Financial Entities Must Align with the New Updated CSSF Circulars on ICT Security and Risk

28 April 2025

Regulatory News Alert

At a glance

The CSSF published two Circulars following DORA’s entry into force in January 2025 and the subsequent amendment of the EBA Guidelines on ICT Security and Risk (EBA GL/2019/04, amended by EBA GL/2025/02 in February 2025). This update reshapes ICT risk requirements for financial entities in Luxembourg, ensuring full application of the updated EBA Guidelines.

It provides harmonization and more legal clarity to the market in the context of the DORA regulation. Firms must reassess whether they qualify as a “DORA entity” or a “non-DORA entity,” and align their operations with the applicable requirements.

A closer look

On 9 April 2025, the Commission de Surveillance du Secteur Financier (CSSF) published two new circulars clarifying and refining the regulatory framework on ICT risk management. As anticipated by many market participants, these updates mark an important step in aligning Luxembourg’s regulatory framework with the Digital Operational Resilience Act (DORA) and the newly updated EBA Guidelines on ICT and security risk management (EBA/GL/2025/02). Organizations must determine whether they qualify as a “DORA entity” or a “non-DORA entity” to ensure compliance with the relevant circulars. These circulars apply as of 9 April 2025.

What This Means for You

The updates distinctly separate the requirements for DORA entities, non-DORA entities and PSPs:

  • DORA entities:
    • Financial entities as defined in Regulation EU 2022/2554 (DORA) under Article 2, including credit/payment institutions, investment firms, crypto providers, trading venues, fund managers, CSDs, and CCPs.
    • Action required: Ensure direct references to CSSF Circular 20/750 are removed from your policies and procedures – learn more below.
  • Non-DORA entities:
    • Supervised entities not subject to DORA, including specialized and support professionals of the financial sector, POST Luxembourg, Luxembourg branches of third-country institutions, and UCITS management companies authorized under Article 125-1.
    • Action required: Ensure continued compliance with new Circular CSSF 25/881.
  • PSPs (both DORA and non-DORA entities):
    • Payment Service Providers (PSPs).
    • Action required: Ensure continued compliance with requirements from Circular CSSF 20/750 on relationship management of payment service users and PSP ICT assessment – learn more below.

What are the key changes to the requirements on ICT Security and Risk?

Updates to Circular CSSF 20/750

  • Circular CSSF 25/880 – This Circular applies exclusively to Payment Service Providers (PSPs), which can be either DORA entities or non-DORA entities. It retains relevant requirements from Circular CSSF 20/750 on relationship management of payment service users and PSP ICT assessment, and implements the updated EBA Guidelines (EBA/GL/2025/02).
  • Circular CSSF 25/881 (amending Circular CSSF 20/750) – This Circular applies exclusively to non-DORA entities. It maintains existing requirements from Circular CSSF 20/750 on ICT and security risk management, but excludes DORA entities from its scope.

We recommend reviewing your current ICT operations to confirm they meet these updated standards.

How Deloitte can help

Deloitte’s specialists and dedicated services can help you tackle not only the compliance challenges but also the opportunities arising from ambitious new circulars and regulations.

We can support you in the following critical areas:

  • Reviewing your ICT risk management frameworks
  • Performing regulatory and operational gap analysis
  • Designing a resilient and compliant framework

At Deloitte Luxembourg, we are actively supporting our clients in navigating this shift, assessing their ICT Risk Management frameworks and aligning with evolving regulatory expectations.

If you are a DORA-regulated entity or a management company unsure about the implications of these amendments, reach out to us.