Publication of two new circulars: ICT-related incident classification and reporting for DORA entities and other Payment Service Providers and adoption of ESA Guidelines on the estimation of aggregated costs/losses
The CSSF hereby informs all supervised entities of updates to the ICT-related incident classification and reporting framework following the entry into application of the DORA regulation. It must be noted that the updates concern not only entities falling under the scope of the DORA regulation and supervised by the CSSF (1) ("DORA entities"), but also Payment Service Providers not under the scope of DORA.
ICT-related incident classification and reporting: updates and issuance of one new circular
The CSSF issued today new Circular CSSF 25/893 providing the practical modalities to be followed by DORA entities when reporting major ICT-related incidents and significant cyber threats to the CSSF.
In addition, in order to apply the same incident classification and reporting framework to all Payment Service Providers (PSPs) under the Law of 10 November 2009 on Payment Services (LPS), the CSSF has decided that PSPs that are not under the scope of DORA shall also fulfil their obligation in this domain (as per Article 105-2 of the LPS) by following the ICT-related incident and cyber threat classification and reporting procedures provided for under DORA. PSPs not under the scope of DORA are therefore also under the scope of new Circular CSSF 25/893 and, to avoid a dual-reporting scheme, shall apply the DORA requirements to all ICT-related incidents (and not only to incidents related to payment services). A six-month transition period is granted, as further specified in the circular.
For the time being, Circular CSSF 24/847 cannot be modified until Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) is transposed at national level, as that circular also covers the reporting requirements under the national NIS 1 law. However, while the scope of Circular CSSF 24/847 has not been modified, and as specified in new Circular CSSF 25/893, DORA entities and PSPs not under the scope of DORA are no longer subject to Circular CSSF 24/847 (without prejudice to the transition period mentioned above for PSPs not under the scope of DORA).
For all other entities, Circular CSSF 24/847 continues to apply.
The approach taken by the CSSF is depicted in the diagram accompanying this communiqué.

Related documents:
- 28 May 2025: Circular CSSF 25/893 on reporting of major ICT-related incidents and significant cyber threats under the Digital Operational Resilience Act (DORA) (CSSF circular)
- 5 January 2024: Circular CSSF 24/847 on ICT-related incident reporting framework (CSSF circular; see also the Communiqué of 5 January 2024)
New CSSF circular on the adoption of the ESA Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents
The CSSF publishes today Circular CSSF 25/892 on the application of the Joint ESA Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 (JC 2024 34). This circular applies to all DORA entities other than microenterprises as defined in Article 3(60) of DORA.
Related document:
- 28 May 2025: Circular CSSF 25/892 on the application of the Joint ESA Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 (JC 2024 34) (CSSF circular)
For any further questions, please contact: ictrisksupervision@cssf.lu.
(1) Financial entities defined in Article 2(1)(a) to (i), (k) to (m), (p), (r) and (s), and within the meaning of Article 2(2), of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector.