The Luxembourg Financial Sector Supervisory Commission (CSSF) issued a formal reminder on 15 January 2025 regarding the upcoming application of the digital operational resilience act (Dora), which will take effect on 17 January 2025. The CSSF stressed that Dora, along with its associated technical standards published in the EU Official Journal, will “take precedence over any overlapping elements or requirements” in existing CSSF circulars. However, it clarified that circular elements unrelated to Dora will remain valid and enforceable.
To prepare for Dora’s implementation, the CSSF and the European Supervisory Authorities are working to update the relevant guidelines and circulars. While publication dates for these updates are yet to be announced, the CSSF has provided interim practical guidance to help financial entities meet their obligations under the new framework.
Reporting obligations
On 5 December 2024, the CSSF urged financial entities to ensure compliance with two critical preparatory steps: securing a legal entity identifier (LEI) code for report submissions and assigning the role of “IT incident notifier” in the eDesk system. Both are necessary to fulfil the reporting requirements effective from 17 January 2025.
Incident reporting procedure
Starting 17 January, financial entities must report major ICT-related incidents and significant cyber threats through a new dedicated process. This process can be accessed via the “Dora major ICT-related incident and significant cyber threat notification” procedure on the CSSF eDesk portal, or the API interface (S3) provided by the CSSF.
The existing user guide for major ICT-related incidents will be updated to reflect these changes. This new procedure replaces several prior reporting channels, the CSSF noted, including:
- The eDesk procedure “24/847 major ICT-related incident”.
- PSD2 major incident reporting via the Sofie channel under circular CSSF 21/787.
- Direct reporting by significant institutions of cyber incidents to the European Central Bank.
- Reporting of material operational incidents related to ICT risk by CSDs.
Outsourcing reporting obligations
Entities intending to outsource reporting responsibilities under article 6 of the draft ITS must notify the CSSF before their first report submission. They must provide details such as the name, contact information and identification code of the third-party provider handling notifications, as well as the personnel assigned to the “IT incident notifier” role. Despite outsourcing, financial entities will retain full responsibility for protecting sensitive data. Aggregated reporting by third-party providers, as outlined in article 7 of the ITS, is prohibited for the time being.
Weekend and bank holiday reporting
While article 6(4) of the draft RTS exempts most entities from reporting incidents during weekends and public holidays, article 6(5) specifies that certain entities must report during these periods. The CSSF plans to notify affected entities by the end of February 2025.
Register of information submission
The CSSF is required to submit the first register of information to the ESAs by 31 April 2025, with a reference date of 31 March 2025. To meet this requirement, financial entities must submit their registers via eDesk between 1 and 15 April 2025.
The CSSF will conduct validation checks between 15 and 31 April 2025. If errors are detected, entities will be required to correct and resubmit their registers before the final deadline. Following this, the ESAs will carry out additional validation checks in May 2025. If errors are identified during this phase, entities will need to make corrections and resubmit their registers to the CSSF, which will forward the updated versions to the ESAs.
All registers must be submitted in plain CSV format. Unlike during the dry run exercise, the ESAs will not provide tools or scripts to assist entities in generating the required register of information.