Published on 24 July 2025

Reminder regarding ICT-related incident reporting requirements

CSSF

In response to recent events that have received public and media attention, the CSSF reminds all supervised entities of the obligation to submit ICT-related incident notifications in line with the relevant provisions outlined in Circular CSSF 25/893 and/or Circular CSSF 24/847.

Supervised entities are strongly encouraged to thoroughly review the applicable provisions to ensure a clear and comprehensive understanding of the reporting obligations. This includes knowing which types of ICT-related incidents trigger mandatory notification, the specific thresholds that apply, the required timelines for submission and the proper procedures for reporting through the designated channels. While certain incidents may be publicly known or reported by the press, the CSSF emphasises that such public knowledge does not exempt supervised entities from their obligation to report these incidents. Supervised entities are expected to act in accordance with the established requirements without delay.
