CSSF 26/906: governance and DORA-grade immutable backups by June 30

CSSF 26/906 requires PSPs/EMIs to reassess governance and risk management by 30 June 2026. Immutable, isolated backups are the DORA-grade proof of ransomware resilience.

Excerpt — On 20 January 2026, the CSSF issued circular 26/906 requiring payment/e-money institutions to reassess governance and risk management by 30 June 2026. Immutable, isolated backups are the technical proof of DORA-grade ransomware resilience.

The facts

On 20 January 2026, the Commission de Surveillance du Secteur Financier (CSSF) published CSSF Circular 26/906 “Central administration, internal governance and risk management,” applicable to payment institutions (PIs) and electronic money institutions (EMIs). The CSSF requires entities to “assess and review” their governance and risk frameworks to be compliant no later than 30 June 2026, aligning with EBA risk guidance (including ICT/operational risk and business continuity) and Luxembourg sectoral frameworks. Official source: CSSF — circular 26/906 announcement and PDF text.

Why act now? On 9 June 2026, Veeam patched the critical CVE‑2026‑44963, which enables RCE on domain-joined backup servers, a known ransomware vector per CISA KEV history. Coverage: BleepingComputer, 9 June 2026. Bottom line: the backup environment is a priority target. CSSF-driven governance must therefore evidence technical and organisational backup resilience, not merely describe it.

The applicable legal framework

  • CSSF 26/906: raises governance and risk management expectations for PIs/EMIs (central administration, risk management, continuity). Internal deadline: 30 June 2026. Reference: CSSF, circular PDF.
  • DORA (Regulation (EU) 2022/2554): mandates ICT continuity and recovery capabilities. Article 12 requires backup policies, regular testing, logical/physical separation and reliable restoration. Reference: EUR‑Lex — DORA. For a practitioner view, see our take on operational resilience under DORA.
  • NIS 2 (Directive (EU) 2022/2555) — Art. 21: technical/organisational measures including continuity and crisis management (backups, recovery). Reference: EUR‑Lex — NIS 2.
  • ISO/IEC 27001:2022 — Annex A: A.8.13 Information backup and A.5.30 ICT readiness for business continuity define backup strategy, testing and restoration.

Regulatory message: by 30 June 2026, governance must demonstrate effective controls for resilience — especially backups — to withstand compromise and restore services within your commitments. To frame BCP/DRP execution, see our business continuity and DORA resilience service.

The technical solution to deploy

Immutable backups + network isolation (data vault). Goal: make destruction or crypto‑extortion of backups operationally impossible for an intruder, and restore fast with full traceability.

Principles

  • Immutability: WORM copies with enforced retention and non-bypassable admin locks, so that backups cannot be wiped or encrypted even after an AD domain compromise.
  • Network isolation (logical/physical air-gap): vault in a segment with no direct admin path from production, separate accounts, minimal ACLs, deny‑all firewalls and short, auditable ingest windows.
  • 3‑2‑1‑1‑0 copies: at least 3 copies, 2 media, 1 offsite, 1 immutable/isolated, 0 errors verified by restore tests.
  • Identity segregation: no shared admins across prod, backup, vault. Strong MFA on all admin access.
  • Periodic testing: bare‑metal/granular restores, tabletop and technical exercises aligned to DORA Art. 12 (and Art. 24 for continuity testing).
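The 3‑2‑1‑1‑0 rule above is easy to state and easy to claim; the check below, an added example that is not part of the original article, evaluates a constructed backup inventory against each of its five components, treating "0 errors" as "every copy has a recent, clean restore test". Copy names, media and dates are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class BackupCopy:
    name: str
    medium: str                 # "disk", "object", "tape", ...
    offsite: bool
    immutable: bool             # WORM / retention lock enforced, no admin bypass
    isolated: bool              # no direct admin path from production
    last_restore_test: Optional[date]
    restore_errors: int         # errors recorded in the last restore test

def evaluate_3_2_1_1_0(copies: List[BackupCopy], today: date,
                       max_test_age_days: int = 90) -> Dict[str, bool]:
    """Map each component of the 3-2-1-1-0 rule to pass/fail for this inventory."""
    def recently_tested(c: BackupCopy) -> bool:
        return (c.last_restore_test is not None
                and (today - c.last_restore_test).days <= max_test_age_days)
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable_isolated": any(c.immutable and c.isolated for c in copies),
        # "0 errors" only holds if every copy has a recent restore test with no errors
        "0_errors": bool(copies) and all(recently_tested(c) and c.restore_errors == 0
                                         for c in copies),
    }

def failing_rules(copies: List[BackupCopy], today: date) -> List[str]:
    return [rule for rule, ok in evaluate_3_2_1_1_0(copies, today).items() if not ok]

# Constructed inventory: "flat NAS copies" only, never restore-tested...
BEFORE = [
    BackupCopy("nas-daily", "disk", False, False, False, None, 0),
    BackupCopy("nas-weekly", "disk", False, False, False, None, 0),
]
# ...and the same estate after adding a WORM object vault and an offsite tape set
TODAY = date(2026, 6, 1)
AFTER = BEFORE + [
    BackupCopy("vault-worm", "object", True, True, True, date(2026, 5, 20), 0),
    BackupCopy("tape-offsite", "tape", True, True, True, date(2026, 1, 10), 0),
]

if __name__ == "__main__":
    print("before:", failing_rules(BEFORE, TODAY))
    print("after: ", failing_rules(AFTER, TODAY))
```

Note that the "after" inventory still fails the "0" component: the NAS copies were never restore-tested and the tape test is older than 90 days, which is exactly the kind of gap a restore-test register has to surface.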

Compliance deliverables

  • DORA‑compliant backup policy (scope, RPO/RTO, retention, immutability, isolation, keys/encryption, responsibilities, testing schedule) — mapped to ISO 27001 A.8.13 and A.5.30.
  • Network diagrams for the vault, firewall rules, dedicated accounts, access and change logs.
  • Restore test minutes with evidence, deviations and action plan.
  • Ransomware recovery playbooks integrated into the IT continuity plan.

Security impact: even if an attacker gains high privileges (e.g., exploiting a CVE on the hypervisor, EDR or backup server), immutability and isolation prevent erasure of golden copies. The Veeam case (CVE‑2026‑44963) exemplifies this risk and the need to harden and decouple the backup layer (BleepingComputer).

How Luxgap implements this

  • Our ISO 27001 governance: gap assessment across DORA/NIS 2/ISO, drafting the backup policy and runbooks, role matrix (segregation of duties) and evidence register. Certified Lead Implementers/Auditors map each control to DORA articles and ISO A.8.13/A.5.30.
  • Our managed SOC: vault telemetry integration (access logs, retention changes, deletion attempts), analytics for anomalous behaviours (deletion spikes, ingest window changes), 24/7 alerts and containment playbooks — see our managed SOC and incident detection.
  • Our outsourced DPO and CISO: quarterly risk committee, resilience KPIs (tested restore rate, RPO/RTO drift), responses to CSSF inquiries and updated dependency register (vault/storage vendors). For local regulatory context, consult DORA in Luxembourg (CSSF).

Case study in Luxembourg or the EU

A local PSP subject to CSSF 26/906 moved in six weeks from “flat NAS copies” to an immutable, isolated vault:

  • deployed a WORM object‑storage data vault with legal retention;
  • admin access off-domain via bastion and hardware MFA; synchronisation windows fed by a one‑way pull from production;
  • service‑by‑service restore runbooks and documented quarterly tests;
  • vault logs integrated into SIEM with alerts on any policy change attempts.

Outcome: tangible evidence of DORA Art. 12 compliance (policies, testing, separation), validated restoration under 4 hours for critical systems, and a review‑ready CSSF (26/906) dossier. To orchestrate BCP/DRP execution end‑to‑end, see our business continuity plan expertise.

First concrete steps

  1. Before 30/06/2026: have the risk committee recognise backups as a first‑line control for CSSF 26/906 and DORA. Appoint a service owner and validate target RPO/RTO.
  2. Assess your exposure: inventory backup repositories, identity separation, attack surface (ports/admin), encryption and retention. Check whether your versions are affected by recent CVEs (e.g., Veeam CVE‑2026‑44963).
  3. Segment the network: create a dedicated vault segment with deny‑all, distinct accounts, bastion and MFA. Disable any deletion/modification outside maintenance windows.
  4. Enable immutability: WORM/retention on at least one copy. Document break‑glass and log any attempt to reduce retention.
  5. Test and evidence: run a full restore test and record results (timings, deviations, actions). Feed the DORA register and your CSSF 26/906 compliance file.

Official sources
