CSSF Circular 24/847 on ICT-related incident reporting framework: Clock is ticking for Luxembourg investment funds and fund managers

On 5 January 2024, the CSSF issued Circular 24/847, which introduced new ICT-related incident classification and reporting obligations (inspired from the obligations of EU Digital Operational Resilience Act (“DORA”)) replacing the previous reporting regime applicable under CSSF Circular 11/504 for most supervised entities of the financial sector, including but not limited to Luxembourg investment fund managers (“IFMs”) and internally managed UCITS/regulated AIFs (“Funds”).

CSSF Circular 24/847 applies as from 1 June 2024 to Luxembourg IFMs/Funds.

The CSSF also published an FAQ in relation to a number of key aspects of Circular 24/847 and a User Guide to help supervised entities with the submission of their ICT-related notifications. 

Which Luxembourg IFMs/Funds are in scope?

Circular 24/847 applies to the following Luxembourg IFMs, including their branches, and Funds:

• UCITS ManCos subject to Chapter 15 of the UCI Law;
• Internally-managed UCITS SICAV/SICAF within the meaning of Article 27 of UCI Law;
• External authorised AIFMs under Chapter 2 of the AIFM Law;
• Internally-managed regulated AIFs authorised as AIFMs under Chapter 2 of the AIFM Law; and
• ManCos subject to Chapter 16 of the UCI Law (under Articles 125-1 and 125-2 of the UCI law).

For the avoidance of doubt, Luxembourg sub-threshold/registered AIFMs, which do not qualify as Chapter 16 ManCos, are out of scope of Circular 24/847. 

What are the main new requirements for Luxembourg IFMs/Funds?

The main changes and new requirements of Circular 24/847 for Luxembourg IFMs/Funds include:

• Extension of the scope of ICT-related incidents to be reported to the CSSF, which was previously limited to fraud and incidents due to external computer attacks only, as per the reporting scope of Circular 11/504, and will now cover more broadly any ICT operational and security incident(s) having an adverse impact on the availability, authenticity, integrity or confidentiality of the data and/or services provided by IFMs/Funds.
• Internal classification of ICT-related incidents, where IFMs/Funds must internally assess the impact of the relevant ICT-related incidents detected and classify them as “major” or not, in principle no later than 24 hours after detection.

• Reporting of ICT-related major incidents to CSSF, where IFMs/Funds must report to the CSSF: 

  (i) any successful malicious unauthorised access to the network and information systems of the IFMs/Funds (even if the impacts are not immediately known); 

  (ii) any incident other than those referred to in point (i) above classified as a major ICT-related incident in line with the specific criteria provided by Circular 24/847 (which includes in particular the duration, geographical spread, reputational effect, data losses, costs and impact of the incident on the criticality of the IFMs/Funds services, transactions and operations affected (non-exhaustive list));

  (iii) any unclear ICT-related incident for which IFMs/Funds cannot clearly asses if they have to be classified as major (both incidents under (i) and (ii) being deemed as major by the CSSF). 

  For the avoidance of any doubt, under point (ii), the ICT-related incident may occur within the network and information systems of the IFMs/Funds but also within the network and information systems of a third party provider with whom the IFMs/Funds have entered into a business relationship, if any such incident has an adverse impact on the availability, authenticity, integrity or confidentiality of the data and/or services provided by IFMs/Funds.

• New ICT-related incident 3-stage notification process via eDesk or API (S3 protocol), where IFMs/Funds must, in principle, notify the CSSF by completing and submitting the relevant sections of the new dedicated incident notification form within the following time limits depending on the phase they are in: (i) initial notification within 4 hours upon classification containing general information of the incident, (ii) intermediate notification within 3 working days after initial notification with more details on the incident’s cause, consequences and corrective measures, and (iii) final notification within 20 working days after intermediate notification containing the complete analysis of the root cause of the incident. 
• Outsourcing of reporting obligation to a third party provider is possible, but IFMs/Funds will remain fully responsible for the whole content and completion of the ICT-related incident reporting within the applicable timeline. 

What should Luxembourg IFMs/Funds do and by when?

Circular 24/847 enters into force and applies as from 1 June 2024 to Luxembourg IFMs/Funds and their branches (if any) which shall from that date classify and report to the CSSF any major ICT-related incident by considering the criteria, time limits and data fields prescribed by Circular 24/847. 

In order to do so, IFMs/Funds should update the following, amongst others, by 1 June 2024:

• Their ICT policies and procedures, namely to extend the scope of ICT-related incidents to be reported to the CSSF in accordance with Circular 24/847 as well as to define the criteria to classify ICT-related incidents as major and to optimise the data collection process for ICT-related incident classification;
• Their Business Continuity Plan/Disaster Recovery Plan (“BCP/DRP”), namely to include ICT-related incidents within the meaning of Circular 24/847 as triggering events leading to the activation of the BCP/DRP and to establish internal process (internally or with delegate) in order for the ICT conducting officer to be informed immediately of any ICT-related incident and to obtain relevant information in a timely manner;
• Their agreements and operating memorandum with delegates/third party service providers, where applicable, in order for IFMs/Funds to be informed in the event of ICT-related incidents (impacting the IFMs/Funds) and to secure their cooperation to obtain the information required for CSSF reporting.

One note regarding the future reporting requirements under DORA, which will apply as from 17 January 2025. The CSSF confirmed on its website that when all DORA level 2 texts related to incident reporting become applicable, Circular CSSF 24/847 will be amended accordingly.