Luxembourg CSSF Updates Crypto Stance Post-MiCAR

Luxembourg’s financial regulator, the Commission de Surveillance du Secteur Financier (CSSF), issued Version 7 of its Frequently Asked Questions (FAQ) on February 4, 2026, revising its stance on crypto-assets for investment funds and credit institutions. This update, a “root-and-branch revision” according to K&L Gates LLP, integrates the European Union’s Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114), commonly known as MiCAR, into the national framework. MiCAR became fully applicable in all EU member states on January 24, 2025.

The CSSF replaced its initial FAQ from January 2022, which first outlined a framework for “virtual assets.” The latest revision updates every question and replaces all references to “virtual assets” with “crypto-assets,” adopting the definition from article 3(1)(5) of MiCAR. This terminological shift signifies a move from an ad hoc regulatory approach to one aligned with harmonized EU law, with all substantive changes in the February 2026 FAQ flowing directly from MiCAR.

The 2026 FAQ introduces several key adjustments and clarifications for various financial entities:

• UCITS: Direct investment in crypto-assets remains prohibited for Undertakings in Collective Investments (UCITS). Indirect investment, through transferable securities with crypto-assets as an underlying asset (provided derivatives are not embedded), is still permitted up to 10% of net asset value (NAV). These rules are now explicitly anchored in MiCAR, enhancing legal certainty. New explicit requirements include prior CSSF notification before investing, case-by-case risk assessment, establishment of adequate internal control functions, and investor disclosure obligations.
• AIFs: Alternative Investment Funds (AIFs) continue to be permitted to invest directly in crypto-assets, subject to applicable requirements and a 10% NAV cap for retail-accessible funds. The significant change is the explicit statement that AIF investments now fall under the scope of MiCAR, bringing the full MiCAR framework into play. Unlike UCITS, no specific prior notification requirement for AIFs has been introduced.
• Fund Manager Authorisation: The requirement for Luxembourg investment fund managers (IFMs) managing AIFs investing in crypto-assets to obtain prior CSSF authorisation under the Other-Other Fund-Crypto-assets strategy has been loosened. Authorisation is now only required when an AIF invests beyond 10% of its NAV. Additionally, IFMs must analyze their crypto-asset-related services against activities listed in article 60(5) of MiCAR, which may trigger further authorisation or notification obligations under MiCAR beyond existing fund management authorisations.
• Fund of Funds: The 2026 FAQ confirms that IFMs managing fund-of-funds structures are not required to hold the Other-Other Fund-Crypto-assets licence. However, they must assess each target fund manager’s ability to manage crypto-asset risks, including custody and operational risks, and be able to produce these assessments to the CSSF upon request.
• Depositaries: The depositary framework has undergone substantial transformation, replacing a general framework with a structured two-model approach under MiCAR. In both models, where crypto-assets qualify as other assets, the depositary’s liability is limited to safekeeping duties concerning ownership verification and record keeping.
  • Model 1 (Depositary Does Not Offer MiCAR Custody Services): The fund or its manager directly appoints a specialized crypto-asset service provider. Under this model, crypto-assets are not recognized on the depositary’s off-balance sheet, and the depositary is not liable for their restitution. The fund or IFM must maintain a direct contractual relationship with the crypto-asset service provider.
  • Model 2 (Depositary Offers MiCAR Custody Services): If the depositary itself provides custody and administration of crypto-assets, this triggers either full authorization as a crypto-asset service provider under article 62 of MiCAR or a notification procedure available to certain financial entities under article 60 of MiCAR. Under this model, crypto-assets are recognized on the depositary’s off-balance sheet, and the depositary assumes specific obligations under article 75 of MiCAR.

  Two distinct notification obligations are new: all depositaries must notify the CSSF in advance before acting for a fund investing directly in crypto-assets, and those intending to directly safeguard crypto-assets (Model 2) must separately inform the CSSF in a timely manner.

• AML/CFT: The core anti-money laundering/countering the financing of terrorism (AML/CFT) position remains that investing in crypto-assets increases the risk of money laundering, terrorist financing, and proliferation financing. The 2026 FAQ introduces operational detail, explicitly grounded in article 34 of CSSF Regulation 12-02. IFMs must compute a money laundering/terrorist financing (ML/TF) risk scoring for each crypto-asset investment and calibrate due diligence accordingly, considering the type of crypto-asset and acquisition method.

The primary reason for these updates is the entry into force of the European Union’s Markets in Crypto-Assets Regulation (MiCAR). MiCAR establishes a comprehensive EU-wide regulatory framework for crypto-assets, necessitating a complete overhaul of Luxembourg’s existing guidelines to ensure alignment and compliance with the new harmonized rules.

The updated framework is expected to impact how investment funds operate within Luxembourg, particularly concerning their exposure to crypto-assets and their interactions with service providers. IFMs and depositaries will need to adapt their internal processes and compliance frameworks to meet the new requirements, ensuring adherence to both CSSF guidelines and MiCAR. The focus on ML/TF risk scoring suggests an increased emphasis on granular risk assessment in the crypto-asset sector.

Follow Hashlytics on Bluesky, LinkedIn , Telegram and X to Get Instant Updates