Information and communication technology (ICT) risks are an integral part of the risk spectrum of today's financial institutions. Whether a financial institution is an early adopter of new technologies or has implemented only non-complex technologies, it is exposed to risks arising from its ICT strategy and from the operational implementation of that strategy. Gone are the days when financial institutions could perform their day-to-day business without information and communication technology.
It is therefore fundamental that financial institutions manage the ICT risks to which they are exposed, in order to avoid adverse impacts on their operational functioning that could, in the worst case, compromise the institution's viability.
The following chapters aim to provide non-DORA financial institutions with guidance on various topics related to ICT risk. Non-DORA institutions are all CSSF-supervised entities that do not fall within the definition of "financial entity" in Article 2(2) of Regulation (EU) 2022/2554 (DORA), namely: specialised and support professionals of the financial sector (PFS) within the meaning of the Law of 5 April 1993 on the financial sector (LFS); POST Luxembourg, governed by the Law of 15 December 2000 on postal financial services; and management companies authorised only under Article 125-1 of Chapter 16 of the Law of 17 December 2010 relating to undertakings for collective investment.
For additional information related to new technologies, please consult the Financial innovation page.
Circular CSSF 20/750, as amended, sets out the CSSF's expectations regarding the risk management measures and the control and security arrangements referred to in the Law of 5 April 1993 on the financial sector ("LFS") and in the Law of 10 November 2009 on payment services ("LSP"). The circular specifies the information and communication technology ("ICT") and security risk management requirements.
Circular CSSF 21/769 establishes governance and security requirements for supervised entities implementing telework solutions. A key baseline requirement is that entities maintain a robust central administration and sufficient substance at their Luxembourg premises, which includes ensuring that staff working remotely, in particular cross-border commuters, can return to the entity's premises at short notice when necessary. The circular also requires entities to define a telework policy setting out which activities may be performed remotely and which must remain on-site, as well as the minimum number of staff required to be present at the premises to ensure operational continuity.
The increasing complexity of information and communication technology (ICT), combined with the growth of online services and the interconnectedness of financial institutions, makes the operations of financial institutions ever more vulnerable to ICT-related incidents, such as system failures, system intrusions and many other types of incident.
When ICT-related incidents occur, they can have a significant operational, financial and/or reputational impact on the financial institutions concerned and may even endanger the entire ecosystem. They may also serve as early warning indicators of future incidents.
Reporting obligations towards the supervisory authority therefore exist for ICT-related incidents, so that the supervisory authority is kept informed of such incidents, can closely follow individual incidents and can, where possible, anticipate their potential impact and consequences for the financial market.
In 2024, Circular CSSF 24/847 introduced a modernised and enhanced ICT-related incident reporting framework. Some support PFS also fall under the Law of 28 May 2019 (the "NIS 1 Law") as Digital Service Providers (hereafter "DSPs").
CSSF Regulation No 24-01 of 5 January 2024 relating to the notification of incidents under the NIS 1 Law, in its Article 2, informs DSPs of the incident classification and major incident notification requirements under the NIS 1 Law.
To keep a single uniform document, the regulation refers to Circular CSSF 24/847 for the arrangements regarding the classification and notification of incidents under the NIS 1 Law. The circular therefore details the process for classifying and reporting ICT-related incidents for entities under CSSF supervision, in accordance with financial sector regulatory frameworks and/or with the NIS 1 Law.
Entities that are also payment service providers (PSPs) under the Law of 10 November 2009 (as amended) on payment services (LSP) are, however, subject to Circular CSSF 25/893 and must follow the incident classification and reporting procedures foreseen under DORA.
The ICT-related incidents to be notified under Circular CSSF 24/847 are to be submitted to the CSSF within the time limits laid down in Annex I of the circular either:
Major ICT-related incident notifications as well as, if applicable, significant cyber threats, to be notified under Circular CSSF 25/893 by PSPs shall be submitted according to the time limits laid down in Article 5 of the RTS on incident reporting either:
A dedicated user guide named “Major ICT-related Incident Notification – User Guide” is available in the eDesk portal to help Supervised Entities with the submission of their notifications subject to both circulars.
The TIBER-EU (Threat Intelligence-based Ethical Red teaming) framework provides comprehensive guidance on how authorities, entities, threat intelligence providers and red-team testers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks. TIBER-EU promotes collaboration between the stakeholders involved to ensure a consistent and effective testing process. It is a voluntary framework, and any interested party can express its interest to the CSSF. The outcome of a TIBER-EU test is not a pass or fail; it provides valuable insights into an entity's strengths and areas for improvement, fostering a culture of continuous learning and enhancement of its cybersecurity practices.
In November 2021, the Banque centrale du Luxembourg (BCL) and the Commission de surveillance du secteur financier (CSSF) decided to jointly adopt the testing framework for controlled cyber-attacks, namely TIBER-LU, in line with their respective financial stability mandates. The TIBER-LU implementation document was revised following the entry into force of DORA and will be published shortly.
Financial institutions have increasingly taken the opportunity to outsource ICT activities. They are taking advantage of economies of scale, grouping efforts with group entities or making use of external service providers providing solutions adapted to their business models and processes. Nevertheless, outsourcing ICT activities can create challenges to the governance framework of financial institutions, particularly to internal controls, data management and protection, and may even lead to security issues.
In 2022 the CSSF published its Circular CSSF 22/806, as amended, on outsourcing arrangements, which transposes the EBA Guidelines on outsourcing arrangements published in 2019. The CSSF has chosen to extend the scope of application to promote convergence on a national level by including supervised entities subject only to local laws. The circular contains in one single document the supervisory requirements on outsourcing arrangements related to information and communication technology. Regarding ICT outsourcing arrangements, the circular applies to the financial institutions as defined under point 2 of the circular.
Under this circular, in-scope entities that intend to outsource a critical or important function, as defined in the circular, shall, according to point 59, notify the competent authority using the instructions and, where available, the forms on the CSSF website. Notifications shall be submitted at least three (3) months before the planned outsourcing takes effect; where the outsourcing is to a Luxembourg support PFS governed by Articles 29-1 to 29-6 LFS, this notice period is reduced to one (1) month.
With regard to notifications of ICT outsourcing, the following applies:
Circular CSSF 22/806 on outsourcing arrangements also contains in its Part II a specific chapter (Chapter 2) on ICT outsourcing arrangements relying on a cloud computing infrastructure, providing a definition of “cloud computing” in points 135 and 136, and the specific requirements to be respected when outsourcing to a cloud computing infrastructure.
Point 141.b. in particular sets out the authorisation requirement for a support PFS authorised as OSIRC under Article 29-3 of the LFS that wishes to market activities relating to the use of a cloud computing infrastructure. The support PFS concerned shall contact the agent in charge of their supervision to obtain feedback on the information to be submitted.
The Commission Delegated Regulation (EU) 2018/389 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the “RTS”), as well as the Commission Delegated Regulation (EU) 2022/2360 amending the RTS as regards the 90-day exemption for account access, set key requirements to improve the security of payment services across the European Union. The payment service providers (“PSPs”) concerned by the new obligations are the ones defined in points (i), (ii), (iii) and (iv) of Article 1(37) of the Law of 10 November 2009 (as amended) on payment services and for which the CSSF is the designated competent authority for supervisory purposes under the law:
i) Credit institutions
ii) Electronic money institutions
iii) POST Luxembourg
iv) Payment institutions
The RTS also requires all PSPs that offer payment accounts accessible online to provide at least one access interface enabling account information service providers (AISPs) and payment initiation service providers (PISPs) to communicate securely with, and access, the payment service user's payment account data. PSPs that have opted to offer access via a dedicated interface are required to implement a contingency mechanism (also called a fallback mechanism), unless they obtain an exemption from the CSSF in accordance with the four conditions set out in Article 33(6) of the RTS.
All PSPs concerned that wish to obtain such an exemption are required to refer to Circular CSSF 19/720, which adopts the EBA Guidelines specifying further the conditions to benefit from an exemption from the contingency mechanism under Article 33(6) of the RTS, and to fill in the exemption authorisation request form available on the CSSF website. This form must be submitted by email to psd2-exemption@cssf.lu.
Circular CSSF 25/880 on relationship management of payment service users and PSP ICT assessment outlines detailed requirements for PSPs, covering both the management of relationships with payment service users and the requirement to conduct a PSP ICT assessment and submit it using the standardised form via the CSSF’s eDesk portal.