Luxembourg Financial Regulatory News:
Circular CSSF 25/892, effective May 31, 2025, informs financial entities in Luxembourg that the CSSF fully applies the Joint ESAs’ Guidelines on estimating costs and losses from major ICT-related incidents under the DORA regulation. The circular requires financial entities, except for microenterprises, to submit an estimation of their aggregated annual costs and losses to the CSSF upon request. This reporting must be done using a specific template provided in the guidelines and must follow the methodology for assessing gross costs and financial recoveries outlined in the DORA technical standards.
Read more at the official link at https://www.cssf.lu/en/Document/circular-cssf-25-892/
Basis and Inspiration for the Circular CSSF 25/892:
This Circular CSSF 25/892 is issued to apply the Joint Guidelines of the European Supervisory Authorities (ESAs) on the estimation of aggregated annual costs and losses caused by major ICT-related incidents (JC/GL/2024/34). These guidelines are mandated by Article 11(11) of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA).
Scope of Applicability of Circular CSSF 25/892:
The Circular CSSF 25/892 applies to a wide range of financial entities as defined in Article 2(1)(a) to (i), (k) to (m), (p), (r) and (s), and Article 2(2) of the DORA regulation. This includes credit institutions, investment firms, payment institutions, crypto-asset service providers, central securities depositories, and various types of fund managers.
Exemptions:
Microenterprises are exempted from the scope of this circular. Additionally, Luxembourg branches of financial entities whose head office is in another EU Member State are excluded, as they are expected to report to the competent authority of their home Member State.
Date of Applicability The Circular CSSF 25/892 applies as from May 31, 2025.
Main Subjects and Domains Covered The circular focuses on the reporting obligation for the estimation of aggregated annual costs and losses from major ICT-related incidents. It covers:
- The application of the ESAs’ Joint Guidelines by the CSSF.
- The requirement for financial entities to provide an estimation of costs and losses upon request.
- The use of a specific reporting template.
High-Level Requirements Upon request from the CSSF, financial entities must provide an estimation of aggregated annual costs and losses of major ICT-related incidents. This estimation must be performed in line with the ESAs’ Joint Guidelines and submitted using the defined “reporting template for gross costs and losses and financial recoveries in the reference year.”
Main Concerned Functions The primary functions concerned are those responsible for risk management and regulatory reporting within the financial entities.
List of Required Documents Institutions are required to submit the following upon request:
- Estimation of aggregated annual costs and losses of major ICT-related incidents.
The official “reporting template for gross costs and losses and financial recoveries in the reference year” as defined in Annex I of the Guidelines.
This news for Circular CSSF 25/892 can be considered beneficial under CSSF-Circulars, Central Securities Depositories (CSDs) News, Credit Institutions News, Crowdfunding service providers (CSPs) News, Crypto-Assets Service Providers (CASPs) and Virtual Asset Service Providers (VASPs) News, Data Reporting Service Providers (DRSPs) News, IFMs (AIFMs, ManCos) News, Investment Firms News, Issuers of Tokens (EMTs, ARTs) News, Must Read, Payment Institutions (PIs) / Electronic Money Institutions (EMIs) /AISPs News, Pension funds News.
The pre-filled example templates for CSSF Circular 25/892 should be available at https://ratiofy.lu/templates/ from Christmas 2025.
