ICT-related incident reporting – CSSF new requirements

On 5 January 2024, the CSSF published Circular CSSF 24/847 to update its requirements on ICT-related incident reporting. The new framework is intended to give the CSSF a better and more structured overview of ICT-related incidents, given the increased ICT and security risks in a highly interconnected global financial system. Alongside the entry into force of the new Circular, the CSSF will repeal Circular CSSF 11/504 on frauds and incidents due to external computer attacks.

In a nutshell

This Circular applies to all entities subject to the prudential supervision of the CSSF (i.e., the vast majority) and brings the following changes to the current incident reporting mechanism:

  • Increased scope – the reporting scope is broadened to major ICT operational incidents and to any security incident resulting from successful malicious unauthorized access (whereas the existing requirements focused on external computer attacks)
  • Incident classification – ICT operational incidents shall be classified no later than 24 hours after their detection, and this classification should follow the criteria set out in the DORA Regulation (i.e., impact on clients and transactions, duration, geographical spread, data losses, criticality of affected services, and economic impact)
  • Phased reporting – ICT operational incidents classified as “major” and security incidents resulting from successful malicious unauthorized access shall be reported via a dedicated procedure on the CSSF's eDesk Portal, following a three-phased timeline based on the NIS2 Directive, i.e.:

Three-phased reporting timeline

Interplay with existing regulations

To avoid duplicate reporting, supervised entities covered by this Circular are not required to report the same incident both under this Circular and under one of the following: Circular CSSF 21/787 on major incident reporting under PSD2, the ECB's cyber incident reporting framework for significant institutions, or EU Regulations 909/2014 and 2017/392 on central securities depositories.

By exception to the above, supervised entities explicitly designated by the CSSF as Operator of Essential Services (OES) or Digital Service Provider (DSP) under the NIS1 Directive shall also report relevant incidents under this Circular. Regulation CSSF 24-01 has been published in parallel to bridge the gap between the NIS Law and this Circular.

Timeline

This Circular will enter into force on 1 April 2024 for most entities in scope. Investment Fund Managers (e.g., ManCos and AIFMs) benefit from a delayed entry into force on 1 June 2024.

More articles by Laurent de la Vaissière