Luxembourg Financial Services Regulator CSSF Updates Its Position on Crypto-Assets in Investment Funds: What Has Changed Since 2022?

•March 25, 2026

National Law Review – Employment Law•Mar 25, 2026

Why It Matters

The overhaul gives Luxembourg fund managers clear, EU‑harmonised rules, reducing regulatory uncertainty and shaping compliance, custody, and authorisation strategies across the industry.

Key Takeaways

•CSSF FAQ now references MiCAR definition of crypto‑assets.
•UCITS indirect crypto exposure capped 10% NAV, direct still prohibited.
•AIFs can invest directly; authorisation only above 10% NAV.
•Depositaries must notify CSSF; two custody models defined.
•Managers must assess services under MiCAR article 60(5).

Pulse Analysis

The European Union’s Markets in Crypto‑Assets Regulation (MiCAR) finally provides a continent‑wide framework for digital tokens, and Luxembourg’s CSSF has embraced it by rewriting its 2022 FAQ. By adopting MiCAR’s definition of "crypto‑assets," the regulator moves from an ad‑hoc approach to a harmonised legal basis, giving fund sponsors and investors a clearer view of permissible activities. This shift also standardises disclosure, risk‑assessment, and notification obligations, aligning Luxembourg’s market with the broader EU landscape and reducing the compliance burden of navigating divergent national rules.

For collective investment schemes, the updated guidance draws a sharp line between UCITS and AIFs. UCITS can continue to hold crypto‑linked securities indirectly, but the 10 % NAV ceiling and prohibition on direct holdings remain unchanged, now reinforced by explicit MiCAR references. AIFs enjoy broader latitude, with direct crypto‑asset investments permitted and authorisation only triggered when exposure exceeds the 10 % threshold. Fund managers must now evaluate their activities against MiCAR article 60(5), potentially invoking additional licensing or notification steps, and they must embed detailed crypto‑risk assessments into their governance frameworks.

The most consequential change concerns depositaries, which now operate under a two‑model system. Model 1 delegates custody to specialised crypto‑service providers, limiting the depositary’s liability to record‑keeping, while Model 2 sees the depositary itself providing MiCAR‑compliant custody, invoking full authorisation or notification under articles 62 and 60. Both models require prior CSSF notification, and AML/CFT regimes now demand granular risk‑scoring for each crypto‑asset transaction. Practically, fund sponsors should audit existing documentation, update risk‑management policies, and ensure that all required notifications are filed to avoid regulatory penalties and maintain investor confidence.