The Luxembourg Commission de Surveillance du Secteur Financier (CSSF) has issued two circulars updating ICT-related incident classification and reporting following the entry into application of the Digital Operational Resilience Act (DORA). Circular CSSF 25/893 sets the practical modalities for reporting major ICT-related incidents and significant cyber threats, and the CSSF is also extending the same DORA-based incident reporting framework to payment service providers (PSPs) that are not in scope of DORA.

Under Circular CSSF 25/893, DORA entities must follow the specified process when reporting major ICT-related incidents and significant cyber threats to the CSSF. PSPs that are outside DORA must meet their incident reporting obligations under Article 105-2 of the Law of 10 November 2009 on Payment Services by using the DORA classification and reporting procedures, and must apply the DORA requirements to all ICT-related incidents rather than only those connected to payment services in order to avoid dual reporting. As a result, DORA entities and PSPs not under DORA are no longer subject to Circular CSSF 24/847, while Circular CSSF 24/847 continues to apply to other entities and cannot be amended at this stage because it also covers reporting requirements under the NIS 1 law pending national transposition of the NIS 2 Directive.

Separately, Circular CSSF 25/892 implements the Joint European Supervisory Authorities guidelines (JC 2024 34) on estimating aggregated annual costs and losses caused by major ICT-related incidents, applying to all DORA entities other than microenterprises as defined in Article 3(60) of DORA.

Circular CSSF 25/893 provides a six-month transition period for PSPs that are not under DORA, and the existing Circular CSSF 24/847 framework remains in place for other entities until the NIS 2 Directive is transposed at national level.