Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, lessons learned from incidents, and developments on the AI Act, NIS 2 and DORA, going beyond the press release.
6 articles found · #cssf
CSSF: DORA takes precedence and clarifies ICT outsourcing (Apr 2025)
CSSF confirmed DORA’s primacy from 17 January 2025 and issued Circular 25/882 to govern third‑party ICT use, the Article 28 register of information, and incident notifications via eDesk.
DORA — TLPT framed by Delegated Regulation (EU) 2025/1190
The Commission clarified TLPT under DORA via Delegated Regulation (EU) 2025/1190. In Luxembourg, the CSSF is the TLPT authority: timeline, scope, and method are now clear.
OVG NRW (20 Feb 2025): no general obligation for end-to-end encryption
OVG North Rhine-Westphalia confirms that “appropriate” encryption under GDPR Art. 32 may be limited to robust transport encryption (TLS), depending on risk. How to align legally and technically.
Cloud CSPM: the answer to CSSF Circular 22/806 on outsourcing
To remain compliant with CSSF in 2026, moving to the cloud is not enough. A CSPM continuously proves correct configuration, monitoring, and auditability as required.
NIS 2 in Luxembourg: Law of 5 May 2026 published—what to do before 10 May
Luxembourg’s law transposing NIS 2 was published on 5 May 2026 and enters into force on 10 May. Broader scope, stronger governance, incident reporting within 24 h/72 h to ILR via SERIMA. Priority actions and official sources.
DORA Article 28: the “ICT dependencies register” expected by the CSSF
Since 17 January 2025, all financial entities subject to DORA must keep a structured register of their ICT contracts. The CSSF has specified the timeline and submission modalities in Luxembourg.