
CSSF Circular 24/847 advances ICT reporting, nearing DORA compliance milestone

12 January 2024

Regulatory News Alert

At a Glance

The Commission de Surveillance du Secteur Financier (CSSF) published Circular 24/847 on the Information and Communication Technology (ICT)-related incident reporting framework on 5 January 2024. This Circular applies to credit institutions, Professionals of the Financial Sector (PFS), payment institutions, Electronic Money Institutions (EMIs), management companies, Alternative Investment Fund Managers (AIFMs), Central Counterparties (CCPs), Central Securities Depositories (CSDs), POST Luxembourg, Approved Publication Arrangements (APAs), Authorized Reporting Mechanisms (ARMs), administrators of critical benchmarks and crowdfunding service providers in Luxembourg.

Circular 24/847 takes effect on 1 April 2024 for all supervised entities, except Investment Fund Management Companies (including AIFMs), for which it applies from 1 June 2024. When it becomes applicable, Circular 24/847 repeals CSSF Circular 11/504 on “Frauds and incidents due to external computer attacks.”

Circular 24/847 brings the following changes:

1) Expands ICT incident coverage, previously limited to “frauds and incidents due to external computer attacks”
2) Introduces reporting based on ICT incident classification
3) Introduces ICT incident reporting stages and a timeline
4) Introduces new incident notification forms

A Closer Look

ICT incidents coverage

A wider range of ICT-related incidents will have to be reported to the CSSF. Circular 24/847 extends the scope of incident reporting from “any frauds and any incidents due to external computer attacks” in the former CSSF Circular 11/504 to encompass ICT operational and security incidents. These include either “any successful malicious unauthorized access to the network and information systems” or “any ICT-related incident classified as major based on the criteria detailed in the Circular 24/847.”

To prevent double reporting, in-scope entities are not required to notify the CSSF of incidents already reported under the revised Payment Services Directive (PSD2), under the European Central Bank (ECB) cyber incident reporting framework, or under the reporting regime for central securities depositories.

ICT incident classification

Circular 24/847 refines the criteria for classifying ICT incidents as major. An ICT incident should be classified as major as the result of an assessment against six criteria, aligned with the Draft Regulatory Technical Standards of the Digital Operational Resilience Act (DORA). [1]

If a supervised entity cannot classify the ICT incident based on the abovementioned criteria, the incident is to be deemed a major incident.

ICT incident reporting stages and timeline

Circular 24/847 introduces a three-stage notification process: initial, intermediate and final. It provides a notification timeline and the required information for each stage, aligning with future DORA reporting requirements.

ICT incident notification form

The ICT-related incident notification will be structured through a form with three sections, to be completed at each stage of the notification.

In-scope entities can outsource the reporting obligation to a third-party provider, but they remain fully responsible for the outsourced reporting.

Specific requirement for entities under NIS Law and CSSF Regulation No 24-01

Credit institutions and financial market infrastructures are considered Operators of Essential Services under the Network and Information System (NIS) Law. For these entities, a major ICT-related incident reported to the CSSF corresponds to a “significant incident” under the NIS Law. Hence, the same notification serves both purposes (i.e., the CSSF Circular as well as the NIS Law).

Support PSF are Digital Service Providers under the NIS Law. For these entities, the reporting obligation expands to “significant incidents” as defined in Articles 3 and 4 of the DSP Regulation of 30 January 2018.

How Deloitte can help

Deloitte can assist your organization throughout the resilience program to ensure compliance with regulatory requirements. In particular, we can (i) assess your current ICT risk and resilience posture (and thus the current level of compliance with regulatory requirements), (ii) define the future desired state, (iii) define the roadmap to reach this future state (and compliance with the requirements) and (iv) assist in the execution of the roadmap.

Below are some examples of assistance that Deloitte can provide as point solutions for the specific subject targeted by CSSF Circular 24/847:

  • Enhance your incident management framework to comply with CSSF Circular 24/847 requirements
  • Assist you in reporting ICT-related incidents to competent authorities
  • Assist you in the development of the ICT incident classification
  • Support you in the optimization of the data collection process for ICT incident classification

[1] The six classification criteria are:

a) the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact;
b) the duration of the ICT-related incident, including the service downtime;
c) the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
d) the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality of data;
e) the criticality of the services affected, including the financial entity’s transactions and operations;
f) the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms.
