Financial Crime World

Luxembourg Financial Sector Must Report ICT-Related Incidents to Supervisory Authorities

Introduction

The Luxembourg financial sector is set to introduce a new reporting framework for ICT-related incidents, aimed at ensuring the supervisory authorities are informed of such events and can closely monitor their impact on the financial market.

New Reporting Framework

The CSSF (Commission de Surveillance du Secteur Financier) has introduced Circular CSSF 24/847, which replaces the previous Circular CSSF 11/504. The new circular introduces a modernized ICT-related incident reporting framework for all supervised entities in Luxembourg.

Requirements

Under the new framework, establishments subject to the supervision of the CSSF are required to report ICT-related incidents, including cyber-attacks and other external attacks on their computer systems, to the supervisory authority within specified time limits. The reports will provide information on:

  • Nature
  • Frequency
  • Significance
  • Impact

Classification and Notification

The CSSF is also the authority designated under the NIS (Network and Information Security) Law to oversee network and information security in Luxembourg’s financial sector. In that capacity, the CSSF has issued Regulation No 24-01 of January 2024, which sets out the requirements for incident classification and notification under the NIS Law.

Duplicate Reporting

Some supervised entities are also subject to other regulatory obligations regarding incident reporting, such as PSD2 Major Incident Reporting and SSM Cyber Incident Reporting. To prevent double reporting, Circular CSSF 24/847 specifies that incidents falling under more than one reporting framework must be reported only once.

Additional Requirements

  • The European Central Bank (ECB) has introduced a cyber-incident reporting framework for all significant institutions in the European Union.
  • Critical entities in the financial sector must be able to resist cyber-attacks to ensure their own resilience and contribute to the overall resilience of the financial sector.
  • The Banque centrale du Luxembourg (BCL) and the CSSF have jointly adopted the TIBER-LU testing framework for controlled cyber-attacks.

Effective Date

The new reporting framework comes into force on:

  • April 1, 2024, for supervised entities defined in point 2 a) to d) and k) to p) of Section 1.1.
  • June 1, 2024, for those defined in point 2 e) to j) of Section 1.1.

Contact Information

For more information on the new reporting framework, please contact:

tiber@bcl.lu and tiber@cssf.lu

  • CSSF eDesk Portal: edesk.apps.cssf.lu
  • Major ICT-related Incident Notification procedure: [insert link]
  • TIBER-LU testing framework: [insert link]