Out-Law News

IT incident reporting rules updated for Luxembourg financial services


Luxembourg’s financial regulator has moved to standardise the information that businesses operating in the country’s financial services sector will need to share with it concerning major ‘ICT-related incidents’ they experience.

In a new circular it issued on 5 January, the Commission de Surveillance du Secteur Financier (CSSF) set out updated classification and notification requirements for such incidents, which will include but are not limited to “any successful malicious unauthorised access to the network and information systems”.

The CSSF’s circular 24/847 outlines related procedural requirements and deadlines and further contains a list of data fields that firms subject to the rules should complete to comply with their notification duties.

Banks, payment service providers, investment fund managers and crowdfunding platforms are among the financial services firms subject to the new rules, which will take effect from 1 June for investment fund managers and internally managed alternative investment funds (AIFs), and from 1 April for the other supervised entities. Operators of IT systems and networks used by financial service firms are also subject to the requirements.

The rules envisage firms subject to the new circular classifying major ICT-related incidents speedily – “without undue delay after the information required for the classification of the ICT-related incident is available” – and notifying the CSSF within 24 hours of detecting those incidents. The rules, however, provide for the information to be delivered in stages, with the specific information the CSSF wants to receive at each stage outlined in an annex to its circular.

Luxembourg-based technology law expert Aurélie Caillard of Pinsent Masons said more incidents will be reportable under the new rules than financial firms have been used to to date. The current incident reporting rules, introduced in 2011, apply only to fraud and to incidents caused by external computer attacks.

Caillard said: “The new rules will apply to many entities that fall subject to supervision by the CSSF in Luxembourg. Those businesses would be advised to carry out a gap analysis to identify how the new rules differ from the old rules, which will be repealed, and further review and, as necessary, update their incident reporting policies and procedures to ensure they will be able to comply with the new framework when it takes effect in April or June.”

“The inclusion of a list of data fields that the CSSF expects firms to complete when submitting relevant notifications under the new regime is a welcome step, as it should support greater standardisation in reporting processes in industry – and make it easier for the regulator to quickly understand the type, nature and severity of an incident,” she added.

Published alongside the new circular on the same day was a new regulation that also takes effect on 1 April and relates to incident reporting within Luxembourg financial services.

The CSSF regulation supplements earlier Luxembourg legislation that implements the EU’s Network and Information Security (NIS) Directive. The regulation has narrower application than the CSSF’s circular: it applies only to certain banks and providers of financial market infrastructure designated as ‘operators of essential services’ (OES), and to certain operators of IT systems and networks used by financial services firms that are considered ‘digital service providers’ (DSP), all of which are already subject to the NIS regime. However, the range of incidents reportable under the regulation is broader than the major ICT-related incidents to which the CSSF circular specifically relates.

For example, the relevant banks and financial market infrastructures subject to the regulation are required to notify the CSSF of incidents having a significant impact on the continuity of the essential services they provide, without undue delay.

For the IT providers in scope, the regulation similarly requires notification, without undue delay, of incidents having a substantial impact on the provision of a digital service they offer within the EU.

The classification and notification of such incidents follow the rules of the new CSSF circular.

The EU’s NIS regime is in the process of being updated. A revised framework, NIS2, came into force early last year and needs to be transposed into the national law of EU member states by 18 October 2024, after which the new rules will take effect. Separate new EU legislation – the Digital Operational Resilience Act (DORA) – will begin to apply in early 2025 and, in the case of financial services firms, will take precedence over NIS2 reporting requirements.
