Communiqué regarding ICT-related incident reporting

The CSSF released today two important documents regarding the ICT-related incident reporting framework, in order to acquire a better and more structured overview of the nature, frequency, significance and impact of ICT-related incidents, also considering the growing ICT and security risk in the context of a highly interconnected global financial system.

This CSSF regulation was published in the memorial on 5 January 2024 and shall enter into force on 1 April 2024. In its Article 2 it informs Operators of Essential Services (“OES”) and Digital Service Providers (“DSP”) subject to the Law of 28 May 2019 (the “NIS Law”), and for which the “NIS authority” is the CSSF according to article 3 of the NIS Law, of the incident classification and major incident notification requirements under the NIS Law. These have been further specified in the circular CSSF 24/847 referred to in point 2 below, in order to have one uniform document detailing the process for classification and reporting of ICT-related incidents for all entities under CSSF supervision in accordance with financial sector regulatory frameworks and/or with the NIS Law.

In its competence as NIS authority, the CSSF already notified respectively informed the relevant Supervised Entities of their identification as OES, or of their consideration as DSP, when the NIS Law entered into force.

The CSSF will reconfirm the relevant Supervised Entities of their status as OES or DSP respectively at the latest by 1 March 2024. The Supervised Entities which will not receive this notification respectively information at that date, are therefore not designated as OES, or not considered as DSP, without prejudice to potential future designation or information.

This circular shall enter into force on 1 April 2024 for the Supervised Entities as defined in point 2 a) to d) and k) to p) in Section 1.1., and on 1 June 2024 for the Supervised Entities as defined in point 2 e) to j) in Section 1.1.

The Circular will repeal and replace Circular CSSF 11/504 on “Frauds and incidents due to external computer attacks” on 1 April 2024 for the Supervised Entities as defined in point 2 a) to d) and k) to p) in Section 1.1. and on 1 June 2024 for the Supervised Entities as defined in point 2 e) to j) in Section 1.1.

• Increases the incident coverage, currently limited to fraud and incidents due to external computer attacks as per Circular CSSF 11/504, by covering more broadly ICT operational and security incidents while avoiding double reporting for incidents to be notified under other incident notification frameworks.
• Introduces reporting based on classification. Supervised Entities will be required to classify ICT-related incidents based on the criteria indicated in this Circular and to notify to the CSSF the cases where ICT-related incidents are classified as major or significant incidents.
• Introduces a new incident reporting notification form. To obtain data in a structured form, Supervised Entities will be required to complete and submit an ICT-related incident notification form in case the ICT-related incident is classified as a major or significant incident.
• Introduces a specific chapter to cover in the same Circular the incident notification requirements (previously communicated via bilateral communications to Supervised Entities that are under the scope of the NIS Law) in order to apply the new incident reporting notification forms and practical requirements to the notifications of incidents assessed as significant under the NIS Law.

ICT-related incident notifications shall be submitted by considering the time limits and the data fields respectively laid down in the Annex I and II of the Circular CSSF 24/847 as from 1 April 2024 and 1 June 2024 respectively, as indicated in point 2 above. Further guidance related to the submission channels and related submission procedure will be published at a later stage.

Further information can also be found on the ICT Risk page of the CSSF Website – section Incident reporting.

Any question relating to the Regulation, the Circular or the new ICT-related incident notification process should be addressed to ictrisksupervision@cssf.lu.