CSSF regulation: Essential financial services under NIS Directive has been saved
CSSF regulation: Essential financial services under NIS Directive
27 July 2020
Context and objectives
Following Luxembourg’s Law of 28 May 2019 transposing the NIS Directive1, on 20 July 2020, the Commission de Surveillance du Secteur Financier (CSSF) published its Regulation N° 20-04 of 15 July 2020 on the list of services considered as essential for maintaining critical societal and economic activities.
List of essential services
As Luxembourg’s competent authority for the security of networks and information systems covering credit institutions and financial market infrastructure sectors, the CSSF has adopted that:
- For credit institutions, their essential services are:
- a. Custodian bank functions;
- b. Deposit management;
- c. Credit granting;
- d. Investment services; and
- e. Payment services.
- For financial market infrastructures, their essential service is the admission to trading of financial instruments on a regulated market-type trading platform or multilateral trading facility (MTF).
For this Regulation, the CSSF also clarifies the definition of credit institutions, financial market infrastructures, and MTFs as follows:
- Credit institutions: legal persons whose activities consist in receiving from the public deposits or other repayable funds and in granting credits for their own accounts2.
- Financial market infrastructures:
- Trading venue: a regulated market, an MTF, or an organized trading facility (OTF)3.
- Central counterparty (CCP): a legal person that interposes itself between the counterparties of contracts traded on one or more financial markets, becoming the buyer to every seller and the seller to every buyer4.
- MTF: a multilateral system that is operated by a credit institution, investment firm or market operator, which brings together multiple third-party buying and selling interests in financial instruments—within the system and following nondiscretionary rules—in a way that results in a contract under the provisions of Title II of Directive 2014/65/EU5.
This Regulation will enter into force on 1 August 2020.
How can Deloitte help you?
Deloitte’s cybersecurity and risk advisory specialists can help you clarify the impact of regulations, identify potential remedies and then take the necessary steps to put these remedies in place.
Deloitte’s RegWatch Kaleidoscope service can support you in navigating regulatory trends and identifying which are relevant to your activities. And, Deloitte can assist you in structuring your activity to develop new products and adapt to regulatory and market demands.
Deloitte can help organizations prevent cyberattacks and protect valuable assets: https://www2.deloitte.com/lu/en/pages/risk/solutions/cyber-risk.html
1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union.
2 Point 12, Article 1, of the amended law of 5 April 1993 relating to the financial sector.
3 Point 43, Article 1 of the Law of 30 May 2018 on markets in financial instruments.
4 Point 1, Article 2 of Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on over-the-counter (OTC) derivatives, central counterparties and trade repositories.
5 Point 32, Article 1 of the Law of 30 May 2018 on markets in financial instruments.
Subject matter specialists
Regulatory Watch Kaleidoscope service