CSSF 26/904: stronger ICT evidence — inventory/CMDB becomes essential
CSSF Circular 26/904 tightens investment firms’ self‑assessment by requiring concrete evidence on ICT organization. An automated inventory and a relational CMDB are the most reliable way to demonstrate effective control.
On 8 January 2026, the CSSF issued Circular CSSF 26/904 updating the practical rules for the Long Form Report and the self‑assessment questionnaire for investment firms, explicitly embedding ICT organization and internal control mechanisms. Here is the concrete solution—an automated inventory/CMDB—that demonstrates control and immediately reduces third‑party risk.
Key facts
Luxembourg’s regulator published CSSF Circular 26/904 on 8 January 2026. It updates Circular 24/853 (as amended by 25/870) and clarifies the practical rules for the Long Form and the investment firms’ self‑assessment. It raises expectations for governance, risk management, and ICT organization and formalizes how evidence must be documented and presented to auditors and the CSSF.
This tightening comes as supply‑chain attacks multiply: on 8 June 2026, SoFi Hong Kong confirmed a breach via a third‑party vendor exposing customer data, after detecting unauthorized access on 30 April 2026. The incident highlights the need for exhaustive, up‑to‑date visibility on assets, providers, and interconnections to rapidly qualify exposure and brief authorities. Source: BleepingComputer.
Applicable framework
- CSSF Circular 26/904: updates Long Form and self‑assessment rules for investment firms, embedding requirements for central administration, risk management, and ICT organization. Concrete expectation: maintain probative evidence on the asset inventory, ownership, controls, and audit trail to let auditors and CSSF assess effectiveness. Refs: CSSF 26/904 and PDF.
- Control standards and frameworks that structure the expectation:
- ISO/IEC 27001:2022 Annex A.5.9 “Inventory of information and other associated assets” and A.5.10 “Responsibilities for assets.” For local implementation, see our focus on ISO 27001 governance in Luxembourg.
- NIST CSF 2.0 – Identify function, category ID.AM (Asset Management).
- CIS Critical Security Controls v8 – CSC 1 (Enterprise Asset Inventory) and CSC 2 (Software Inventory).
Practical reading: although 26/904 targets investment firms, its evidence expectations (traceability, effective controls, ICT risk coverage) reflect Luxembourg regulators’ broader trajectory—now commonly requiring to show (not merely declare) that ICT and supplier risks are under control.
The technical solution to deploy
Automated asset inventory and a “real‑life” CMDB. The goal is to continuously produce a reliable view of:
- Hardware assets: servers, endpoints, network gear, IoT/OT.
- Software assets: OS, applications, versions, patches, security agents.
- Cloud/SaaS services and integrations (APIs, connectors, OAuth), including technical accounts and entitlements.
- Flows and critical dependencies (interconnections, providers, sites).
In practice:
- Multi‑source collection: EDR/XDR agents, network scanners, hyperscaler/SaaS APIs, MDM/IdP, directories, CI/CD registries. Tooling must deduplicate and normalize to avoid a “ghost inventory.”
- Relational CMDB: models Configuration Items, their attributes, and their dependencies (who talks to whom, hosted where, by which provider), with versioning and an audit trail.
- Embedded controls: completeness rules (e.g., 100% of endpoints with EDR, encryption enabled), drift vs. benchmarks (ISO 27001, CIS), alerts for divergence (new unmanaged asset, unapproved SaaS, over‑privileged OAuth token).
- SOC/SIEM consumption: inventory enriches detection (asset criticality), investigation (who was exposed?), and regulatory qualification (impact, scope, affected providers) for notifications. Integration with a managed SOC for detection and response maximizes operational value.
Outcome: a reusable body of evidence for the Long Form and self‑assessment (CSSF 26/904), demonstrating ownership, effective controls, and ICT risk coverage—including third parties and SaaS—with dated, signed exports.
How Luxgap deploys this
- Our ISO 27001 governance: Lead Implementers/Auditors frame ISO 27001 scoping (Annex A.5.9/A.5.10), define the CMDB data model, asset‑owner policies, and the review cycle (completeness KPIs, compliance, exceptions). When privacy is in scope, a fractional external DPO aligns registers and DPIAs.
- Our managed SOC: we wire the CMDB into the SIEM/XDR to contextualize detections (critical vs. non‑critical), prioritize incidents, and deliver audit‑ready dashboards (EDR coverage, encryption, patching, SaaS privilege drift).
- Our outsourced CISO and DPO consultants: align the inventory with GDPR records, flow mapping, supplier reviews, and contractual clauses (responsibilities, notification duties, reversibility) to respond calmly to auditor and CSSF requests.
Practically, we do not “drop a tool”: we orchestrate connectors, define controls, integrate with IdP/MDM/EDR/Cloud, and implement the formalized reports expected (asset lists by criticality, responsibility matrix, log of corrected deviations).
Case study in Luxembourg or the EU
A supervised investment firm deployed an automated CMDB in 8 weeks, covering 3 datacenters, 2 clouds, and 14 critical SaaS. API connectors (cloud/IdP/SaaS) and EDR agents lifted completeness to 96% on endpoints and 100% on privileged technical accounts. The Long Form included: (1) dated, signed inventory, (2) A.5.10 responsibility matrix, (3) evidence of alerts and remediation (rogue assets, unapproved OAuth integrations). During a provider incident, the team isolated potentially exposed CIs and users in under 3 hours and justified materiality and control status to the auditor.
First concrete steps
- Decide on the foundation: validate the CMDB model (CIs, attributes, dependencies) and sources of truth (IdP, MDM, EDR, Cloud). Avoid a big‑bang—start with the critical perimeter (front office, middle, crown jewels).
- Activate 5 key connectors first: IdP (accounts/roles), EDR (endpoints), Cloud (IaaS/PaaS), MDM (mobiles), main SaaS (e.g., CRM/ITSM). Target >90% completeness within 30 days.
- Define 10 measurable controls (e.g., 100% encrypted endpoints, no critical CI without an owner, no OAuth integration without review), with alert thresholds and owners.
- Hook into the SOC/SIEM: enrich logs with asset criticality and build audit views (agent coverage, patching, privilege drift) reusable in your Long Form/self‑assessment.
- Run a quarterly review signed off (CISO + internal audit): documented exceptions, risk decisions, remediation actions. Keep dated exports for reviewers and the CSSF.
Official sources
- CSSF — Circular CSSF 26/904 (8 January 2026) and PDF.
- Security news: BleepingComputer — SoFi Hong Kong confirms third‑party breach (8 June 2026).
Want to scope this for your environment? Reach out via our Contact page.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →