CSSF Circular 11/504 on frauds and incidents due to external IT attacks.
The CSSF obligation to report frauds and IT attacks for the financial sector.
Who is concerned?
This circular is broken down into 2 sections analysed one by one, each with the official text and Luxgap practical guidance for compliance in Luxembourg.Key obligations
The CSSF obligation to report frauds and IT attacks for the financial sector.
Luxgap supports CSSF-supervised entities (banks, PFS, payment and e-money institutions, management companies, funds) in complying with this circular: gap analysis, policy and register updates, CSSF inspection readiness, articulation with the DORA Regulation and the NIS 2 framework where relevant.
Deadlines
See the official CSSF text for precise application dates. Most recent ICT circulars articulate with the DORA Regulation, applicable since 17 January 2025.
Sanctions for non-compliance
Non-compliance exposes entities to CSSF administrative sanctions: injunctions, pecuniary sanctions, restrictions or suspension of authorisation.
How Luxgap helps
The CSSF obligation to report frauds and IT attacks for the financial sector.
Luxgap supports CSSF-supervised entities (banks, PFS, payment and e-money institutions, management companies, funds) in complying with this circular: gap analysis, policy and register updates, CSSF inspection readiness, articulation with the DORA Regulation and the NIS 2 framework where relevant.
Let's set up your CSSF compliance.
Configure a quote for a compliance audit on this circular. Reply within one business day.
Build my quote →