The Luxembourg Commission de Surveillance du Secteur Financier (CSSF) has reminded all supervised entities that they must submit ICT-related incident notifications in accordance with the relevant provisions of Circular CSSF 25/893 and/or Circular CSSF 24/847, following recent events that attracted public and media attention. The CSSF stressed that public awareness or press coverage of an incident does not remove the obligation to notify the supervisor. Supervised entities are urged to review the applicable rules to ensure they understand which ICT incidents trigger mandatory reporting, the relevant thresholds, the timelines for submission, and the procedures and designated channels for reporting. Entities are expected to comply with the established requirements without delay.
Luxembourg Commission de Surveillance du Secteur Financier 2025-07-25
Luxembourg Commission de Surveillance du Secteur Financier reiterates mandatory ICT incident notification requirements for supervised entities
The Luxembourg Commission de Surveillance du Secteur Financier (CSSF) has reiterated the obligation for supervised entities to report ICT-related incidents as per Circular CSSF 25/893 and/or Circular CSSF 24/847, regardless of public or media attention. Entities must review and adhere to the reporting thresholds, timelines, and procedures.