Financial Crime World


Luxembourg Banks Face Tighter Cybersecurity Requirements Amid NIS2 Implementation

Final Text of the NIS2 Directive Enters Into Force

The NIS2 Directive (Directive (EU) 2022/2555) was published in the Official Journal of the European Union on December 27, 2022 and entered into force on January 16, 2023. It aims to establish a high common level of cybersecurity across the Union and requires member states, including Luxembourg, to adopt and publish the national legislation transposing its provisions by October 17, 2024.

Expanded Scope of Entities

The NIS2 Directive significantly expands the range of entities required to implement robust cybersecurity measures. Under the new rules, medium and large-sized entities operating in the 11 sectors of high criticality listed in Annex I of the directive, banking among them, must comply with its cybersecurity risk-management and reporting obligations. These sectors are:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Categorization of Entities

Under NIS2, entities are categorized as either “Essential” or “Important”. Essential entities are subject to an ex-ante supervisory regime, meaning the competent authority may act at any time, without waiting for evidence of a problem, through:

  • On-site inspections
  • Off-site supervision
  • Random checks
  • Audits
  • Requests for evidence of implementation of cybersecurity policies

Important entities are supervised ex post: supervisory action is triggered by evidence or an indication that the entity is not complying with the directive. They are nonetheless bound by the same obligation to take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to their network and information systems, and should expect to have to demonstrate those measures if a supervisor comes asking.

Cybersecurity Requirements for Luxembourg’s Banking Sector

In practice, this means that Luxembourg’s banking sector will need to:

  • Review and reinforce policies on risk analysis and information system security
  • Set up incident handling processes
  • Ensure business continuity (including backup management and disaster recovery) and crisis management
  • Address risks stemming from supply chains, including the security of relationships with direct suppliers and service providers
  • Manage security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
  • Establish policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Reinforce the use of cryptography and, where appropriate, encryption

Banks should note that for financial entities already covered by the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), DORA applies as the sector-specific act and takes precedence over the NIS2 risk-management and incident-reporting provisions. Any NIS2 compliance roadmap for a Luxembourg bank therefore has to be reconciled with the DORA requirements and with the expectations of the CSSF as competent supervisor.

Incident Reporting Requirements

The NIS2 Directive also revises incident reporting requirements, imposing notification obligations in phases: an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month. Failure to comply with the directive can result in significant administrative fines: for essential entities, up to 10 million EUR or 2% of the company’s total worldwide annual turnover, whichever is higher (for important entities, up to 7 million EUR or 1.4%). Additionally, entities may face binding instructions to bring their security measures in line with NIS2 requirements and to implement the recommendations of a security audit.

Deloitte’s Expertise

Deloitte, a leading professional services firm, is well-equipped to help Luxembourg’s banking sector navigate the implementation of these new cybersecurity requirements. Deloitte can assist organizations in creating a roadmap for compliance, aligning it with other applicable regulations and ensuring a seamless transition to the new standards.