CSSF Circular 24/847

The CSSF Circular 24/847 establishes a new ICT-related incident reporting system with the goal of obtaining a more comprehensive and organized understanding of the characteristics, occurrence rate, importance, and consequences of ICT-related incidents. This initiative also takes into account the escalating ICT and security threats within the framework of an increasingly interconnected global financial system.

Scope & Implementation Date:

Universal Provisions (Chapter 2 of Circular) apply to all Supervised Entities listed below, including their Luxembourg branches and third-country entities with Luxembourg branches.

Specific Provisions (Chapter 3 of Circular) under NIS Law and CSSF Regulation No 24-01 apply to Supervised Entities identified as OES (Operators of Essential Services) or DSP (Digital Service Providers).

The CSSF circular is applicable (and replace CSSF circular 11/504) from April 1, 2024 for :

Credit institutions;
Professionals of the financial sector within the meaning of the LFS:
- Investment firms;
- Specialized PFS;
- Support PFS.
Approved publication arrangements (APAs) with a derogation and authorised reporting mechanisms (ARMs) with a derogation;
Payment institutions and electronic money institutions within the meaning of the LPS;
POST Luxembourg ;
Central counterparties (CCPs);
Central securities depositories;
Administrators of critical benchmarks;
Crowdfunding Service Providers;
Credit institutions and financial market infrastructures that have been identified as OES;
Support PSF that have been informed by the CSSF of their consideration as DSP under the NIS Law.

The CSSF circular is applicable (and replace CSSF circular 11/504) from June 1, 2024 for :

Management companies (Chapter 15 & Chater 16);
Luxembourg branches of IFMs subject to Chapter 17 of the UCITS Law;
Investment companies which did not designate a management company;
Alternative investment fund managers authorised under Chapter 2 of the AIFM Law;
Internally managed alternative investment funds.

Significant changes to the current incident reporting system:

Expansion of Incident Coverage: The existing incident reporting scope, limited to fraud and incidents resulting from external computer attacks, as outlined in CSSF Circular 11/504, is expanded to encompass a broader range of ICT operational and security incidents.
This expansion aims to prevent redundant reporting for incidents that should be reported under other incident notification frameworks.
Classification-Based Reporting: Supervised Entities will now be required to classify ICT-related incidents based on predefined criteria set forth in this Circular. Additionally, they must notify the CSSF of incidents classified as major or significant.
This classification-based approach enhances the granularity of incident reporting.
Introduction of a New Notification Form: To streamline the collection of structured data, Supervised Entities must complete and submit an ICT-related incident notification form in instances where an ICT-related incident is classified as major or significant.
This form facilitates the reporting process and ensures consistency in the data collected.
Incorporation of NIS Law Requirements: A specific chapter is included in this Circular to consolidate incident notification requirements that were previously communicated via bilateral communications to Supervised Entities falling under the jurisdiction of the NIS Law. This integration allows for the application of the new incident reporting notification forms and practical requirements to incidents that have been assessed as significant under the NIS Law.
This alignment ensures a unified and comprehensive approach to incident reporting and compliance.

Incidents to be notified

Any successful malicious unauthorized access to networks and information systems;
Other incidents deemed major according to the section 2.2. of CSSF Circular 24/847

Useful Resources

Discover our other publications :

News

Autorité de Lutte contre le Blanchiment de Capitaux (ALBC)

Le 19 juin 2024, le règlement du Parlement européen et du Conseil établissant l’ALBC (AMLA pour Anti Money Laundering Authority en Anglais) a été publié dans le Journal Officiel de l’Union Européenne.

4 juillet 2024

News

Directive (UE) 2024/1640 (AMLD6)

La Directive (UE) 2024/1640 (AMLD6) réforme profondément les approches réglementaires, en se concentrant uniquement sur les responsabilités spécifiques des États membres, tandis que les obligations du secteur privé sont transférées au Règlement AMLR

4 juillet 2024

News

Règlement (UE) 2024/1624 (AMLR)

Le Règlement (UE) 2024/1624, aussi connu sous le nom d’AMLR, ou de Règlement Unique, établit des exigences uniformes en matière de LBC/FT qui seront directement applicables dans tous les États membres.

4 juillet 2024

Cookie	Durée	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Scope & Implementation Date:

Significant changes to the current incident reporting system:

Incidents to be notified

Useful Resources

Autorité de Lutte contre le Blanchiment de Capitaux (ALBC)

Directive (UE) 2024/1640 (AMLD6)

Règlement (UE) 2024/1624 (AMLR)

Do you want to stay informed?

Follow-us on Linkedin !