
Important Regulatory Update from the CSSF: Stay Informed and Supported

By: Magdalena Mihalcea
The Commission de Surveillance du Secteur Financier (CSSF) has issued two Circulars — CSSF 25/893 and CSSF 25/892 — that reinforce Luxembourg’s commitment to implementing the Digital Operational Resilience Act (DORA). Together they provide a regulatory framework for classifying and reporting ICT-related incidents and for estimating the financial impact of such incidents. Luxembourg branches of financial entities whose head office is in another EU Member State (EU branches) report major ICT-related incidents, significant cyber threats and their cost and loss estimations to the competent authority of their home Member State under DORA, and are therefore excluded from the scope of both circulars.

Circular CSSF 25/893: reporting of major ICT incidents and significant cyber threats

This Circular applies to all financial entities covered under DORA, as well as Payment Service Providers (PSPs) not directly within DORA’s scope — including POST Luxembourg and third-country branches operating in Luxembourg. These entities are now required to comply with DORA reporting obligations, streamlining the regulatory framework and avoiding fragmented reporting channels.

Payment Service Providers (PSPs) not under DORA must classify ICT-related incidents and cyber threats using the criteria and thresholds in Chapters I–III of the RTS on classification. They are also required to fully comply with the RTS and ITS on incident reporting for notifying major ICT-related incidents and significant cyber threats. Chapters IV and V of the RTS on classification do not apply to them.

Key Requirements

  • Entities must classify ICT-related incidents and cyber threats using criteria and thresholds defined in the relevant Regulatory Technical Standards (RTS).
  • Major incidents and significant threats must be reported in three phases: Initial notification, Intermediate report and Final report.
  • These must be submitted via the CSSF eDesk portal or through an API interface (S3).
  • As defined in the RTS on incident reporting, notifications must adhere to strict time limits, depending on the nature and severity of the incident.
  • Even when reporting is outsourced, the financial entity remains fully accountable for the accuracy and timeliness of submissions. Any third-party arrangements must be declared to the CSSF in advance.
  • The CSSF has explicitly disallowed aggregated reporting of incidents — each major ICT-related event must be individually documented.

For Payment Service Providers (PSPs), this circular will take effect six months after its publication. During the transition period, they must continue to follow the classification criteria and reporting procedures outlined in Circular CSSF 24/847 and Circular CSSF 21/787, which implement the EBA Guidelines (EBA/GL/2021/03) on major incident reporting under PSD2.

For all other financial entities, this circular takes immediate effect and supersedes Circular CSSF 24/847 on the ICT-related incident reporting framework. Additionally, Circular CSSF 21/787, which implemented the EBA Guidelines (EBA/GL/2021/03) on major incident reporting under PSD2, is no longer applicable to them.

Furthermore, six months after the publication date of this circular, Circular CSSF 21/787 on application of the EBA Guidelines (EBA/GL/2021/03) on major incident reporting under PSD2 will be repealed.


Circular CSSF 25/892: estimation of aggregated annual costs and losses

In line with Article 11(11) of DORA, this Circular adopts the Joint Guidelines (JC 2024 34) developed by the European Supervisory Authorities (ESAs) — EBA, EIOPA, and ESMA. These guidelines are designed to standardize how financial institutions estimate and report the financial impact of major ICT-related incidents. Microenterprises are not in scope of this Circular.

Upon request by the CSSF, financial entities must provide:

  • A comprehensive estimation of all costs and losses resulting from major ICT-related incidents, prepared using the official template provided in the ESA Guidelines.

Entities may choose between the calendar year and the accounting year (as defined in their financial statements) as the reference period. Once a method is selected, it must be used consistently in future reports.

Estimation Approach:

  • Only major incidents (as classified under DORA) are included.
  • Estimations must reflect data from financial statements or supervisory reports.
  • Any adjustments to previously reported incidents must be incorporated into the year when the adjustment occurred.

This circular applies from 31 May 2025.


What should you do next?

  • Conduct a gap analysis of your existing ICT incident response framework.
  • Update internal policies and reporting workflows to reflect the new DORA-aligned requirements.
  • Test reporting readiness by simulating major incident reporting via the CSSF eDesk or API.
  • Prepare to track financial losses in line with ESA guidelines, using the provided reporting templates.


Need help with DORA compliance?

Our team offers tailored advisory and operational support to help you align with DORA requirements — from incident classification systems to ICT risk governance frameworks. Get in touch with our regulatory experts today.


Contact

If you have any questions, please contact our Chief Information Security Officer, Sabika Ishaq, or our Senior Information Security Manager, Magdalena Mihalcea.