
CSSF 25/880 — the 2026 PSP ICT Assessment requires continuous VM

The CSSF opened the 2026 “PSD2 – PSP ICT Assessment” campaign: every PSP must submit an up‑to‑date ICT risk assessment via eDesk. Continuous vulnerability management aligns with NIS 2 Art. 21 and DORA Arts. 25–27.

On 9 February 2026, the CSSF opened the “PSD2 – PSP ICT Assessment” campaign: each PSP must submit an up‑to‑date ICT assessment via eDesk (circular 25/880). Here is how continuous vulnerability management meets NIS 2 Art. 21 and DORA Arts. 25–27 and gets you compliant fast.

Key facts

On 9 February 2026, the CSSF announced the launch of the “PSD2 – PSP ICT Assessment” campaign for fiscal year 2025: payment service providers (PSPs) must file a comprehensive and up‑to‑date ICT risk assessment via the eDesk portal (webform or S3 API), under CSSF Circular 25/880. In 2025 the CSSF clarified that this national requirement (ex‑25/750) is now embedded in 25/880, alongside the management of the payment services user relationship. In other words: even under DORA, PSPs must annually deliver an evidence‑based, operational view of their ICT risks, with vulnerability management as a cornerstone. (CSSF, 09/02/2026) (CSSF Circular 25/880).

The applicable legal framework

  • CSSF Circular 25/880 — requires PSPs to submit an annual “PSP ICT Assessment” with a “comprehensive and up‑to‑date” ICT risk evaluation via eDesk. The 2026 campaign is the practical execution. (25/880 text) (2026 campaign announcement).
  • NIS 2 — Article 21 — mandates state‑of‑the‑art cyber risk management measures, including vulnerability management, logging, access control, and continuity. Management bodies must approve and oversee implementation. See our overview of the NIS 2 directive. (EUR‑Lex, Dir. 2022/2555, Art. 21).
  • DORA (EU 2022/2554) — Articles 24–27 — define the digital operational resilience testing programme: regular testing of ICT tools and systems (Art. 25), and, for designated entities, TLPT (Threat‑Led Penetration Testing) based on TIBER‑EU (Arts. 26–27). These rely on a sound vulnerability management baseline. For a detailed overview, see our DORA page. (EUR‑Lex, DORA) (DNB, TLPT/TIBER‑EU).
  • ISO/IEC 27001:2022 — Annex A 8.8 — formalizes management of technical vulnerabilities as a mandatory technological control within an ISMS. (Annex A 8.8 reference).

The technical solution to deploy

Continuous vulnerability management (VM) = detect, prioritize, remediate, and verify in a tight loop. In practice:

  • Discovery and coverage — automatic mapping of the attack surface (on‑prem, cloud, endpoints, containers), including software dependencies and exposed services. Feeds your DORA/NIS 2 registers (assets, dependencies, critical functions).
  • Orchestrated scans + agents — authenticated/unauthenticated network scans, agents on servers/VMs/containers, SCA and SBOM for third‑party components.
  • Risk‑based prioritization — correlation of CVE/CVSS, exploitability (EPSS), internet exposure, business criticality, and existing mitigations. Tackle first what is exploited and exposed.
  • Remediation and patching — ITSM/CMDB integration to open tickets, link to change, steer SLAs (e.g., 7/30/90 days by severity), and trigger automated fixes where feasible.
  • Verification and evidence — targeted rescans, drift control, and audit‑ready reporting: trend dashboards, mean time to remediate, coverage of critical assets. These outputs document the “PSP ICT Assessment” and feed your DORA/NIS 2 file.

Useful references: ISO 27001 A.8.8 (vulnerabilities), NIST CSF 2.0 (ID‑AM, PR‑IP, DE‑VM), CIS Controls 7/16/18 (continuous vulnerability management, asset inventory, application security).

How Luxgap delivers this

  • Our 24/7 managed SOC — we correlate VM findings with EDR/XDR detections and network telemetry: when a critical vulnerability is present on an asset and exploitation attempts are observed, the alert is escalated and a containment plan is issued. Actions are tracked for CSSF/DORA reports. Learn more about our managed SOC.
  • Our ISO 27001 governance — our Lead Implementers/Auditors structure the A.8.8 process: scope, roles, prioritization criteria, SLAs, ITSM/CI/CD integration, and production of the required evidence (essential for Circular 25/880 and NIS 2 Art. 21 checks).
  • Our outsourced DPOs and CISOs — align VM, change management, and supplier clauses (DORA Arts. 28–30); they prepare management dashboards (accountable under NIS 2 and DORA) and validate the eDesk submission. See our outsourced CISO service and our DORA overview.

Real‑world case in Luxembourg or the EU

A mid‑size payment institution based in Luxembourg had to produce its 2026 “PSP ICT Assessment”. In six weeks, Luxgap:

  1. Deployed an attack‑surface map (on‑prem + cloud), VM agents, and authenticated scans.
  2. Implemented risk‑based prioritization (EPSS + internet exposure + service criticality) and remediation SLAs of 7/30/90 days linked to ITSM.
  3. Automated evidence: monthly progress reports, mean time to remediate, coverage of “critical or important” assets (DORA), and a structured export for eDesk.

Outcome: a complete file for the CSSF (25/880), a board‑validated dashboard (NIS 2 Art. 21), and a solid foundation to plan DORA testing (Arts. 25–27), including a targeted TLPT dry‑run on a critical function.

Practical first steps

  1. Fix scope and inventory — list ICT assets (on‑prem, cloud, SaaS), “critical or important functions” (DORA), and exposed applications. Without a reliable inventory, VM cannot be effective.
  2. Start scans and agents — run weekly authenticated scans and deploy agents on servers/VMs/containers. Add SBOM analysis for key applications.
  3. Set remediation SLAs — by severity/exploitability (e.g., EPSS > 0.7), with realistic, measurable deadlines. Connect ITSM to track changes.
  4. Industrialize evidence — prepare a “PSP ICT Assessment” report with: methodology, coverage, prioritized backlog, remediation timelines, exceptions rationale, and management sign‑off.
  5. Anticipate DORA 24–27 — plan a testing cycle: targeted code reviews, annual pentests, and, if designated, a TIBER‑EU TLPT. Document the linkage between VM findings and test scenarios. (DNB).
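The prioritization, SLA and evidence steps described in “The technical solution to deploy” and in the practical first steps above can be made concrete in a few dozen lines. The following is an added illustration, not Luxgap’s tooling or any vendor’s product: the EPSS > 0.7 threshold and the 7/30/90‑day SLA tiers come from the article, while the way the factors (CVSS, EPSS, internet exposure, DORA criticality, existing mitigations) are combined into a tier, the asset and finding names, and the placeholder vulnerability identifiers are assumptions constructed for the example.

```python
"""Risk-based prioritization, SLA tracking and evidence metrics for a
continuous vulnerability-management loop.

Illustrative example only (not Luxgap's or a vendor's code). Thresholds
7/30/90 days and EPSS > 0.7 follow the article; the combination logic,
sample assets and VULN-000x identifiers are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    internet_exposed: bool
    critical_function: bool   # DORA "critical or important function"
    scanned: bool             # covered by authenticated scan or agent


@dataclass
class Finding:
    vuln_id: str              # placeholder id, not a real CVE
    asset: Asset
    cvss: float
    epss: float
    mitigated: bool = False   # compensating control already in place
    opened: date = date(2026, 1, 5)
    closed: Optional[date] = None


SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}   # remediation SLA by tier


def priority(f: Finding) -> str:
    """Tier a finding: exploited-and-exposed first, then severity/criticality.

    An existing mitigation lowers the tier by one step but never closes it,
    so the finding stays in the backlog as evidence for the assessment.
    """
    exploited_and_exposed = f.epss > 0.7 and f.asset.internet_exposed
    if exploited_and_exposed or (f.cvss >= 9.0 and f.asset.critical_function):
        tier = "P1"
    elif f.cvss >= 7.0 or f.epss > 0.7 or f.asset.critical_function:
        tier = "P2"
    else:
        tier = "P3"
    if f.mitigated and tier != "P3":
        tier = "P2" if tier == "P1" else "P3"
    return tier


def due_date(f: Finding) -> date:
    return f.opened + timedelta(days=SLA_DAYS[priority(f)])


def is_overdue(f: Finding, today: date) -> bool:
    return f.closed is None and today > due_date(f)


def mean_time_to_remediate(findings: List[Finding]) -> Optional[float]:
    """MTTR in days over closed findings; None when nothing is closed yet."""
    durations = [(f.closed - f.opened).days for f in findings if f.closed]
    return mean(durations) if durations else None


def critical_asset_coverage(assets: List[Asset]) -> float:
    """Share of DORA-critical assets actually covered by scans/agents."""
    critical = [a for a in assets if a.critical_function]
    return sum(a.scanned for a in critical) / len(critical) if critical else 1.0


def evidence_report(findings: List[Finding], assets: List[Asset], today: date) -> Dict:
    """The numbers an assessor asks for: open backlog by tier, SLA breaches,
    MTTR and coverage of critical assets."""
    open_by_tier = {t: 0 for t in SLA_DAYS}
    for f in findings:
        if f.closed is None:
            open_by_tier[priority(f)] += 1
    return {
        "open_by_tier": open_by_tier,
        "overdue": [f.vuln_id for f in findings if is_overdue(f, today)],
        "mttr_days": mean_time_to_remediate(findings),
        "critical_asset_coverage": critical_asset_coverage(assets),
    }


# Constructed sample data (not real assets or vulnerabilities).
GATEWAY = Asset("payment-gateway", internet_exposed=True, critical_function=True, scanned=True)
HR_PORTAL = Asset("hr-portal", internet_exposed=False, critical_function=False, scanned=True)
LEDGER_DB = Asset("core-ledger-db", internet_exposed=False, critical_function=True, scanned=False)
ASSETS = [GATEWAY, HR_PORTAL, LEDGER_DB]

FINDINGS = [
    Finding("VULN-0001", GATEWAY, cvss=8.1, epss=0.92),                       # P1, still open
    Finding("VULN-0002", LEDGER_DB, cvss=9.8, epss=0.05, mitigated=True,
            closed=date(2026, 1, 20)),                                         # P1 -> P2, fixed
    Finding("VULN-0003", HR_PORTAL, cvss=5.3, epss=0.01),                      # P3, open
    Finding("VULN-0004", GATEWAY, cvss=7.5, epss=0.30, closed=date(2026, 1, 15)),  # P2, fixed
]

if __name__ == "__main__":
    print(evidence_report(FINDINGS, ASSETS, today=date(2026, 2, 9)))
```

Run with the campaign opening date as “today” and the report shows one P1 finding past its 7‑day SLA, an MTTR of 12.5 days, and only half of the DORA‑critical assets covered by scanning: exactly the gaps (SLA breach, inventory coverage) an assessor will look for, and the reason the first practical step above is a reliable inventory.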

Official sources
