
Reminder: ICT Incident Reporting – Execution Is the Real Challenge

By: Sabika Ishaq, Magdalena Mihalcea
The CSSF has recently reiterated a key message for all supervised entities: if a major ICT-related incident occurs, it must be reported—promptly and without exception.

Public attention or media coverage does not exempt you from regulatory obligations.

 

ICT Incident Reporting Timeline

  • Initial notification: Within 4 hours of classification (and no later than 24 hours after detection)
  • Intermediate report: Within 72 hours (3 working days) of the initial report
  • Final report: Within 1 month (20 working days), with full root cause, impact, and remediation details

 

Which Circular Applies to You?

CSSF 24/847

  • Applies to: Non-DORA supervised entities (e.g. entities under NIS 1)
  • Covers: Major ICT-related incidents such as cyber-attacks or system failures
  • Submission: CSSF incident reporting template

CSSF 25/893

  • Applies to: DORA-regulated entities and PSPs (Payment Service Providers), with a 6-month transition period for non-DORA PSPs
  • Covers: Major ICT-related incidents and significant cyber threats (aligned with DORA RTS 2024/1772)
  • Submission: Via CSSF eDesk portal or API (S3 protocol)

 

Clarity is not the issue. Execution is.

Ask yourself:

  • Can your teams detect, classify, and escalate incidents within hours?
  • Are legal, compliance, and IT aligned in real time?
  • Is your response plan actually tested — or just theoretical?

By the time you reach the CSSF’s submission portal, the hard work should already be done:

  • Clear roles
  • Practiced escalation workflows
  • No second-guessing under pressure

 

Contact

If you have any questions, please contact our Chief Information Security Officer, Sabika Ishaq, or our Senior Information Security Manager, Magdalena Mihalcea.