The CSSF Circular 24/847 establishes a new ICT-related incident reporting system with the goal of obtaining a more comprehensive and organized understanding of the characteristics, occurrence rate, importance, and consequences of ICT-related incidents. This initiative also takes into account the escalating ICT and security threats within the framework of an increasingly interconnected global financial system.

Scope & Implementation Date:

Universal Provisions (Chapter 2 of Circular) apply to all Supervised Entities listed below, including their Luxembourg branches and third-country entities with Luxembourg branches.

Specific Provisions (Chapter 3 of Circular) under NIS Law and CSSF Regulation No 24-01 apply to Supervised Entities identified as OES (Operators of Essential Services) or DSP (Digital Service Providers).

The CSSF circular is applicable (and replace CSSF circular 11/504) from April 1, 2024 for :

  • Credit institutions;
  • Professionals of the financial sector within the meaning of the LFS:
    • Investment firms;
    • Specialized PFS;
    • Support PFS.
  • Approved publication arrangements (APAs) with a derogation and authorised reporting mechanisms (ARMs) with a derogation;
  • Payment institutions and electronic money institutions within the meaning of the LPS;
  • POST Luxembourg ;
  • Central counterparties (CCPs);
  • Central securities depositories;
  • Administrators of critical benchmarks;
  • Crowdfunding Service Providers;
  • Credit institutions and financial market infrastructures that have been identified as OES;
  • Support PSF that have been informed by the CSSF of their consideration as DSP under the NIS Law.

 

The CSSF circular is applicable (and replace CSSF circular 11/504) from June 1, 2024 for :

  • Management companies (Chapter 15 & Chater 16);
  • Luxembourg branches of IFMs subject to Chapter 17 of the UCITS Law;
  • Investment companies which did not designate a management company;
  • Alternative investment fund managers authorised under Chapter 2 of the AIFM Law;
  • Internally managed alternative investment funds.

Significant changes to the current incident reporting system:

  1. Expansion of Incident Coverage: The existing incident reporting scope, limited to fraud and incidents resulting from external computer attacks, as outlined in CSSF Circular 11/504, is expanded to encompass a broader range of ICT operational and security incidents.
    This expansion aims to prevent redundant reporting for incidents that should be reported under other incident notification frameworks.

  2. Classification-Based Reporting: Supervised Entities will now be required to classify ICT-related incidents based on predefined criteria set forth in this Circular. Additionally, they must notify the CSSF of incidents classified as major or significant.
    This classification-based approach enhances the granularity of incident reporting.

     

  3. Introduction of a New Notification Form: To streamline the collection of structured data, Supervised Entities must complete and submit an ICT-related incident notification form in instances where an ICT-related incident is classified as major or significant.
    This form facilitates the reporting process and ensures consistency in the data collected.

     

  4. Incorporation of NIS Law Requirements: A specific chapter is included in this Circular to consolidate incident notification requirements that were previously communicated via bilateral communications to Supervised Entities falling under the jurisdiction of the NIS Law. This integration allows for the application of the new incident reporting notification forms and practical requirements to incidents that have been assessed as significant under the NIS Law.
    This alignment ensures a unified and comprehensive approach to incident reporting and compliance.

Incidents to be notified

  • Any successful malicious unauthorized access to networks and information systems;
  • Other incidents deemed major according to the section 2.2. of CSSF Circular 24/847

Useful Resources

Discover our other publications :

News

Directive (UE) 2024/1640 (AMLD6)

La Directive (UE) 2024/1640 (AMLD6) réforme profondément les approches réglementaires, en se concentrant uniquement sur les responsabilités spécifiques des États membres, tandis que les obligations du secteur privé sont transférées au Règlement AMLR

More information
AMLR
News

Règlement (UE) 2024/1624 (AMLR)

Le Règlement (UE) 2024/1624, aussi connu sous le nom d’AMLR, ou de Règlement Unique, établit des exigences uniformes en matière de LBC/FT qui seront directement applicables dans tous les États membres.

More information
en_GBEnglish