The CSSF Circular 24/847 establishes a new ICT-related incident reporting system with the goal of obtaining a more comprehensive and organized understanding of the characteristics, occurrence rate, importance, and consequences of ICT-related incidents. This initiative also takes into account the escalating ICT and security threats within the framework of an increasingly interconnected global financial system.

Scope & Implementation Date:

Universal Provisions (Chapter 2 of Circular) apply to all Supervised Entities listed below, including their Luxembourg branches and third-country entities with Luxembourg branches.

Specific Provisions (Chapter 3 of Circular) under NIS Law and CSSF Regulation No 24-01 apply to Supervised Entities identified as OES (Operators of Essential Services) or DSP (Digital Service Providers).

The CSSF circular applies (and replaces CSSF Circular 11/504) from April 1, 2024 for:

  • Credit institutions;
  • Professionals of the financial sector within the meaning of the LFS:
    • Investment firms;
    • Specialized PFS;
    • Support PFS.
  • Approved publication arrangements (APAs) with a derogation and authorised reporting mechanisms (ARMs) with a derogation;
  • Payment institutions and electronic money institutions within the meaning of the LPS;
  • POST Luxembourg;
  • Central counterparties (CCPs);
  • Central securities depositories;
  • Administrators of critical benchmarks;
  • Crowdfunding Service Providers;
  • Credit institutions and financial market infrastructures that have been identified as OES;
  • Support PFS that have been informed by the CSSF of their consideration as DSP under the NIS Law.

The CSSF circular applies (and replaces CSSF Circular 11/504) from June 1, 2024 for:

  • Management companies (Chapter 15 & Chapter 16);
  • Luxembourg branches of IFMs subject to Chapter 17 of the UCITS Law;
  • Investment companies which did not designate a management company;
  • Alternative investment fund managers authorised under Chapter 2 of the AIFM Law;
  • Internally managed alternative investment funds.

Significant changes to the current incident reporting system:

  1. Expansion of Incident Coverage: The existing incident reporting scope, limited to fraud and incidents resulting from external computer attacks, as outlined in CSSF Circular 11/504, is expanded to encompass a broader range of ICT operational and security incidents.
    This expansion aims to prevent redundant reporting for incidents that should be reported under other incident notification frameworks.

  2. Classification-Based Reporting: Supervised Entities will now be required to classify ICT-related incidents based on predefined criteria set forth in this Circular. Additionally, they must notify the CSSF of incidents classified as major or significant.
    This classification-based approach enhances the granularity of incident reporting.

  3. Introduction of a New Notification Form: To streamline the collection of structured data, Supervised Entities must complete and submit an ICT-related incident notification form in instances where an ICT-related incident is classified as major or significant.
    This form facilitates the reporting process and ensures consistency in the data collected.

  4. Incorporation of NIS Law Requirements: A specific chapter is included in this Circular to consolidate incident notification requirements that were previously communicated via bilateral communications to Supervised Entities falling under the jurisdiction of the NIS Law. This integration allows for the application of the new incident reporting notification forms and practical requirements to incidents that have been assessed as significant under the NIS Law.
    This alignment ensures a unified and comprehensive approach to incident reporting and compliance.

Incidents to be notified

  • Any successful malicious unauthorized access to networks and information systems;
  • Other incidents deemed major according to section 2.2 of CSSF Circular 24/847.
