CSSF regulation: Essential financial services under NIS Directive


CSSF publishes Circular 20/750 on requirements regarding information and communication technology (ICT) and security risk management

28 August 2020

Context and objectives

On 25 August 2020, the Commission de Surveillance du Secteur Financier (CSSF) published Circular 20/750 on requirements regarding information and communication technology (ICT) and security risk management (“the circular”), implementing in Luxembourg the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04, “the guidelines”). The guidelines establish the requirements for credit institutions, investment firms, payment institutions and electronic money institutions to mitigate and manage their information and communication technology (ICT) risks, aiming to ensure a consistent and robust approach across all European Union (EU) member states. However, the circular extends the scope of the guidelines to include all professionals of the financial sector (PFS).

The guidelines give financial institutions a better understanding of the supervisory expectations for risk management, covering areas such as ICT governance and strategy, ICT risk management frameworks, information security, ICT operations management, ICT project and change management, and business continuity management. The guidelines are principle-based and flexible enough to be applied to all the sector’s relevant institutions.

Key regulatory aspects

Along with implementing the guidelines, the circular:

  • Updates the existing CSSF Circular 12/552 to align it with the guidelines; 
  • Repeals Circular CSSF 19/713, which implemented EBA/GL/2017/17; and
  • Includes an additional requirement for payment service providers (PSPs), which are required to provide an up-to-date and exhaustive risk assessment to the CSSF annually. The form and deadlines are as follows:

       o for credit institutions, this assessment, signed by the management body, must be submitted as soon as possible after the closing of the financial year and no later than 30 April of each year;

       o for payment institutions and electronic money institutions, this assessment must be included in a dedicated section of the management report on internal control, which must be published in accordance with the requirements set out in Circular CSSF 15/614, no later than the last day of the third month following the closing date of the financial year.

Find out more about the guidelines in our dedicated article “EBA Guidelines on ICT and security risk management—EBA/GL/2019/04”.

What’s in it for my institution?

While the circular targets credit institutions, it is nevertheless advisable for any financial institution to make every effort to comply with its provisions in a way that is proportionate to, and takes account of, your financial institution’s size, internal organization, and the nature, scope, complexity, and riskiness of the services and products that your financial institution provides or intends to provide.

Financial institutions must develop, document and operate strong ICT risk management practices to be able to comply with the guidelines.

Next steps

The circular came into force on 25 August 2020 and is directly applicable; therefore, the date of the first risk assessment is April 2021.

How can Deloitte help?

We remind you that financial institutions will only be able to comply with the guidelines by developing strong ICT risk management practices.

With this in mind, Deloitte can help organizations improve their ICT risk management practices’ maturity by assessing, designing, and implementing:

  • Regulatory compliance assessment—gap assessment against the regulatory requirements outlined in the guidelines.
  • ICT and security risk management capability enhancement—ICT and security risk management policies and standards, processes, tools and technologies.
  • ICT and security risk reporting and culture—ICT, business and board ICT and security risk reporting using key risk indicators (KRIs) to provide visibility to senior management.
  • ICT and security risk assessment—ICT and security risk assessment in the context of digital initiatives or major ICT changes, tailored to the organization’s risk profile and integrated into the organization’s risk management framework.
  • Readiness ICT and security assessment—simulation of competent authorities’ onsite inspection to test the readiness of companies’ processes and practices towards regulatory requirements outlined in the guidelines.

Deloitte’s Regulatory Watch Kaleidoscope service helps you stay ahead of the regulatory curve to better manage and plan upcoming regulations.




Subject matter specialists

Patrick Laurent
Partner – Technology Leader
Tel: +352 45145 4170

Roland Bastin
Partner – Risk Advisory
Tel: +352 45145 2213


Irina Hedea
Partner – Risk Advisory
Tel: +352 45145 2944

Stephane Hurtaud
Partner – Risk Advisory
Tel: +352 45145 4434

Onur Ozdemir
Director – Risk Advisory
Tel: +352 45145 2207

Frederic de Pauw
Senior Manager - Risk Advisory
Tel: +352 45145 4383

Regulatory Watch Kaleidoscope service

Simon Ramos
Partner – IM Advisory & Consulting
Tel: +352 45145 2702

Jean-Philippe Peters
Partner – Risk Advisory
Tel: +352 45145 2276

Benoit Sauvage
Director – Risk Advisory
Tel: +352 45145 4220

Marijana Vuksic
Manager – Risk Advisory
Tel: +352 45145 2311

