Introduction
In January 2022, we published a client alert1 examining the initial FAQ issued by Luxembourg’s financial sector regulator—the Commission de Surveillance du Secteur Financier (CSSF)—on the use of what it then called “virtual assets” by investment funds and credit institutions. That FAQ set out a cautious but constructive framework, permitting limited indirect exposure for undertakings in collective investments (UCITS) and opening the door to direct investment for certain alternative investment funds (AIFs).
Since then, the regulatory landscape has changed considerably. Most notably, the European Union’s Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) (MiCAR) has entered into force, bringing crypto-assets within a comprehensive EU-wide regulatory framework for the first time.2 Against that backdrop, the CSSF published Version 7 of its FAQ on 4 February 2026—a root-and-branch revision of the entire document, updating every single question and replacing all references to “virtual assets” with “crypto-assets.”
This alert summarises the key developments since 2022 and highlights the most significant changes fund managers, depositaries and compliance officers need to be aware of.
A New Framework: MiCAR
The most visible change is terminological: “virtual assets” has been replaced throughout by “crypto-assets,” using the definition in article 3(1)(5) of MiCAR. This is not merely cosmetic—it signals a shift from an ad hoc CSSF approach to one grounded in harmonised EU law. All substantive changes in the 2026 FAQ flow from MiCAR.
UCITS: Core Rules Unchanged, Framework Sharpened
The fundamental position for UCITS has not changed: direct investment in crypto-assets remains prohibited. Indirect investment—through transferable securities with crypto-assets as an underlying asset, provided those securities do not embed derivatives—remains permitted up to 10% of net asset value (NAV).
What is new is that these rules are now expressly anchored in MiCAR, providing greater legal certainty. Although already expected in 2022, the following are now more explicitly stated in the 2026 FAQ: (i) prior CSSF notification before investing in crypto-assets, (ii) case-by-case risk assessment as well as establishment of adequate internal control functions, and (iii) investor disclosure obligations.
Key Point for UCITS Managers
Given that MiCAR excludes financial instruments within the meaning of the Luxembourg law of 5 April 1993 on the financial sector, as amended, from its scope, the investment in securities, which qualify as financial instruments, in order to gain exposure to the crypto-asset sector, is not restricted under the CSSF’s FAQ framework.
AIFs: Broader Permissions, Now Under MiCAR
AIFs have always been permitted to invest directly in crypto-assets, subject to applicable requirements and—for retail-accessible funds—a 10% NAV cap. This has not changed. What is new is the explicit statement that AIF investments fall “under the scope of MiCAR,” bringing the full MiCAR framework into play. Unlike for UCITS, no specific prior notification requirement for AIFs has been introduced.
Fund Manager Authorisation: New MiCAR Consideration
Under the framework established before 2022, Luxembourg investment fund managers (IFMs) managing AIFs investing in crypto-assets were required to obtain prior CSSF authorisation under the “Other-Other Fund-Crypto-assets” strategy. That requirement has now been loosened in that a prior CSSF authorisation is only required where the AIF is investing in crypto-assets beyond 10% of its NAV.
In addition, the 2026 FAQ introduces an important additional obligation: IFMs must now analyse the services they perform in connection with crypto-assets against the activities listed in article 60(5) of MiCAR. This provision of MiCAR deals with financial entities (including IFMs) that may, by virtue of their activities in relation to crypto-assets, be providing crypto-asset services. Depending on the outcome, this may trigger additional authorisation or notification obligations under MiCAR, over and above existing fund management authorisations.
Fund of Funds
The 2026 FAQ (building on a clarification first introduced in 2023) confirms that IFMs managing fund-of-funds structures are not required to hold the “Other-Other Fund-Crypto-assets” licence. However, they must assess each target fund manager’s ability to manage crypto-asset risks—including custody and operational risks—and must be able to produce those assessments to the CSSF on demand.
Depositaries: The Most Significant Changes
The depositary framework has undergone the most substantial transformation since 2022. The January 2022 FAQ first confirmed that Luxembourg depositaries could act for funds investing directly in crypto-assets. The 2026 FAQ replaces that general framework with a structured two-model approach under MiCAR.
In both models, where crypto-assets qualify as “other assets,” the depositary’s liability is limited to safekeeping duties regarding ownership verification and record keeping.
Model 1
Depositary Does Not Offer MiCAR Custody Services
Where the depositary does not itself provide custody and administration of crypto-assets under MiCAR, the fund or its manager directly appoints a specialised crypto-asset service provider for that purpose. Under this model:
- The crypto-assets are not recognised on the depositary’s off-balance sheet;
- The depositary is not liable for the restitution of the crypto-assets; that liability remains with the crypto-asset service provider; and
- The fund or IFM must have a direct contractual relationship with the crypto-asset service provider.
Model 2
Depositary Offers MiCAR Custody Services
Where the depositary itself provides custody and administration of crypto-assets for the fund, this triggers either a full authorisation as a crypto-asset service provider under article 62 of MiCAR or a notification procedure available to certain financial entities under article 60 of MiCAR. Under this model:
- The crypto-assets are recognised on the depositary’s off-balance sheet; and
- The depositary has specific obligations under article 75 of MiCAR in respect of custody services.
Two distinct notification obligations apply—both new since 2022:
- All depositaries must notify the CSSF in advance before acting for a fund investing directly in crypto-assets.
- Depositaries intending to directly safeguard crypto-assets (Model 2) must separately inform the CSSF of that plan in a timely manner.
AML/CFT: Requirement for ML/TF Risk Scoring
The core anti-money laundering/countering the financing of terrorism (AML/CFT) position has not changed. Investing in crypto-assets—directly or indirectly—increases the risk of money laundering, terrorist financing and proliferation financing, and designated compliance officers are expected to demonstrate an adequate understanding of all three.
What is new is the operational detail introduced by the 2026 FAQ, which is now expressly grounded in article 34 of CSSF Regulation 12-02, as amended. IFMs must compute a money laundering/terrorist financing (ML/TF) risk scoring for each crypto-asset investment and calibrate due diligence accordingly, taking into account the type of crypto-asset and the method of acquisition. The fund’s designated compliance officers must demonstrate an adequate understanding of all three financial crime risk categories as they apply to crypto-assets.
What Should You Do Now?
The February 2026 update warrants a careful review of existing arrangements. In particular, you should:
- Review fund documentation and risk management policies for MiCAR compliance.
- As an IFM, conduct a fresh analysis of your activities under article 60(5) of MiCAR.
- As an IFM of a fund of funds, ensure target fund manager due diligence is documented and available for CSSF inspection.
- As a depositary, determine which custody model applies and give the required CSSF notifications.
- Ensure AML/CFT frameworks use ML/TF risk scoring in line with CSSF Regulation 12-02.
How We Can Help
Our investment funds and financial regulatory team advises fund managers, depositaries and institutional investors on Luxembourg fund law and the evolving crypto-asset regulatory framework. Please do not hesitate to get in touch.
This alert is for general information purposes only and does not constitute legal advice.
