CSSF 26/914: AMLA supervision — the ICT inventory becomes vital
CSSF 26/914 identifies entities eligible for AMLA’s direct supervision. Governance and traceability tighten: a reliable, continuous inventory/CMDB is now essential to evidence NIS 2/ISO 27001 controls.
Excerpt — On 25 June 2026, the CSSF issued circular 26/914 identifying entities eligible for AMLA’s direct supervision. In practice: tougher governance and traceability. The operational answer: a reliable, continuous inventory/CMDB to evidence NIS 2/ISO 27001 controls.
Key facts
On 25 June 2026, the CSSF published circular 26/914 detailing the Identification of obliged entities eligible for direct supervision by AMLA (the EU Anti-Money Laundering Authority). This text, applicable to banks, e-money/payment institutions, support PSF, crypto providers (CASP) and other financial actors, raises the bar for governance and visibility over critical ICT functions, services and dependencies — a sine qua non to justify scope, exposures and controls to a direct European supervisor. Official source: CSSF, Circular 26/914, 25/06/2026.
Why is this an “information systems” topic and not only AML/CFT compliance? Because the ability to prove who does what, where, and with which data depends on an up‑to‑date business and technical inventory (assets, applications, flows, accounts, providers). Recent signals confirm it: major leaks often stem from poorly referenced links (SaaS apps, API integrations, cloud environments). A current example in Europe: the Eurail breach disclosed mid‑January 2026, where sensitive data (including ID documents) were exposed; beyond GDPR impact, it illustrates the structural risk from insufficiently mapped systems and integrations. See The Register, 14/01/2026 and Eurail’s own notice 10/01/2026.
The applicable legal framework
- CSSF 26/914 (25/06/2026) — Identification of entities eligible for AMLA direct supervision. Implicit yet clear: maintain robust traceability of critical functions and dependencies, including ICT, to document exposures and controls. Source: CSSF.
- NIS 2, art. 21(2)(d) — Risk management measures including security of supply chains and supplier relationships. Without a reliable and current inventory (assets, software, cloud/SaaS services, third parties), it is impossible to demonstrate the expected control to the authority (ILR in LU) and financial supervisors. EU text: EUR‑Lex (Directive (EU) 2022/2555). For practical guidance, see our page on the NIS 2 directive and essential entities.
- ISO/IEC 27001:2022 — Annex A.5.9 “Asset inventory” and A.5.14/8.16 on supplier and change management: require an asset register with owner, criticality, location and associated data flows. Reference standard to prove an operational ISMS; see also ISO 27001 in Luxembourg.
Executive takeaway: the AMLA/NIS 2 combination moves the Asset Inventory/CMDB from “nice‑to‑have” to an auditable “compliance prerequisite”. Without this evidence, direct supervision and related audits will be risky.
The technical solution to implement
Automated asset inventory and CMDB — The goal is to maintain a living “twin” of your IS and supplier chain:
- Coverage: endpoints (workstations/servers), mobiles, containers, VMs, networks, databases, on‑prem and SaaS apps (via API connectors), privileged accounts, secrets/tokens, cloud resources (IaaS/PaaS/SaaS), providers and subcontractors.
- Continuous collection: EDR/MDM agents, network scans, cloud connectors (AWS/Azure/GCP), ITSM/IDP integrations (Entra/AD/Okta), API and SaaS integration discovery (CASB/SSPM/CSPM), enrichment via vuln scanners.
- Normalization: data dictionary, CMDB schema, deduplication, linkage to owner/criticality/processed data (GDPR categories, banking secrecy, etc.), dependency links (app → database → cloud region → supplier).
- Controls: NIS 2 art. 21(2)(d) compliance views, DORA/NIS 2 registers, attack surface monitoring, automatically discovered shadow IT, cross‑border flow mapping (useful for GDPR art. 44–49), third‑party exposure scoring.
- Security integration: feed SIEM/XDR, trigger SOAR when a new critical asset appears without backup, without MFA, or hosted outside allowed regions. For operations, our managed SOC and incident detection connects these sensors to your processes.
Alignment standards — ISO 27001 Annex A.5.9/A.5.14/A.8.1, NIST CSF v2 (ID.AM, ID.RA‑SCRM), CIS Controls v8 (C1 Hardware Inventory, C2 Software Inventory, C15 SCRM).
How Luxgap deploys this
- Our ISO 27001 governance — We define the inventory policy (ownership, cadence, criticality), the CMDB model and compliance metrics (NIS 2 art. 21(2)(d), AMLA/DORA registers when applicable). Workshops with CIO/DPO/CISO to link assets ↔ data ↔ risks; supported by our fractional CISO and cyber leadership.
- Our managed SOC — We connect the CMDB to SIEM/XDR. “Operational compliance” alerts: new critical asset not inventoried, SaaS without DPA/clauses, sensitive DB without encryption, unevaluated third party: alert + automatic ticket.
- Our outsourced DPO and CISO consultants — We prepare evidence packages: scope, dependency mapping, third‑party and data‑flow registers, dashboards for management and for the authority (CSSF/ILR/CNPD).
Concrete case in Luxembourg or the EU
A Luxembourg support PSF, subject to NIS 2 and the CSSF framework, had to justify its critical dependencies ahead of enhanced audits. In 6 weeks, we:
- deployed auto‑discovery across on‑prem networks and cloud accounts (CSPM);
- integrated 14 key SaaS apps (SSPM) and IdP directories to bind assets ↔ identities;
- normalized the CMDB and linked each application to processed data and providers;
- activated “critical gap” controls: sensitive app without DPA, cloud resource outside EU regions, database without immutable backup;
- published an “AMLA/NIS 2 readiness” dashboard used at executive committee.
Result: clarified scope and accountabilities, 23 compliance gaps closed (including 7 re‑framed SaaS transfers), and an evidence pack ready for CSSF/ILR/CNPD requests.
Practical first steps
- Decide the CMDB data model (assets, apps, data, suppliers, flows) and appoint asset owners per domain.
- Activate discovery on 2 pilot perimeters (e.g., Finance + HR) and connect at least 3 critical SaaS (SSO, CRM, collaboration).
- Map your critical suppliers and link them to services/apps and to data categories processed (incl. outside the EU).
- Connect CMDB ↔ SIEM/XDR and create 5 “compliance hygiene” rules (new critical asset without backup, resource outside allowed zone, SaaS without MFA, etc.).
- Hold a monthly review with CIO/DPO/CISO: gaps, action plans, NIS 2/ISO 27001 metrics, preparation for AMLA/CSSF requests. For assistance, see NIS 2 in Luxembourg and ILR.
Official sources
- CSSF — Circular 26/914 (25 June 2026): Identification of obliged entities eligible for direct supervision by AMLA
- EUR‑Lex — Directive (EU) 2022/2555 (NIS 2), art. 21(2)(d)
- The Register — Eurail: passports and bank data exposed (14 Jan 2026)
- Eurail — Data security incident statement (10 Jan 2026)
Need help structuring your inventory, controls and evidence? Our team can step in quickly — tell us about your context.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →