CSSF regulation: Essential financial services under NIS Directive



27 July 2020

Context and objectives

Following Luxembourg’s Law of 28 May 2019 transposing the NIS Directive¹, the Commission de Surveillance du Secteur Financier (CSSF) published, on 20 July 2020, its Regulation N° 20-04 of 15 July 2020 on the list of services considered as essential for maintaining critical societal and economic activities.

List of essential services

As Luxembourg’s competent authority for the security of networks and information systems covering the credit institution and financial market infrastructure sectors, the CSSF has adopted the following list:

  • For credit institutions, their essential services are:
    • a. Custodian bank functions;
    • b. Deposit management;
    • c. Credit granting;
    • d. Investment services; and
    • e. Payment services.
  • For financial market infrastructures, their essential service is the admission to trading of financial instruments on a regulated market-type trading platform or multilateral trading facility (MTF).

Additional information

For this Regulation, the CSSF also clarifies the definition of credit institutions, financial market infrastructures, and MTFs as follows:

  • Credit institutions: legal persons whose activities consist in receiving from the public deposits or other repayable funds and in granting credits for their own accounts².
  • Financial market infrastructures:
    • Trading venue: a regulated market, an MTF, or an organized trading facility (OTF)³.
    • Central counterparty (CCP): a legal person that interposes itself between the counterparties of contracts traded on one or more financial markets, becoming the buyer to every seller and the seller to every buyer⁴.
  • MTF: a multilateral system that is operated by a credit institution, investment firm or market operator, which brings together multiple third-party buying and selling interests in financial instruments, within the system and following nondiscretionary rules, in a way that results in a contract under the provisions of Title II of Directive 2014/65/EU⁵.

Next steps

This Regulation will enter into force on 1 August 2020.

How can Deloitte help you?

Deloitte’s cybersecurity and risk advisory specialists can help you clarify the impact of regulations, identify potential remedies and then take the necessary steps to put these remedies in place.

Deloitte’s RegWatch Kaleidoscope service can support you in navigating regulatory trends and identifying which are relevant to your activities. Deloitte can also assist you in structuring your activity to develop new products and adapt to regulatory and market demands.

Deloitte can help organizations prevent cyberattacks and protect valuable assets: https://www2.deloitte.com/lu/en/pages/risk/solutions/cyber-risk.html



1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union.

2 Point 12, Article 1, of the amended law of 5 April 1993 relating to the financial sector.

3 Point 43, Article 1 of the Law of 30 May 2018 on markets in financial instruments.

4 Point 1, Article 2 of Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on over-the-counter (OTC) derivatives, central counterparties and trade repositories.

5 Point 32, Article 1 of the Law of 30 May 2018 on markets in financial instruments.


Subject matter specialists

Stephane Hurtaud
Partner – Risk Advisory
Tel: +352 45145 4434

Roland Bastin
Partner – Risk Advisory
Tel: +352 45145 2213

Patrick Laurent
Partner – Technology Leader
Tel: +352 45145 4170

Irina Hedea
Partner – Information & Technology Risk
Tel: +352 45145 2944

Onur Ozdemir
Director – Risk Advisory
Tel: +352 45145 2207


Regulatory Watch Kaleidoscope service

Simon Ramos
Partner – IM Advisory & Consulting
Regulatory Watch services Co-Leader
Tel: +352 45145 2702

Jean-Philippe Peters
Partner – Risk Advisory & Regulatory Watch services Co-Leader
Tel: +352 45145 2276

Benoit Sauvage
Director – RegWatch, Risk Advisory
Tel: +352 45145 4220

Marijana Vuksic
Manager – Regulatory & Consulting
Tel: +352 45145 2311

