The Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union (hereafter “NIS Directive”) has been transposed into the Luxembourgish Law of 28 May 2019 (hereafter “NIS Law”).
According to Article 3 of the NIS Law, the CSSF is the competent authority in terms of network and information security for the credit institutions, the financial market infrastructures, and Digital Service Providers (hereafter “DSP”) which are already under the supervision of the CSSF.
Amongst the responsibilities of the CSSF are the designation of essential services by means of regulation and the subsequent identification of Operators of Essential Services (hereafter “OES”). The CSSF has duly listed the essential services in CSSF Regulation N° 20-04.
By this Communiqué, the CSSF informs the supervised institutions that the ones identified as OES have been notified of this decision on 15 September 2020.
At present, the supervised institutions which have not received this notification are therefore not designated as OES and are not required to comply with the requirements of the NIS Law.
In case of questions, please contact firstname.lastname@example.org.