Reminder regarding ICT-related incident reporting requirements

In response to recent events that have received public and media attention, the CSSF reminds all supervised entities of the obligation to submit ICT-related incident notifications in line with the relevant provisions outlined in Circular CSSF 25/893 and/or Circular CSSF 24/847. Supervised entities are strongly encouraged to thoroughly review the applicable provisions to ensure a clear and comprehensive understanding of the reporting obligations. This includes knowing which types of ICT-related incidents trigger mandatory notification, the specific thresholds that apply, the required timelines for submission and the proper procedures for reporting through the designated channels. While certain incidents may be publicly known or reported by the press, the CSSF emphasises that such public knowledge does not exempt supervised entities from their obligation to report these incidents. Supervised entities are expected to act in accordance with the established requirements without delay.

5 January 2024
Circular CSSF 24/847

on ICT-related incident reporting framework Communiqué of 5 January 2024

CSSF circular

PDF (300.89Kb)

PDF (213.33Kb)
28 May 2025
Circular CSSF 25/893

on reporting of major ICT-related incidents and significant cyber threats under the Digital Operational Resilience Act (DORA)

CSSF circular

PDF (207.99Kb)

PDF (148.31Kb)

Name	Description	Duration
cssf_cookies	Saves information regarding the user's consent to the use of cookies for each optional category.	1 year
ROUTEID	Technical cookie allowing load distribution.	Deleted when the browsing session ends
TBMCookie*	Security: This cookies protects the website against automated attacks.	Deleted when the browsing session ends
__utmvc	These first party cookies are set by a third party service to filter out malicious requests.	Deleted when the browsing session ends
__utmvm*	These first party cookies are set by a third party service to filter out malicious requests.	15 minutes

Name	Description	Duration
cssf_profile	This cookie adapts the website pages to the profile chosen by the visitor (professionals, markets, consumers).	1 year
pll_language	This cookie saves the user’s language choice.	1 year

Name	Description	Duration
_pk_id.#	Collects anonymous statistical data on the website consultations, such as the number of visits or the average time spent on the website. The data is processed in-house and is not shared with a third party.	1 year
_pk_ses.#	Collects anonymous statistical data for the tracking of the pages consulted during the browsing session. The data is processed in-house and is not shared with a third party.	30 minutes