Modernisation of the Luxembourg law on the insurance sector: what’s new and how does it impact the insurance secrecy regime?


On 2 April 2024, the law of 29 March 2024 modernising the Luxembourg insurance sector was published in the Official Journal of the Grand Duchy of Luxembourg (the “Law”). The Law will enter into force and start applying as from 6 April 2024.

General Overview

The Law aims at (i) implementing Directive (EU) 2021/2118 of 24 November 2021 relating to insurance against civil liability in respect of the use of motor vehicles, and the enforcement of the obligation to insure against such liability and (ii) amending several laws, notably the law of 7 December 2015 on the insurance sector, as amended (the “2015 Law”).

The Law provides for:

  • the establishment of a new public institution called Fonds d’Insolvabilité en Assurance Automobile[1] (FIAA) to compensate injured parties residing in Luxembourg in case of damage to property or personal injury caused by a vehicle insured by an insurance undertaking established in the European Union and which is subject to insolvency or winding-up proceedings,
  • updates to the law of 16 April 2003 on compulsory civil liability insurance for motor vehicles,
  • changes in the corporate governance of the Commissariat aux Assurances (the “CAA”),
  • specifications regarding domiciliation activities carried out by professionals of the insurance sector,
  • the extension to insurance holding undertakings subject to the CAA supervision of the requirement to have their accounts audited by an approved auditor (réviseur d’entreprises agréé) in the same way as insurance companies, reinsurance companies or pension funds,
  • amendments to the amended law of 15 March 2016 on OTC derivatives, central counterparties and trade repositories, to include corporate law restrictions on the resolution of a central counterparty and thus complete the implementation of Regulation (EU) 2021/23 on a framework for the recovery and resolution of central counterparties,
  • the possibility to outsource digital documents and data storage and processing (“ICT”) to critical ICT third-party service providers established in the European Union (“EU”), as defined under Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”).
  • specifications relating to the consent requirement of certain life-insurance policyholders in case of outsourcings carried out by a relevant life-insurance undertaking.

Professional and Insurance Secrecy

The Law brings three significant amendments to the currently applicable professional secrecy regime which relate to: (1) the outsourcing of digital storage and processing of documents and data to critical third-party ICT service providers under DORA, (2) policyholders’ consent for outsourcings in the context of life-insurance policies; and (3) professional secrecy requirements applicable to auditors.

By way of background, the 2015 Law provides for a criminally sanctioned insurance secrecy obligation, applicable to certain natural and legal persons established in Luxembourg that are subject to the prudential supervision of the CAA or of a foreign supervisory authority. The 2015 Law sets forth limited exemptions to this obligation, notably in case of outsourcing. The Law further extends the scope of exemptions to the insurance secrecy obligation, as set out below. 

       (1) Outsourcing of digital storage and processing of documents and data to critical third-party ICT service providers under DORA

Currently, accounting ledgers and other documents relating to the business activities of Luxembourg insurance and reinsurance undertakings must be held in the Grand-Duchy of Luxembourg at all times. The Law introduces a new exemption to this rule, where Luxembourg insurance and reinsurance undertakings may outsource the digital storage and processing of documents and related data to critical third-party ICT service providers (as defined under DORA), provided that the critical third-party ICT service provider is (i) located in Luxembourg or in another Member State and (ii) is subject to the supervision of a European supervisory authority.

       (2) Policyholders’ consent for outsourcings in the context of life-insurance policies

The 2015 Law further provides that the obligation of secrecy does not exist with regards to entities in charge of the provision of outsourced services and with regard to employees and other persons working for such entities, insofar as the policyholder has accepted, in accordance with the law or with the information arrangements agreed between the parties, the following elements:

  • the outsourcing itself,
  • the type of information transmitted in the context of the outsourcing, and
  • the country of establishment of the entity or entities providing the outsourced services.

The Law introduces a new procedure, limited to certain life-insurance agreements, whereby life-insurance undertakings must send registered letters to policyholders to obtain their consent in the context of outsourcing arrangements. This requirement only applies to life insurance agreements falling under classes I, III or VI of Annex II of the 2015 Law and that were concluded before the entry into force of the Law. The Law further specifies that if the insurance undertaking is unsuccessful in its attempts to contact the policyholder, the silence of the policyholder is deemed to constitute a tacit acceptance of the outsourcing. 

      (3) Professional secrecy requirements applicable to auditors

Lastly, the Law amends the 2015 Law to provide that auditors (réviseurs d’entreprise) are expressly released from their professional secrecy obligation when providing documents and information requested by the CAA for supervisory purposes.

This amendment thus extends the previous exemption allowing auditors to communicate audit reports and annual accounts of insurance undertakings to the CAA.

*           *           *

Should you have any questions on the above, please do not hesitate to contact one of our experts of the insurance team.

[1] Motor Insurance Insolvency Fund