BLOG POST

Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

New ICT incident reporting requirements under Circular 24/847 (Circular) of the Commission de Surveillance du Secteur Financier (CSSF), Luxembourg’s financial regulator, will come into effect on April 1. The Circular introduces a new ICT-related incident reporting framework and underscores the critical importance of proactive measures in safeguarding financial institutions against ICT and cyber threats.

Who does the Circular apply to?

The Circular applies to most supervised entities in the financial sector, including credit institutions, payment institutions, electronic money institutions, investment firms, alternative investment fund managers, central securities depositories, and crowdfunding service providers, among others.

The Circular also applies to Luxembourg branches of those entities with a head office in a third country or, where an entity’s head office is in another European Economic Area member state, to the extent that the ICT-related incident impacts areas under the CSSF’s oversight.

In respect of investment funds and fund managers, the requirements will apply from June 1, rather than April 1.

Incident Reporting

The Circular will require reporting to the CSSF of major ICT-related incidents.

The Circular includes criteria for classifying an ICT-related incident as major, based upon whether unauthorized access to an entity’s information technology systems was malicious or, if not malicious, the number of clients affected, the criticality of the services, the data losses entailed and the economic impact (among other considerations). Incidents must be assessed as “major” or not within 24 hours from detection, or by the next working day if that deadline falls on a weekend or public holiday. This approach is intended to streamline reporting procedures and enable organizations to allocate resources effectively according to the incident’s severity level.

Entities are required to report major incidents through specified channels, outlined in the Circular, and in accordance with the following timeframes:

  • Within four hours of classification as “major,” the entity must submit an initial notification to the CSSF containing general information about the incident.
  • Within three working days of the initial notification, the entity must submit an intermediate notification of, among other items, the incident cause, classification, and actual or estimated economic impact.
  • Within 20 working days of the intermediate notification, the entity must submit a final notification of a root cause analysis, lessons learned, and any other relevant information.
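To make the timeline concrete, the following is an added example (not from the post, the CSSF or the Circular itself) that derives each deadline from the detection and classification timestamps, counting working days and rolling a 24-hour assessment deadline that lands on a weekend or holiday to the next working day. The public-holiday set is a constructed placeholder, and carrying the clock time over unchanged when a deadline rolls forward is an assumption, not something the Circular states.

```python
from datetime import date, datetime, timedelta

# Assumed public-holiday set, constructed for this example (not Luxembourg's official calendar).
PUBLIC_HOLIDAYS = {date(2024, 5, 1)}

def is_working_day(d: date) -> bool:
    """Monday to Friday and not a public holiday."""
    return d.weekday() < 5 and d not in PUBLIC_HOLIDAYS

def roll_to_working_day(dt: datetime) -> datetime:
    """Weekend/holiday deadline -> next working day (assumption: clock time is kept)."""
    while not is_working_day(dt.date()):
        dt += timedelta(days=1)
    return dt

def add_working_days(dt: datetime, n: int) -> datetime:
    """Advance dt by n working days, skipping weekends and public holidays."""
    while n > 0:
        dt += timedelta(days=1)
        if is_working_day(dt.date()):
            n -= 1
    return dt

def reporting_deadlines(detected_at: datetime, classified_at: datetime) -> dict:
    """Circular timeline: classify within 24h of detection (rolled past weekends/holidays),
    initial +4h after classification, intermediate +3 working days, final +20 working days."""
    classify_by = roll_to_working_day(detected_at + timedelta(hours=24))
    initial_by = classified_at + timedelta(hours=4)
    intermediate_by = add_working_days(initial_by, 3)
    final_by = add_working_days(intermediate_by, 20)
    return {
        "classify_by": classify_by,
        "classification_late": classified_at > classify_by,  # flag a missed 24h assessment
        "initial_by": initial_by,
        "intermediate_by": intermediate_by,
        "final_by": final_by,
    }

def deadlines_iso(detected_iso: str, classified_iso: str) -> dict:
    """Same as reporting_deadlines with ISO-8601 strings in and out (for tickets and tests)."""
    out = reporting_deadlines(datetime.fromisoformat(detected_iso), datetime.fromisoformat(classified_iso))
    return {k: (v.isoformat(sep=" ") if isinstance(v, datetime) else v) for k, v in out.items()}

if __name__ == "__main__":
    # Constructed scenario: detected Friday morning, classified the following Monday.
    for k, v in deadlines_iso("2024-04-05 10:00", "2024-04-08 09:00").items():
        print(f"{k:20} {v}")
```

In the constructed scenario the Saturday assessment deadline rolls to Monday, and the final notification lands on 2024-05-10 because the assumed May 1 holiday is skipped in the working-day count.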

The Circular underscores the importance of post-incident analysis and remediation measures. In-scope entities are expected to conduct thorough assessments to identify root causes, implement corrective actions, and fortify defenses against future incidents.

Comparison to EU-wide Regulatory Expectations

There is overlap between the requirements of this Circular and EU-wide regulatory expectations.

The European Banking Authority (EBA) Guidelines on Outsourcing include a general obligation to report any “development that may have a material impact on the service provider’s ability to effectively carry out the critical or important function.” While this obligation is not specific to cyber or information security-related incidents (it is instead specific to outsourcing), to the extent the incident itself affects an outsourcing service provider’s ability to provide the services, this reporting obligation would apply.

The European Securities and Markets Authority (ESMA) Guidelines on Outsourcing to Cloud Service Providers include a general obligation to report incidents affecting the operation of the firm’s contracted service without undue delay. As with the EBA Guidelines above, while this is not specific to cyber or information security-related incidents, to the extent the incident itself affects a cloud service provider’s ability to provide the services, then this reporting obligation would apply.

The European Union’s Digital Operational Resilience Act (DORA), which aims to establish a comprehensive framework for digital operational resilience across the European Union, includes similar reporting obligations relating to “Major ICT-related incidents” (i.e., ICT-related incidents that have a high adverse impact on the network and information systems that support critical or important functions of the regulated entity). However, the reporting timeframes and content are still under consultation until summer 2024 and will not be effective until January 17, 2025, whereas the CSSF’s requirements will take effect from April 1 and June 1.

Summary

The Circular is intended not only to mitigate risks, but also to foster a culture of cybersecurity awareness and preparedness, safeguarding the stability and trustworthiness of the financial ecosystem in Luxembourg. These principles are consistent with the EBA Guidelines, the ESMA Guidelines, and, most closely, incoming requirements under DORA.

However, ahead of the implementation of DORA, financial entities within scope of the CSSF’s Circular will need to ensure that they are prepared, both organizationally and in their contracts with ICT service providers, to comply with these incident reporting requirements by April 1 or June 1.