The CSSF has recently reiterated a key message for all supervised entities: if a major ICT-related incident occurs, it must be reported—promptly and without exception.
Public attention or media coverage does not exempt you from regulatory obligations.
ICT Incident Reporting Timeline
- Initial notification: Within 4 hours of classification (and no later than 24 hours after detection)
- Intermediate report: Within 72 hours (3 working days) of the initial report
- Final report: Within 1 month (20 working days), with full root cause, impact, and remediation details
Which Circular Applies to You?
CSSF 24/847
- Applies to: Non-DORA supervised entities (e.g. entities under NIS 1)
- Covers: Major ICT-related incidents such as cyber-attacks or system failures
- Submission: CSSF incident reporting template
CSSF 25/893
- Applies to: DORA-regulated entities and PSPs (Payment Service Providers), with a 6-month transition period for non-DORA PSPs
- Covers: Major ICT-related incidents and significant cyber threats (aligned with DORA RTS 2024/1772)
- Submission: Via CSSF eDesk portal or API (S3 protocol)
Clarity is not the issue. Execution is.
Ask yourself:
- Can your teams detect, classify, and escalate incidents within hours?
- Are legal, compliance, and IT aligned in real time?
- Is your response plan actually tested — or just theoretical?
By the time you reach the CSSF’s submission portal, the hard work should already be done:
- Clear roles
- Practiced escalation workflows
- No second-guessing under pressure
Contact
If you have any questions, please contact our Chief Information Security Officer, Sabika Ishaq, or our Senior Information Security Manager, Magdalena Mihalcea.