How to comply with article 1 of CSSF 24/847?

Question

I need to bring my Luxembourg organisation into compliance with article 1 of CSSF 24/847 (CSSF 24/847). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Accepted Answer

The classic trapChapter 1 of CSSF Circular 24/847 defines the scope and the key terms: it determines whether you are in scope, and under which framework (DORA, NIS Law, CSSF Regulation 24-01). The CSSF rarely sanctions the definitions themselves; it sanctions incorrect self-qualification, such as a financial entity that wrongly considers itself outside DORA, or an asset manager still relying on the repealed Circular 11/504. Supervisors focus on the consistency between the declared perimeter and the operational reality of ICT systems.Qualification pitfalls to masterConfusing ICT incident under DORA art. 17 with security incident under NIS 2 / NIS Law: thresholds and notification deadlines differ.Forgetting that Circular 24/847 repeals Circular 11/504: any internal policy still citing 11/504 is non-compliant.Misreading the staggered entry into force (1 April 2024 vs 1 June 2024 for some entities) and filing on the wrong template.Underestimating the scope of critical third-party providers: a cloud subcontractor or core banking vendor can trigger a major incident qualification even if the origin is external.Ignoring the link with Circular 20/750 (ICT risk management), which remains the foundation of the control architecture.The CSSF qualification testIn front of the CSSF, you must be able to produce within 24 hours a mapping that shows: (1) which regulatory framework applies to each group entity (DORA, NIS Law, 24-01), (2) which ICT systems qualify as critical under article 1, (3) which third-party providers fall within scope. Without this pre-established mapping, any incident notification arrives late and the procedural breach adds up to the material breach.How Luxgap automates this riskOur Luxgap Regulatory Scope Mapper eliminates the risk of incorrect self-qualification by cross-referencing in real time your CSSF legal status, your actual activity observed on your systems (Sage BOB 50 transactions, Odoo flows, M365 logs, Defender telemetry) and the DORA / NIS 2 / 24-847 grid kept up to date by our regulatory watch. The tool produces an enforceable qualification matrix indicating, for each group entity and each ICT system, the applicable framework and the related reporting obligations.Detects automatically your CSSF status from the official register and cross-checks it with your actual activity to surface mismatches (e.g. a PSF performing operations that fall under DORA without realising it).Classifies each connected ICT system against the article 1 criteria (criticality, supported function, vendor dependency), leveraging the CSSF 20/750 taxonomy.Generates the scope mapping implicitly required by 24/847, ready to be produced during an inspection, with cryptographic timestamping.Alerts instantly on Teams or Slack whenever a perimeter change (new subsidiary, new licence, new cloud vendor) modifies your incident notification framework.Maintains automatically the alignment between your internal procedures and the live regulatory references, flagging...

Chapitre 1 - : Définitions et champ d’application

They trust us

Before we chat