You Need To Be Fully NIS2 Compliant In: 282 Days

Magdalena Mihalcea,
Sabika Ishaq

First stop: CIRCULAR CSSF 24/847 on ICT-related incident reporting framework

Circular CSSF 24/847 introduces a comprehensive framework for reporting ICT-related incidents in the financial sector. The aim is to gain a more detailed understanding of the nature, frequency, significance, and impact of such incidents within the context of a highly interconnected global financial system. The circular addresses the evolving ICT and security risks by expanding the incident coverage and introducing a structured reporting mechanism.

NIS2 has established a revised incident reporting timeline. Essential and important entities are required to promptly notify any incident with significant impact. Within 24 hours, an early warning, along with initial presumptions about the incident type, should be conveyed to the competent authority or CSIRT. A comprehensive notification report, encompassing the incident assessment, severity, impact, and indicators of compromise, must be communicated within 72 hours. A final report must be submitted after one month.

Key Changes and Framework Overview

  • Expanded Incident Coverage: The circular broadens the scope of incident reporting beyond fraud and external computer attacks, as outlined in Circular CSSF 11/504. It includes a wider range of ICT operational and security incidents while avoiding redundant reporting for incidents covered by other frameworks.
  • Classification-Based Reporting: Supervised Entities are mandated to classify ICT-related incidents based on criteria specified in the circular. Notifiable cases include those classified as major or significant incidents, enhancing the precision and relevance of incident reporting.
  • New Incident Reporting Form: A new incident reporting notification form is introduced to gather data in a structured manner. Supervised Entities are required to complete and submit this form for incidents classified as major or significant, ensuring a standardized reporting process.

Framework Applicability

  • General Requirements (Chapter 2): Applicable to all Supervised Entities, including their branches in Luxembourg, and entities incorporated in third countries with branches in Luxembourg.
  • Specific Requirements under NIS Law and CSSF Regulation No 24-01 (Chapter 3): Applicable to Supervised Entities classified as OES (Operators of Essential Services) or DSP (Digital Service Providers).

Confirmation of Status by CSSF

CSSF, in its role as the NIS authority, will reconfirm the status of Supervised Entities as OES or DSP by March 1, 2024.

Entities that do not receive confirmation by this date are not designated as OES or DSP, although they may be designated in the future.

Incidents to be Notified

  • Successful malicious unauthorized access to network and information systems is considered a major ICT-related incident.
  • Other incidents, classified as major ICT-related incidents according to specified criteria, are also notifiable.
  • Exceptions include incidents falling under PSD2 Major Incident Reporting, Cyber Incident Reporting for Supervised Entities directly supervised by the ECB (excluding OES), and incidents outlined in Commission Delegated Regulation (EU) 2017/392.

Entering into force

1 April 2024

  • Credit institutions and professionals of the financial sector within the meaning of the LFS
  • Approved publication arrangements (APAs) with a derogation and authorised reporting mechanisms (ARMs) with a derogation within the meaning of the LFS
  • Payment institutions and electronic money institutions within the meaning of the LPS
  • POST Luxembourg governed by the Law of 15 December 2000 on postal financial services
  • Central counterparties (CCPs) within the meaning of Article 2(1) of EMIR, including Tier 2 third-country CCPs within the meaning of Article 25(2a) of EMIR, complying with the relevant requirements of EMIR in accordance with point (a) of Article 25(2b) of EMIR
  • Central securities depositories within the meaning of the CSD Law
  • Administrators of critical benchmarks within the meaning of point (b) of Article 20(1) of the Benchmark Regulation
  • Crowdfunding Service Providers within the meaning of the Law of 16 July 2019 on the operationalisation of European regulations in the area of financial services
  • Credit institutions and the financial market infrastructures for which according to Article 3 of the NIS Law the CSSF is the competent authority in terms of network and information security and that have been identified as OES
  • Support PSF authorised in accordance with Article 29-3 of the LFS for which according to Article 3 of the NIS Law the CSSF is the competent authority in terms of network and information security and that have been informed by the CSSF of their consideration as DSP under the NIS Law.

1 June 2024

  • Management companies incorporated under Luxembourg law and subject to Chapter 15 of the UCITS Law
  • Management companies incorporated under Luxembourg law and subject to Articles 125-1 or 125-2 of Chapter 16 of the UCITS 2010 Law
  • Luxembourg branches of IFMs subject to Chapter 17 of the UCITS Law
  • Investment companies which did not designate a management company within the meaning of Article 27 of the UCITS Law
  • Alternative investment fund managers authorised under Chapter 2 of the AIFM Law
  • Internally managed alternative investment funds within the meaning of point (b) of Article 4(1) of the AIFM Law.

