CSSF 25/893: reporting a major incident in 4h with EDR/XDR
CSSF Circular 25/893 formalizes DORA reporting for major ICT incidents and significant cyber threats. A well‑tuned EDR/XDR stack speeds up detection, classification, and 4h/72h/1‑month notifications.
Excerpt — On 28 May 2025, the CSSF released Circular 25/893, formalizing the reporting of major ICT incidents and significant cyber threats under DORA. In May 2026, the CSSF made this a supervisory priority. A well‑tuned EDR/XDR stack enables fast detection, sound qualification, and on‑time notifications.
Key facts
On 28 May 2025, the CSSF published Circular CSSF 25/893, which sets, for financial entities under DORA, the practical modalities for reporting major ICT incidents and notifying significant cyber threats (channels, templates, deadlines). The CSSF has since reiterated these requirements: a sector‑wide reminder on 25 July 2025 and, above all, an explicit inclusion in its 2026 supervisory priorities (“considering major incidents reported under Circular 25/893”). In other words: in 2026, complying with this framework becomes a concrete examination topic for the supervisor.
Meanwhile, recent events highlight the operational criticality: on 7 February 2026, the payments provider BridgePay confirmed a ransomware attack that caused a widespread service outage for clients, illustrating how quickly an incident can impact financial flows and user trust (BleepingComputer).
The applicable legal framework
DORA (Regulation (EU) 2022/2554) mandates robust ICT incident management (Arts. 17–20) and harmonized reporting of major incidents and cyber threats. The European authorities (ESAs) have issued technical standards that lock down the content and timelines: initial notification within 4 hours after classification (with a 24‑hour safeguard after detection), intermediate report within 72 hours, final report within one month. See the EBA page on the common standards (“Joint Technical Standards on major incident reporting”), summarizing these milestones and standardized templates (EBA). For a local overview, refer to our page on DORA and operational resilience.
In Luxembourg, Circular CSSF 25/893 clarifies the implementation modalities for DORA entities: classification process, submission channels, required data, and how to articulate “significant cyber threat” notifications. The CSSF also announced that DORA implementation by managers and funds will be monitored in 2026, taking reported incidents into account (2026 priorities).
The technical solution to deploy
EDR/XDR (Endpoint/Extended Detection & Response) provides deep detection, telemetry, and chronology to:
- Detect quickly attack behaviors (ransomware, living‑off‑the‑land, SSO token theft), cut “time‑to‑classify,” and start DORA’s countdown on time.
- Objectively assess materiality using observable metrics (number of affected endpoints/clients, downtimes, exfiltrations), useful for the “major incident” threshold and for completing standardized forms.
- Supply forensic evidence (hash, PID, parent/child process, IOC/IOA, network sessions) required for intermediate/final reports, while tracing containment and remediation actions.
Practically, an XDR stack aggregates EDR, authenticated logs (Windows/Linux, SaaS, cloud), network telemetry (NDR), identity (IdP) and email signals into a single time‑correlated view. Playbooks automate endpoint isolation, IOC blocking, and ticket enrichment (victims, critical systems, RTO/RPO), then pre‑populate DORA template fields (entity/LEI, classification, impacts, measures taken). To speed up this operational layer, support from a managed SOC focused on EDR/XDR is decisive.
References:
• ISO/IEC 27001:2022: A.8.15 (Logging), A.8.16 (Monitoring), A.5.24–A.5.25 (Incident management).
• NIST CSF 2.0: DE.CM (Monitoring), DE.DP (Detection), RS.AN (Analysis), RS.CO (Communication).
• CIS Controls v8: 8 (Audit Log Management), 13 (Network Monitoring & Defense), 17 (Incident Response Management).
How Luxgap delivers this
- Our 24/7 managed SOC runs your EDR/XDR, tunes anti‑ransomware policies (behavioral detection, canaries, LOLBins blocking), orchestrates isolation, and timestamps each step to feed your 4h/72h/1‑month reports. We maintain a timestamped evidence register, reusable for the CSSF.
- Our ISO 27001 governance structures your classification process (DORA thresholds), notification runbooks, and required traceability. We align incident taxonomy with RTS/ITS and set escalation roles (CISO, compliance, communications).
- Our outsourced DPO and CISO consultants validate DORA/GDPR/NIS 2 articulation and avoid inconsistent double notifications. We prepare pre‑filled templates (entity, LEI, contacts), ready as soon as classification occurs.
Real‑world case in Luxembourg or the EU
A payment institution operating in the Greater Region migrated in 6 weeks from a signature‑based antivirus to a managed XDR stack (Windows endpoints, Linux servers, Microsoft 365, firewalls, and proxy). Results: detection time reduced from hours to under 10 minutes on Emotet/loader campaigns, classification of a confirmed incident in 45 minutes (DORA threshold not reached, documentation retained), and a dry‑run notification exercise using DORA templates to test the 4h/72h/1‑month chain. Management received a materiality dashboard (clients, volumes, SLAs) reusable for the CSSF.
First practical steps
- Map your critical logs (EDR, AD/Entra, mail, VPN, proxies, SaaS) and feed them into a single XDR/SIEM. Implement synchronized timestamps (NTP): indispensable for reporting.
- Set DORA thresholds for “major incident” classification based on your volumes (clients, transactions, downtimes) and have them validated by leadership/compliance.
- Pre‑fill DORA templates (entity/LEI, points of contact, scope, critical systems) and run a ransomware table‑top: aim for a notification ready within 4 hours after classification.
- Enable XDR playbooks: auto isolation, file quarantine, secret rotation, degraded modes; log every action for the 72‑hour report. For the continuity angle (RTO/RPO, degraded modes), see our capabilities in business continuity and DORA resilience.
- Brief your executive committee: who decides classification, who signs submission, who speaks to clients? Rehearse the circuit during a “weekend/holiday” slot.
Official sources
- CSSF — Circular 25/893: reporting major ICT incidents and significant cyber threats (DORA)
- EBA — Joint Technical Standards (RTS/ITS) on content, templates, and timelines (4h/72h/1 month)
- CSSF — 2026 priorities for supervising the fund sector (taking into account incidents reported under 25/893)
- BleepingComputer — BridgePay confirms ransomware attack with service outage (7 February 2026)
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →