Out-Law News
07 Mar 2025, 10:12 am
Luxembourg’s financial regulator has decided to postpone the process of identifying and notifying financial services firms that are obligated to report major cybersecurity incidents on weekends or bank holidays.
This delay should provide certain financial businesses with more time to test and develop their incident management systems, a legal expert has said.
These incident reporting duties are set out under Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (DORA), which came into force on 17 January 2025. DORA aims to strengthen the digital operational resilience of the European financial sector as a whole. Amongst other requirements, in-scope entities must report serious incidents in their information and communication technology (ICT) systems.
The regulatory technical standards (RTSs) of DORA specify the criteria for classifying major ICT-related incidents and outline the requirements on the content, format, templates, and timelines for reporting major ICT-related incidents and significant cyber threats.
In general, if the reporting deadline falls on a weekend day or a bank holiday, the financial entity may submit the notification by noon of the next working day. However, certain financial entities considered “essential” or “significant” to the financial system, such as credit institutions, central counterparties, and operators of trading venues, must report major incidents even on weekends and bank holidays.
According to the new EU cybersecurity Directive, known as the NIS 2 Directive, competent authorities in member states are responsible for determining which financial institutions are “essential” or “significant”, and therefore are subject to the obligation to report incidents on weekends and public holidays.
The CSSF, Luxembourg’s financial regulator, was expected to inform the financial entities that are “in scope” for the higher reporting duties before the end of February, but it recently announced that the notifications to the financial firms concerned will not take place until the Directive is transposed into national law.
Aurélie Caillard, a technology lawyer at Pinsent Masons in Luxembourg, said: “Key players in the financial services sector in Luxembourg, which are likely to fall within the requirements, should not view the delay as an excuse to be unprepared for a possible notification from the regulator. Now is a good time to redo IT incident management tests and simulations with the crisis management team.”
The deadline for transposition of the NIS 2 Directive into national law was 17 October 2024. Luxembourg is in the consultation phase for transposing the rules.