Who is in scope?
Circular 24/847 introduces a new supervisory regime for ICT-related incidents, i.e., unplanned events threatening the network and information system security and jeopardising the availability, authenticity, integrity and confidentiality of data and/or services provided by in-scope entities.
The new requirements apply to most supervised entities of the financial sector in Luxembourg, including notably:
- credit institutions and all types of professionals of the financial sector;
- payment and electronic money institutions;
- investment management companies;
- alternative investment fund managers;
- approved publication arrangements with a derogation and authorised reporting mechanisms with a derogation within the meaning of the LFS;
- POST Luxembourg;
- central counterparties;
- central securities depositories;
- benchmark administrators; and
- crowdfunding service providers.
Circular 24/847 also applies to Luxembourg branches of entities whose head office is located in a third country. As regards branches of entities whose head office is established in another EU Member State (and which are thus subject to the supervision of the relevant national competent authority), Circular 24/847 applies only to the extent that the ICT-related incident relates to aspects remaining under the CSSF’s oversight, such as AML/CFT and certain MiFID-restricted competences.
Additional obligations are also provided for entities qualifying as operators of essential services (providing services essential for the maintenance of critical societal and/or economic activities, such as in the banking and financial market infrastructure sectors, which rely heavily on network and information systems) and digital service providers (providing digital services such as an online marketplace, an online search engine or a cloud computing service), as both are defined under the Law of 28 May 2019 transposing Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the EU (NIS Law).
Circular 24/847 will replace the current reporting framework contained in Circular CSSF 11/504 of 11 March 2011 on frauds and incidents due to external computer attacks.
New obligations imposed
Classification of ICT-related incidents
Upon occurrence of an ICT-related incident, in-scope entities are required to internally assess its impact, by taking into account criteria relating to such incident, such as:
- the number and criticality of clients, financial counterparts, transactions, services and operations affected;
- potential reputational effects;
- its duration, particularly when entailing an interruption in the provision of the relevant entity’s services;
- its geographical spread, particularly when several EU Member States are affected;
- any data losses and breaches of availability, authenticity, integrity or confidentiality; and
- the direct and indirect economic impact (costs and losses).
On this basis, in-scope entities shall classify each ICT-related incident as “major” or not. This assessment must be completed within twenty-four (24) hours of the incident’s detection (or by the next working day if the deadline falls on a weekend day and/or public holiday); otherwise an adequate explanation for the delay must be provided to the CSSF.
In case of doubt as regards an ICT-related incident’s impact, it shall be notified to the CSSF as if it were classified as “major”.
Reporting of ICT-related incidents
ICT-related incidents qualifying as “major” shall be notified to the CSSF within the following timeframes:
- within four (4) hours upon the classification of the ICT-related incident as “major” (or the next working day if the deadline is during a weekend day and/or public holiday), the supervised entity must send an initial notification (“Initial information”) comprising general information such as contact details of the in-scope entity, geographical spread of detected ICT-incident, date and time of detection, criteria considered for its classification as “major”, etc.;
- within three (3) working days of the submission of the above initial notification, the supervised entity must send an intermediate notification (“Incident cause, classification and impact”) including, in particular, a complete description of the relevant ICT-related incident, its cause and type, its actual or estimated economic impact and the number of users and customers affected, any remedial measures activated (e.g., business continuity plan, disaster recovery plan), as well as any updates on previous notifications submitted to the CSSF on the incident concerned;
- within twenty (20) working days of the submission of the above intermediate notification, the supervised entity must send a final notification (“Root cause, follow-up and additional information”) including details of the completed root cause analysis of the ICT-related incident in question and the vulnerabilities and weaknesses identified, updates on the status of the incident, an assessment of the effectiveness of the mitigation measures implemented, etc.
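The classification and notification timeline described above, worked through as an added example (not part of the Circular or of the CSSF’s guidance). It assumes a placeholder public-holiday list, that a clock-based deadline falling on a weekend or holiday keeps its time of day when rolled to the next working day, and a worst-case schedule where every step is taken exactly at its deadline.

```python
from datetime import date, datetime, timedelta

# Constructed placeholder: replace with the entity's own public-holiday calendar.
PUBLIC_HOLIDAYS = {date(2024, 5, 1), date(2024, 5, 9)}


def is_working_day(d: date) -> bool:
    """Monday to Friday and not a public holiday."""
    return d.weekday() < 5 and d not in PUBLIC_HOLIDAYS


def roll_to_working_day(deadline: datetime) -> datetime:
    """Circular rule for hour-based deadlines: if the deadline falls on a weekend
    or public holiday, it moves to the next working day (assumption: same time)."""
    while not is_working_day(deadline.date()):
        deadline += timedelta(days=1)
    return deadline


def add_working_days(start: datetime, n: int) -> datetime:
    """Count n working days forward from start, keeping the time of day."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if is_working_day(current.date()):
            remaining -= 1
    return current


def reporting_timeline(detected_at: datetime) -> dict:
    """Latest permitted time for each step of a 'major' incident report,
    assuming each step is taken at its own deadline (worst case)."""
    # 24 hours from detection to classify the incident as major or not
    classify_by = roll_to_working_day(detected_at + timedelta(hours=24))
    # 4 hours from classification as major to the initial notification
    initial_by = roll_to_working_day(classify_by + timedelta(hours=4))
    # 3 working days from the initial to the intermediate notification
    intermediate_by = add_working_days(initial_by, 3)
    # 20 working days from the intermediate to the final notification
    final_by = add_working_days(intermediate_by, 20)
    return {
        "classify_by": classify_by,
        "initial_by": initial_by,
        "intermediate_by": intermediate_by,
        "final_by": final_by,
    }


if __name__ == "__main__":
    # Constructed sample: incident detected on a Friday morning.
    for step, when in reporting_timeline(datetime(2024, 5, 3, 10, 0)).items():
        print(f"{step:16} {when:%a %Y-%m-%d %H:%M}")
```

In the sample run the 24-hour classification deadline lands on Saturday and rolls to Monday, and the placeholder holiday on 9 May pushes the intermediate notification to Friday 10 May.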
For the purpose of the above notifications, any successful malicious unauthorised access to an in-scope entity’s network and information systems shall be deemed “major” and be communicated to the CSSF accordingly. Similarly, ICT-related incidents with proven or potential serious impacts on the operations of the relevant entity (i.e., total service downtime) must be notified to the CSSF as soon as possible, even prior to the formal submission of any of the above notification forms.
All data fields to be filled out and submitted to the CSSF as part of the above notifications are annexed to Circular 24/847. To the extent that all such fields can already be completed at the time of the initial notification, they shall be submitted to the CSSF all at once. Further guidance on the submission process is expected to be published by the CSSF at a later stage.
The CSSF shall also be notified when an ICT-related incident is found to no longer satisfy the conditions for its qualification as “major”; in such a case, the relevant entity shall be required to re-classify the incident in question.
ICT-related incident reporting may be delegated by in-scope entities to third-party service providers, with the in-scope entity remaining fully responsible at all times for the relevant notifications regardless of such outsourcing.
For the avoidance of doubt, the CSSF notes that if any of the ICT-related incidents classified as “major” as per the above are already notifiable to the CSSF pursuant to other regulations and/or circulars (for example in case of major incident reporting under PSD2 pursuant to Circular CSSF 21/787), in-scope entities are not required to report them under the new Circular 24/847.
Additional requirements for certain professionals
Operators of essential services
With respect to in-scope entities also qualifying as operators of essential services, the number of users affected by the disruption to the essential service provided shall be additionally taken into consideration when assessing the potential qualification of an ICT-related incident as “significant”.
Incidents classified as “significant”, including any malicious unauthorised access to the network and information systems of the relevant operator which is deemed as such, shall be notified to the CSSF “without undue delay”. The CSSF considers that compliance with the timeframes provided for the notification of “major” ICT-related incidents by all other in-scope entities satisfies the concept of “without undue delay”.
For incidents qualifying as both “significant” (for the purpose of the internal assessment conducted by operators of essential services) and as “major” (pursuant to the classification undertaken by all in-scope entities, as described under the previous section above), no double reporting of the incident to the CSSF shall be necessary. Nonetheless, “major” cyber incidents reported by significant credit institutions directly supervised by the European Central Bank and also qualifying as operators of essential services shall also be reported to the CSSF pursuant to Circular 24/847.
Digital service providers
The above classification of ICT-related incidents as “significant” and notification obligation to the CSSF also applies to in-scope entities qualifying as digital service providers.
Such entities shall also consider, during their ICT-related incident assessment, the number of users affected by the incident and, in particular, users who rely on the digital service provided by the in-scope entity to provide their own services.
Next steps for in-scope entities
In-scope entities are now required to take all necessary steps to prepare for their compliance with the new obligations imposed under Circular 24/847, which shall become applicable as from 1 April 2024 (and as from 1 June 2024 for investment funds and fund managers). ICT and reporting policies and procedures should be reviewed and updated.
As the regulatory toolbox for the digital domain is rapidly advancing at EU level, further changes to the above ICT-related incident reporting framework may be introduced in the near future. The upcoming application of Regulation (EU) 2022/2254, widely known as the Digital Operational Resilience Act (DORA), as from 17 January 2025, as well as the anticipated reform of the NIS Law (pursuant to DORA), are expected to bring further ICT-related obligations that may lead to a revision of the current regime. For the time being, though, the CSSF has clarified that such upcoming regulations have no bearing on the obligations imposed under Circular 24/847.