CTG Luxembourg Authorised as a Cloud Resource Operator for Office 365

The good news arrived at the start of March for CTG Luxembourg, when the company received authorisation from the CSSF (Commission de Surveillance du Secteur Financier) to offer regulated players in the finance sector a service based on Office 365, a public cloud platform. "The idea is to allow our regulated customers to use the solutions offered by Office 365, such as direct mailing, collaboration, storage, file-sharing, and workflows," explains Frédéric Warrant, Solution Architect at CTG Luxembourg. "As simple as this may seem, these tools placed on public cloud could not be used by supervised financial institutions before the CSSF's first cloud circular in 2017."

Capitalising on Past Work

It took the CSSF three months to grant CTG Luxembourg this authorisation. The conditions to be met for sub-contracting cloud solutions such as Office 365 are drastic and, in addition, it takes time to verify their implementation. Fortunately, CTG Luxembourg was able to capitalise on its past experience. "The main condition is to be able to provide a Cloud Officer, a reference person for cloud services," explains Frédéric Warrant. "It is also necessary to prove that a series of good governance rules have been set up: to have carried out a risk assessment, organised external backup, defined an exit strategy, etc. That said, we had already performed some major migrations to Office 365 for certain large non-regulated structures. Therefore, in technical terms, we were qualified to meet the CSSF's requirements."

Real Benefits for Customers

Rather than completing the complex procedures for obtaining their authorisation themselves, companies regulated by the CSSF can ask CTG Luxembourg to perform their migration to the Office 365 public cloud platform and also to manage it. "This is particularly useful for the very smallest structures that do not have a large compliance team able to manage this process," explains Warrant. "Therefore, they can request packaged services from us with Office 365 products and their administration. As such, their role is limited to notifying the CSSF, a much easier and less restrictive process than the authorisation request initially required." That said, CTG Luxembourg can also work as a cloud resource operator for larger companies that have already obtained their own authorisation from the CSSF.

In the future, CTG Luxembourg wants to continue to develop its cloud offer for regulated players by requesting authorisations from the CSSF for other products based on public cloud.