2025-05-28
The CSSF issued Circular 25/893 to establish reporting requirements for major ICT-related incidents and significant cyber threats under the Digital Operational Resilience Act. This circular repeals the previous Circular CSSF 21/787, which applied EBA Guidelines on major incident reporting under PSD2. The new regulation updates the framework for financial entities to ensure consistent and timely disclosure of critical cyber risks and incidents.