The CSSF has recently reiterated a key message for all supervised entities: if a major ICT-related incident occurs, it must be reported—promptly and without exception.
The Commission de Surveillance du Secteur Financier (CSSF) has issued two Circulars, CSSF 25/893 and CSSF 25/892, that reinforce Luxembourg's implementation of the Digital Operational Resilience Act (DORA). Together they set out the regulatory framework for classifying and reporting ICT-related incidents and for estimating the financial impact (aggregated costs and losses) of such incidents. Luxembourg branches of financial entities whose head office is in another EU Member State (EU branches) report major ICT-related incidents, significant cyber threats and their financial-impact estimates to the competent authority of their home Member State under DORA, and are therefore excluded from the scope of these circulars.
The three European Supervisory Authorities (EBA, EIOPA and ESMA, collectively the ESAs) have published the second batch of policy products under the Digital Operational Resilience Act (DORA). This release comprises four final draft regulatory technical standards (RTS), one set of implementing technical standards (ITS) and two guidelines, all intended to strengthen the digital operational resilience of the EU financial sector.
The CSSF and the CAA (Commissariat aux Assurances) are authorised to impose administrative sanctions and measures for violations of specific articles of Regulation (EU) 2022/2554 (DORA). These sanctions can be applied to both individuals and organisations, including directors and the persons responsible within the entities.
As the deadline for compliance with Circular CSSF 24/847 on the ICT-related incident reporting framework approaches, financial institutions are under mounting pressure to ensure their detection, classification and reporting processes meet the new requirements. With the 1 April deadline close, organisations need to act swiftly to avoid potential penalties and reputational damage.
Circular CSSF 24/847 introduces a comprehensive framework for reporting ICT-related incidents in the financial sector. The aim is to gain a more detailed understanding of the nature, frequency, significance, and impact of such incidents within the context of a highly interconnected global financial system. The circular addresses the evolving ICT and security risks by expanding the incident coverage and introducing a structured reporting mechanism.
In the rapidly evolving financial landscape, regulatory compliance is more than a checkbox; it is a fundamental pillar of the stability and integrity of financial markets. Two key regulations governing outsourcing and third-party ICT services in financial entities are Circular CSSF 22/806 and DORA (Digital Operational Resilience Act). While they share a number of similarities, the distinctive features of DORA offer some important benefits.