The classic trap
Article 1 of CSSF Circular 11/504 sets a reporting threshold that looks simple but is systematically misread by supervised entities: as soon as an external attack has succeeded (corrupted system, confirmed diversion attempt), it must be reported to the CSSF, even without financial loss. The CSSF sanctions two recurring behaviours: non-reporting of technical incidents wrongly deemed 'without impact', and late filings that prevent the regulator from correlating sector-wide attacks. With DORA and NIS 2 now in force, this reporting perimeter has hardened: the CSSF cross-checks its notification channels and detects omissions after the fact.
The exact line between reportable incident and excluded phishing
The operational trap is to qualify each event correctly. The circular excludes pure phishing (a fraudulent email with no further effect), but includes anything resulting from a successful technical compromise. In practice, the grey zones where the CSSF expects a filing:
- Phishing that led to credential compromise and unauthorised access to the information system (reportable: successful attack).
- Ransomware blocked by EDR after it had already encrypted an isolated endpoint before containment (reportable: corrupted system).
- Attempted payment diversion via Business Email Compromise, caught before execution (reportable: confirmed attempt).
- Exploitation of an external vulnerability (Citrix, Fortinet, Exchange) with code execution, even without proven exfiltration.
- Intrusion at a critical subcontractor affecting the confidentiality of your regulated data.
The defensive reflex of labelling an incident as 'phishing' to avoid reporting is the costliest mistake in a CSSF inspection: the authority reconstructs the timeline through logs and requalifies retroactively.
How Luxgap automates this risk
Our Luxgap Incident Qualifier removes the subjectivity of incident classification by sitting between your SOC and the CSSF. The tool ingests real-time alerts from Microsoft Defender, Azure Sentinel, CrowdStrike, Wazuh and your EDR, then a specialised LLM agent applies the CSSF 11/504 decision grid cross-referenced with DORA RTS 2024/1772 to rule in under 90 seconds: reportable, phishing excluded, or grey zone for DPO/CISO arbitration.
- Automatically detects every security incident escalated by your SOC stack and qualifies it against the exact perimeter of Circular 11/504.
- Distinguishes pure phishing (excluded) from phishing leading to actual technical compromise (reportable) by correlating Azure AD, Defender and proxy logs.
- Pre-fills the CSSF reporting form with timeline, indicators of compromise and containment measures extracted automatically from your systems.
- Alerts the compliance officer via Teams or email as soon as an incident crosses the reporting threshold, with a built-in countdown clock.
- Produces a cryptographically sealed log of every qualification decision, admissible in a CSSF inspection to demonstrate due diligence.
- Synchronises the CSSF 11/504 filing with parallel DORA obligations (major ICT incident register) and NIS 2 where applicable, to avoid divergent declarations.
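As an added illustration of the distinction drawn in the grey-zone list and in the log-correlation bullet above (example code written for this page, not Luxgap's product), the script below correlates a phishing alert with later proxy and sign-in events for the same user. It assumes a constructed event schema and a hypothetical per-user set of previously seen sign-in IPs; a successful sign-in from an unseen IP within the window is treated as evidence of account takeover.

```python
"""Qualify phishing alerts: 'excluded' (email only), 'grey' (lure clicked, no
compromise evidence, for CISO/DPO arbitration) or 'reportable' (attack succeeded).
Events and known IPs below are constructed samples, not real logs."""
from datetime import datetime, timedelta

# Constructed events from three hypothetical sources (hypothetical schema).
EVENTS = [
    {"ts": "2024-03-04T08:02:00", "source": "defender", "type": "phishing_email",
     "user": "a.muller", "msg_id": "m-1"},
    {"ts": "2024-03-04T08:05:00", "source": "proxy", "type": "url_click",
     "user": "a.muller", "url": "https://login-example.invalid/"},
    {"ts": "2024-03-04T08:41:00", "source": "azure_ad", "type": "signin",
     "user": "a.muller", "result": "success", "ip": "203.0.113.9"},
    {"ts": "2024-03-04T09:10:00", "source": "defender", "type": "phishing_email",
     "user": "b.weber", "msg_id": "m-2"},
    {"ts": "2024-03-04T09:12:00", "source": "proxy", "type": "url_click",
     "user": "b.weber", "url": "https://login-example.invalid/"},
    {"ts": "2024-03-04T09:30:00", "source": "defender", "type": "phishing_email",
     "user": "c.klein", "msg_id": "m-3"},
]
# Hypothetical baseline of IPs each user has signed in from before.
KNOWN_IPS = {"a.muller": {"198.51.100.4"}, "b.weber": {"198.51.100.5"}}
WINDOW = timedelta(hours=24)


def _t(event):
    return datetime.fromisoformat(event["ts"])


def qualify_phishing(alert, events, known_ips, window=WINDOW):
    """Return (label, evidence) for one phishing_email alert."""
    start, end = _t(alert), _t(alert) + window
    evidence = []
    for e in sorted(events, key=_t):
        if e["user"] != alert["user"] or not (start <= _t(e) <= end):
            continue
        if e["type"] == "url_click":
            evidence.append(f"click {e['url']} at {e['ts']}")
        elif (e["type"] == "signin" and e["result"] == "success"
              and e["ip"] not in known_ips.get(e["user"], set())):
            evidence.append(f"successful sign-in from unseen IP {e['ip']} at {e['ts']}")
            return "reportable", evidence  # successful attack: CSSF filing due
    return ("grey" if evidence else "excluded"), evidence


def qualify_all(events=EVENTS, known_ips=KNOWN_IPS):
    """Map every phishing_email alert id to its qualification."""
    return {a["msg_id"]: qualify_phishing(a, events, known_ips)
            for a in events if a["type"] == "phishing_email"}


if __name__ == "__main__":
    for msg_id, (label, ev) in qualify_all().items():
        print(msg_id, label, ev)
```

The evidence list is what a compliance officer would paste into the filing's timeline; in a real deployment the IP baseline and the window would come from the identity provider rather than a hard-coded set.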
Available as a complement to a Luxgap CISO mandate or as a standalone SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real SOC alerts, with a free 48-hour trial ('white') audit to measure your reporting exposure before any engagement.