Entry into application of DORA regulation on 17 January 2025
The CSSF reminds the Financial Entities subject to the Digital Operational Resilience Act (“DORA”) that, as from 17 January 2025, the requirements of the DORA regulation and of its underlying regulatory technical standards and implementing technical standards, as published in the Official Journal of the EU, take precedence over any overlapping elements or requirements present in CSSF circulars, notably in circulars:
- CSSF 20/750 specifying the requirements regarding information and communication technology (ICT) and security risk management;
- CSSF 22/806 on outsourcing arrangements (regarding ICT outsourcing arrangements);
- CSSF 24/847 on ICT-related incident reporting framework.
The CSSF would like to remind Financial Entities that the other topics covered by the aforementioned circulars, not related to DORA, remain applicable in their current form to the respective Financial Entities.
The ESAs and the CSSF are proceeding with the updates of the relevant texts (Guidelines and circulars), which will be published in due course. In the meantime, to provide Financial Entities with further guidance, the practical modalities already known are set out below.
Practical modalities regarding reporting obligations
1. Reminder of press release of 5 December 2024
The CSSF reminds Financial Entities of the previously published press release of 5 December 2024 in which Financial Entities were urged to (1) ensure that they have an LEI code to be able to submit their required reporting, and (2) create the specific eDesk role of “IT incident notifier” to be able to submit the incidents via eDesk. It is imperative that these elements are in place to be able to fulfil the reporting obligations as of 17 January 2025.
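An LEI is a 20-character ISO 17442 code whose last two characters are ISO 7064 MOD 97-10 check digits, so a malformed or mistyped LEI can be caught locally before a submission is rejected. The following validator is an added example written for this page, not CSSF or ESA tooling; the CSV column name `lei` and the sample rows are assumptions constructed for illustration, and the sample LEI values are used only to exercise the checksum.

```python
"""Check Legal Entity Identifiers (ISO 17442) before they go into a regulatory submission.

Added example for this page; not CSSF/ESA code. The CSV layout below is a
constructed sample, not the ESA register-of-information template.
"""
import csv
import io
import re

# ISO 17442: characters 1-18 are upper-case letters or digits, characters 19-20
# are check digits. With letters mapped A=10 .. Z=35, the whole 20-character
# code read as a decimal number must satisfy N mod 97 == 1 (ISO 7064 MOD 97-10).
_LEI_RE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")
_PREFIX_RE = re.compile(r"[A-Z0-9]{18}")


def _to_numeric(code: str) -> int:
    """Map each character to its base-36 value (0-9 stay, A=10 .. Z=35) and concatenate."""
    return int("".join(str(int(ch, 36)) for ch in code))


def lei_check_digits(prefix18: str) -> str:
    """Return the two check digits for an 18-character LEI prefix (strict upper case)."""
    if not _PREFIX_RE.fullmatch(prefix18):
        raise ValueError("LEI prefix must be 18 upper-case alphanumeric characters")
    # MOD 97-10: append "00", take the remainder, subtract from 98, zero-pad to 2 digits.
    check = 98 - (_to_numeric(prefix18 + "00") % 97)
    return f"{check:02d}"


def validate_lei(lei: str) -> bool:
    """True iff `lei` is exactly 20 well-formed characters and its check digits verify.

    Deliberately strict: no trimming or case folding, so the value checked here is
    byte-for-byte the value that would be submitted.
    """
    if not _LEI_RE.fullmatch(lei):
        return False
    return _to_numeric(lei) % 97 == 1


def find_invalid_leis(csv_text: str, column: str) -> list[tuple[int, str]]:
    """Scan one column of a CSV document and return (data_row_number, value) for every
    cell that is not a valid LEI. Row numbers are 1-based and exclude the header."""
    reader = csv.DictReader(io.StringIO(csv_text))
    invalid = []
    for row_number, row in enumerate(reader, start=1):
        value = row.get(column) or ""
        if not validate_lei(value):
            invalid.append((row_number, value))
    return invalid


# Constructed sample: row 1 carries a checksum-valid LEI, row 2 the same code with
# one check digit altered, row 3 an empty cell. The column name is an assumption.
SAMPLE_CSV = """entity_name,lei
Example Bank SA,5493001KJTIIGC8Y1R12
Example Provider SARL,5493001KJTIIGC8Y1R13
Missing LEI Ltd,
"""

if __name__ == "__main__":
    print("check digits for 5493001KJTIIGC8Y1R:", lei_check_digits("5493001KJTIIGC8Y1R"))
    for row_number, value in find_invalid_leis(SAMPLE_CSV, "lei"):
        print(f"row {row_number}: invalid LEI {value!r}")
```

The checksum only proves the code is well-formed, not that it is issued, active or belongs to the entity named in the row; that still needs a lookup against the GLEIF data. Run the column scan over every LEI-bearing file before submission so that a single transposed character is caught locally rather than during the CSSF or ESA validation window.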
2. Major ICT-related incident and significant cyber threats reporting
As of 17 January 2025, Financial Entities subject to DORA are required to notify major ICT-related incidents and significant cyber threats via a new dedicated procedure encompassing two different notification forms, available in eDesk, following the process already in place for reporting incidents under Circular CSSF 24/847:
- through the dedicated procedure “DORA Major ICT-related incident and significant cyber threat notification” available on the CSSF eDesk Portal (edesk.apps.cssf.lu); or
- via the API interface (S3) provided by the CSSF.
The existing user guide on Major ICT-related incidents, available in eDesk, will be updated accordingly and made available on that date to help Financial Entities with the submission of their notifications.
Given that the goal of the new procedure is to harmonise the reporting requirements, this new procedure replaces the following previous reporting for Financial Entities now subject to DORA:
- eDesk procedure “24/847 Major ICT-related incident”
- PSD2 major incident reporting via Sofie channel under Circular CSSF 21/787
- Reporting by significant institutions of significant cyber incidents directly to the ECB
- Reporting by CSDs of material operational incidents [1] in relation to ICT risk
Furthermore, the CSSF informs Financial Entities of the following instructions:
1. Outsourcing of the reporting obligations according to Article 6 of the draft ITS on the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat (ITS) and possibility for aggregated reporting by third party providers under Article 7 of the ITS
Financial Entities intending to outsource the reporting obligations to a third party shall inform the CSSF before the first notification or report, and at the latest as soon as the outsourcing arrangement has been concluded. In this regard, the following details must be provided to ictrisksupervision@cssf.lu:
- Name, contact details and an identification code of the third party that will submit the notifications on behalf of the Financial Entity;
- Name, contact details and the related function of the persons at the third party to whom the role of the “IT incident notifier” will be assigned in eDesk.
Note that Financial Entities remain solely responsible for the protection of their sensitive data in line with applicable regulations.
The CSSF informs Financial Entities and third parties that, after having carefully evaluated the conditions of Article 7, no aggregated reporting by third party providers is permitted for the time being.
2. Weekend or bank holiday reporting requirement according to Article 5(5) of the draft RTS on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents (RTS)
Whilst the RTS specify that most Financial Entities may be exempted from reporting major incidents on weekend days or bank holidays (according to Article 5(4)), Article 5(5) specifies that certain Financial Entities will nevertheless be required to report major incidents during weekends and bank holidays. In this regard, the CSSF has identified the list of Financial Entities that are impacted and will notify them by the end of February 2025.
3. Reporting of the register of information
The CSSF is required to submit the register of information by 30 April 2025 to the European Supervisory Authorities (ESAs) [2]. The reference date of the register for the first year of submission is 31 March 2025 [3].
Financial Entities are required to submit their register of information to the CSSF from 1 April 2025 to 15 April 2025 via eDesk. Additional information related to the eDesk procedure will be published at a later stage.
Submitted registers will be subject to certain validation checks by the CSSF between 15 and 30 April 2025. If errors are detected, the submitting Financial Entity will be invited to fix the detected errors and re-submit its register before 30 April 2025.
During the month of May 2025, the ESAs will perform additional checks. Should they detect further errors and consequently refuse the register on their side, the submitting Financial Entity must fix the detected errors and re-submit its register to the CSSF, which will then communicate the re-submitted register to the ESAs.
The CSSF highlights that the register of information must be submitted in plain CSV format (as during the Dry Run exercise). Note that the ESAs will not provide Financial Entities with a tool/script to generate their register of information, as they did during the Dry Run exercise.
[1] Article 45(6) of Regulation (EU) No 909/2014 and Article 71(4)(b) of the Commission Delegated Regulation (EU) 2017/392 of 11 November 2016 supplementing Regulation (EU) No 909/2014
[2] Article 5 of the joint ESA decision published on 15 November 2024
[3] Article 4.3 of the same joint ESA decision published on 15 November 2024