Luxembourg Financial Regulatory News:

Circular CSSF 25/893 establishes the reporting framework for major ICT-related incidents and cyber threats under the DORA regulation for a wide range of financial entities in Luxembourg. It details the practical requirements for classifying and reporting incidents and threats via the CSSF eDesk portal or API. The circular also mandates that Payment Service Providers (PSPs) not directly covered by DORA must follow these same procedures, simplifying their reporting obligations. For most entities, the circular applies immediately, while for some PSPs, a six-month transition period is provided, after which previous reporting frameworks are repealed.

Read more at https://www.cssf.lu/en/Document/circular-cssf-25-893/

Basis and Inspiration for the Circular

This Circular CSSF 25/893 is issued to provide practical modalities for the classification and reporting of major ICT-related incidents and significant cyber threats as defined in Articles 18 and 19 of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). It also requires certain Payment Service Providers (PSPs) not under DORA to follow these procedures to fulfill their obligations under the Law of 10 November 2009 on payment services (LPS).

Scope of Applicability

The Circular CSSF 25/893 applies to a wide range of financial entities as defined in Article 2(1) of DORA, including credit institutions, investment firms, payment institutions, and crypto-asset service providers. It also applies to all Payment Service Providers (PSPs) as referred to in Article 1(37) of the LPS.

Exemptions

Luxembourg branches of financial entities whose head office is in another EU Member State are excluded from this circular, as they are required to report to the competent authority of their home Member State.

Date of Applicability

For most financial entities (points 1(a) to 1(j)), the Circular CSSF 25/893 applies with immediate effect from its publication date. For PSPs not under DORA (point 1(k)), it applies six months after its publication date.

Main Subjects and Domains Covered

The Circular CSSF 25/893 focuses on the reporting of major ICT-related incidents and significant cyber threats. It covers:

  • The obligation to classify and report these incidents and threats.
  • Practical modalities for notification, including the use of the CSSF eDesk Portal or API.
  • Rules for PSPs not under DORA, requiring them to follow DORA procedures for all ICT-related incidents.

High-Level Requirements

Financial entities must classify and report major ICT-related incidents and, if applicable, significant cyber threats to the CSSF. Notifications must be submitted via the CSSF eDesk Portal or an API interface (S3). Entities are responsible for the content and timeliness of reports, even if outsourced. Aggregated reporting is not permitted for major ICT-related incidents.

Main Concerned Functions

The primary functions involved are those related to ICT risk management, cybersecurity, and regulatory reporting. The Circular CSSF 25/893 is addressed to all financial entities and payment service providers.

List of Required Documents

Institutions must submit the following electronic forms via the CSSF portal or API:

  • An initial notification of a major ICT-related incident.
  • Intermediate report(s).
  • A final report.
  • A voluntary notification for significant cyber threats, if applicable.
  • Notification of the outsourcing of reporting obligations to a third party.

This news for Circular CSSF 25/893 can be considered beneficial under: CSSF-Circulars; Central Securities Depositories (CSDs) News; Credit Institutions News; Crowdfunding service providers (CSPs) News; Crypto-Assets Service Providers (CASPs) and Virtual Asset Service Providers (VASPs) News; Data Reporting Service Providers (DRSPs) News; IFMs (AIFMs, ManCos) News; Investment Firms News; Issuers of Tokens (EMTs, ARTs) News; Must Read; Payment Institutions (PIs) / Electronic Money Institutions (EMIs) / AISPs News; Pension funds News.

The pre-filled example templates for CSSF Circular 25/893 should be available at https://ratiofy.lu/templates/ from Christmas 2025.
