CSSF Regulation No 24-01 of 5 January 2024
Relating to the notification of incidents according to the Law of 28 May 2019 transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union.
The Executive Board of the Commission de Surveillance du Secteur Financier,
Having regard to Article 129(2) of the Constitution;
Having regard to the Law of 23 December 1998 establishing a financial sector supervisory commission (“Commission de surveillance du secteur financier”), as amended, and in particular Article 9(2) thereof;
Having regard to the Law of 28 May 2019 transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union (the “NIS Law”) and amending the Law of 20 April 2009 establishing the Government IT Centre, as amended, and the Law of 23 July 2016 establishing a High Commission for National Protection;
Having regard to Article 3 of the NIS Law designating the Commission de Surveillance du Secteur Financier (hereinafter, the “CSSF”), as the competent authority for the security of network and information systems covering the sectors of credit institutions and financial market infrastructures as defined in points (3) and (4) of the Annex to the NIS Law, as well as the digital services provided by an entity under the supervision of the CSSF;
Having regard to Article 8(5) of the NIS Law under which the competent authority may specify, by way of a regulation, the parameters, modalities and timeframes for notifications of incidents having a significant impact on the continuity of the essential services that operators of essential services provide;
Having regard to Article 11(3) of the NIS Law under which the competent authority shall determine, by way of a regulation, the modalities, format and timeframe for the notifications of incidents having a substantial impact on the provision of a digital service that digital service providers offer within the European Union;
Having regard to the opinion of the Consultative Committee for Prudential Regulation;
Decides:
Article 1
Definitions
1) For the purposes of this regulation, the following definitions shall apply:
a. “Credit institutions” means credit institutions as defined in point (12) of Article 1 of the Law of 5 April 1993 on the financial sector, as amended (the “LFS”).
b. “Financial market infrastructures” means operators of trading venues as defined in point (43) of Article 1 of the Law of 30 May 2018 on markets in financial instruments and/or central counterparties as defined in point (1) of Article 2 of Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories.
c. “Support PFS” means professionals of the financial sector authorised in accordance with Article 29-3 of the LFS.
d. “Operator of essential services” means, in accordance with point (3) of Article 2 of the NIS Law, a public or private entity of a type referred to in the Annex to the NIS Law, and which meets the criteria laid down in Article 7(2) of the NIS Law.
e. “Essential service” means a service which is essential for the maintenance of critical societal and/or economic activities and which is listed as essential service in Article 2 of CSSF Regulation No 20-04 of 15 July 2020.
f. “Digital service provider” means, in accordance with point (5) of Article 2 of the NIS Law, a legal person that provides a digital service as defined in point (4) of Article 2 of the NIS Law.
Article 2
Incident classification and major incident notification requirements
1) Credit institutions and financial market infrastructures designated as operators of essential services under Chapter 3 of the NIS Law shall classify their incidents in accordance with Article 8(5) of the NIS Law.
2) In accordance with Article 8(4) of the NIS Law, credit institutions and financial market infrastructures designated as operators of essential services shall notify the CSSF, without undue delay, of incidents having a significant impact on the continuity of the essential services they provide.
3) Support PFS that are also digital service providers shall classify their incidents in accordance with Article 11(4) of the NIS Law.
4) In accordance with Article 11(3) of the NIS Law, support PFS that are also digital service providers shall notify the CSSF, without undue delay, of incidents having a substantial impact on the provision of a digital service they offer within the European Union.
5) The classification of incidents referred to in points (1) and (3) of this article, as well as the notification of incidents referred to in points (2) and (4) of this article shall comply with the arrangements further specified in a CSSF circular.
Article 3
Publication and entry into force
1) This regulation shall be published in the Journal officiel du Grand-Duché de Luxembourg and on the CSSF’s website. It shall enter into force on 1 April 2024.