per Circular CSSF 25/893; and (3) third-party risk management, with a new study assessing IFM compliance with ESMA's 14 principles on third-party risk supervision and Circular CSSF 18/698 delegation requirements.

Investment fund managers subject to CSSF supervision should review their internal control frameworks, ICT risk management procedures, and third-party delegation arrangements against the stated priorities. Compliance functions should ensure documentation is adequate for anticipated supervisory examinations. No specific compliance deadline is stated, but supervised entities should treat these priorities as indicative of where on-site and off-site scrutiny will focus throughout 2026.

What to do next

Review internal audit and compliance function arrangements against ESMA CSA findings
Assess third-party risk management frameworks against ESMA's 14 principles and Circular CSSF 18/698
Verify DORA implementation status and ICT incident reporting procedures per Circular CSSF 25/893

Source document (simplified)

Published on 31 March 2026 Communiqué

The CSSF’s 2026 priorities for supervising the investment fund sector

On the basis of the CSSF’s annual risk assessment to identify the main risks associated with the activities of investment funds and investment fund managers (“IFMs”) and giving due consideration to the broader economic and geopolitical context, the CSSF defined a number of key supervisory priorities and related actions to address these risks through its off-site and on-site supervisory work carried out under a risk-based approach. These priorities duly consider the core mission of the CSSF to ensure financial stability and investor protection. The actions also draw upon the Union Strategic Supervisory Priorities (USSPs) defined by ESMA and the IOSCO’s 2026 Work Program. In view of current geopolitical risks, specific risk surveillance for monitoring these risks and their impact on the investment fund sector will continue.

This document should not be considered exhaustive. It rather aims at drawing the attention of the market to a number of prominent matters that the CSSF will address in 2026. If deemed necessary, the CSSF’s supervisory priorities and related actions may be adjusted depending on emerging risks and regulatory developments.

Supervisory priorities and related supervisory actions

Governance/operational risks

The compliance of IFMs with the requirements relating notably to their organisational set-up and internal control functions has always been an important cornerstone of the CSSF’s off-site and on-site supervisory work. In this context, follow-up work in relation to the ESMA Common Supervisory Action (“CSA”) on the internal audit and compliance functions will be a priority for 2026. Furthermore, the CSSF will, in close coordination with ESMA and other national competent authorities, carry out in the second half of 2026 a CSA on the risk management function.

On 12 June 2025, ESMA published 14 principles on third-party risk supervision to promote a consistent and effective supervisory approach across the European Union. These principles address the growing risks associated with the use of third-party providers by supervised entities, aiming to provide a common basis for national competent authorities and ESMA to strengthen supervision frameworks and assist supervised entities in better understanding and managing these risks. As part of its oversight of IFMs, the CSSF will launch in 2026 a study among a sample of IFMs to assess their compliance with these principles and those related to delegation outlined in Circular CSSF 18/698. The review will cover the integration of a comprehensive and effective operational framework for third-party risk management into the overall risk management process.

ICT/cyber risks

The use of information and communication technology (“ICT”) in the value chain of investments funds and the growth of digitalisation expose IFMs to increased ICT-related risks (including cyber risks).

Against this backdrop, the incorporation of the EU Digital Operational Resilience Act (“DORA”) requirements in the supervisory working programs of IFMs and the risk-based monitoring of the implementation of these requirements by IFMs are key priorities. This includes the procedures and reports established by IFMs in relation to the management of ICT-related risks and considers the major ICT-related incidents notified to the CSSF in accordance with Circular CSSF 25/893 on reporting major ICT-related incidents and significant cyber threats.

Liquidity risks and credit risks

In the document “ Macroprudential Policy for Investment Funds: Considerations by the CSSF ” (“CSSF Macroprudential Policy Considerations“) of 10 June 2024, the CSSF informed that liquidity mismatch is one of the vulnerabilities identified in relation to open-ended investment funds. In view of the developments of open-ended private assets funds (so-called “semi-liquid funds”, including open-ended ELTIFs), the CSSF will conduct further thematic, sample-based reviews concerning the liquidity risk management processes employed by IFMs managing such funds. In that context, reviews will also cover the credit risk management process (including credit granting) pertaining to funds with material exposure to private debt.

Another focus area will be the compliance with the requirements relating to the selection and use of liquidity management tools by IFMs managing open-ended funds and their operational implementation (see CSSF communiqué of 18 March 2026). In this context, supervisory stress tests will be further developed, notably due to the geopolitical environment and rising market risks, to better monitor margin/collateral calls associated with the use of financial derivative instruments and repurchase agreement transactions (“repos”).

Contagion risks/Interconnectedness

As part of its Macroprudential Policy Considerations, the CSSF also pointed to the vulnerabilities of leverage and interconnectedness. Given the wider geopolitical context and associated large uncertainties weighing on financial markets, the CSSF will continue specific risk monitoring in relation to AIFs and UCITS with higher levels of leverage.

Asset valuation risk

Over the past years, against the backdrop of successive crisis episodes, the global geopolitical and economic environment and the substantial increase of assets under management of AIFs investing in less liquid/illiquid assets, the CSSF has intensified its focus and scrutiny on valuation risks within the asset management sector. Significant supervisory work has been carried out in that context (e.g. CSSF Feedback Report on the CSA, CSSF Feedback Report – Self-assessment questionnaire, separate report and management letter for funds, CSSF Annual Report 2024 sharing feedback from on-site controls). Valuation remains a key supervisory priority, with notably a focus on on-site controls pertaining to the valuation organisation of IFMs as well as thematic sample-based reviews relating to open-ended private assets funds (including continuation funds). The correct implementation of Circular CSSF 24/856 concerning NAV calculation errors, instances of non-compliance with the investment rules and other errors at UCI level will be monitored by the CSSF.

Sustainable finance

In accordance with the CSSF’s communiqué of 2 March 2026 setting out, amongst others, the supervisory priorities for the investment management industry in relation to sustainable finance, the CSSF will apply a risk-based approach by integrating both on-site and off-site supervisory work on the verification of the integration of sustainability risks in the organisational arrangements of IFMs as well as the compliance and consistency of the sustainability-related disclosures, including portfolio analyses.

Costs and fees

Supervisory work to verify that IFMs act in the best interest of investors and in particular in such a way as to prevent undue costs being charged to investment funds and investors has been a focus over the last years, as stated in the CSSF’s annual reports, but also in the ESMA successive reports pertaining to costs/performance (e.g. ESMA Market Report – Report on total costs of investing in UCITS and AIFs, ESMA Market Report – Costs and Performance of EU Retail Investment Products 2025). Based on the information collected by means of the Fund Self-Assessment Questionnaires/Separate Reports, thematic reviews will continue to identify fund outliers in relation to the overall level of costs/fees as well as to performance fees and transaction costs.

ML/TF/PF risks

The fight against money laundering, terrorist financing and proliferation financing remains a key priority. Our commitment to maintaining financial integrity involves the continuation of the CSSF’s risk-based supervision and the active contribution to defining international standards, notably at the level of the IOSCO AML Network to support supervisory convergence.