The CSSF has recently reiterated a key message for all supervised entities: if a major ICT-related incident occurs, it must be reported—promptly and without exception.
The Commission de Surveillance du Secteur Financier (CSSF) has issued two Circulars — CSSF 25/893 and CSSF 25/892 — that reinforce Luxembourg’s commitment to implementing the Digital Operational Resilience Act (DORA). These circulars provide a comprehensive regulatory framework for ICT-related incident classification and reporting, as well as for estimating the financial impact of such incidents. Branches in Luxembourg of financial entities whose head office is based in another EU Member State (EU branches) are expected to report major ICT-related incidents, significant cyber threats and their estimations to the competent authority of their home Member State under DORA. As such, they are excluded from the scope of these circulars.
The three European Supervisory Authorities (EBA, EIOPA, and ESMA, collectively known as the ESAs) have unveiled the second batch of policy products under the Digital Operational Resilience Act (DORA). This latest release comprises four final draft regulatory technical standards (RTS), one set of Implementing Technical Standards (ITS), and two guidelines, all designed to bolster the digital operational resilience of the European Union’s financial sector.
The CSSF and the CAA are authorised to impose administrative sanctions and measures for violations of specific articles of Regulation (EU) 2022/2554. These sanctions can be applied to both individuals and organisations, including directors and other responsible persons within the supervised entities.
As the deadline for compliance with Circular CSSF 24/847 on the ICT-related incident reporting framework rapidly approaches, financial institutions face mounting pressure to ensure their systems are up to standard. With the 1st of April deadline just around the corner, it's imperative for organisations to act swiftly to avoid potential penalties and reputational damage.
Circular CSSF 24/847 introduces a comprehensive framework for reporting ICT-related incidents in the financial sector. The aim is to gain a more detailed understanding of the nature, frequency, significance, and impact of such incidents within the context of a highly interconnected global financial system. The circular addresses the evolving ICT and security risks by expanding the incident coverage and introducing a structured reporting mechanism.
In the rapidly evolving financial landscape, regulatory compliance is more than just a checkbox; it’s a fundamental pillar ensuring the stability and integrity of financial markets. Two key regulations governing outsourcing and third-party ICT services in financial entities are Circular CSSF 22/806 and DORA (the Digital Operational Resilience Act). While they share a number of similarities, the unique features of DORA offer some important benefits.
The European Central Bank ("ECB"), on July 24th, announced a public consultation on its Guide on effective Risk Data Aggregation and Risk Reporting ("RDARR"). The consultation is open until October 6th, and the ECB invites comments from banks and other stakeholders on effective risk data aggregation and risk reporting.
As the world grapples with the impacts of climate change, financial institutions and regulatory bodies increasingly recognise the importance of integrating sustainability into their operations. In response to this growing need, Luxembourg's Commission de Surveillance du Secteur Financier (CSSF) has recently outlined its supervisory priorities in sustainable finance, demonstrating its commitment to shaping a more environmentally and socially responsible financial sector.
From reporting periods starting 2024 onwards, the Corporate Sustainability Reporting Directive (CSRD) will require all large companies to report on sustainability policy and performance.
The CSSF released a new Circular on 14 October on IT/cloud outsourcing. This new Circular replaces the prior authorisation requirement with a prior notification requirement in the event of outsourcing a material activity, but not for business process outsourcing.