Key objectives include:
1. Standardizing cybersecurity regulations: Ensuring consistent regulatory technical standards for cybersecurity across the EU
2. Protecting critical services: Safeguarding critical and essential services from potential vulnerabilities and cyberattacks
3. Incident reporting: Mandating the reporting of major ICT incidents to the competent national authority (CSSF in Luxembourg)
Reporting Obligations in Luxembourg
Luxembourg entities must report ICT incidents that occur on weekend days or public holidays to the CSSF by 12 noon on the next working day (as specified in Article 5 of the RTS). However, some entities with significant activities (material entities) must report on the same day, even when it is a non-working day.
Update: Postponement of Material Entity Identification
The CSSF has announced a postponement of identifying material entities in Luxembourg until the full implementation of Directive (EU) 2022/2555 (NIS 2), which DORA and the RTS are based on. This means that financial actors in Luxembourg will need to wait for further guidance on reporting requirements.
What's Next?
As the transposition deadline for NIS 2 was set for 17th October 2024 and has already passed, there is an urgent need for action. Luxembourg is working on the implementation, and we expect new developments regarding the reporting requirements of the RTS under DORA very soon. Stay tuned for updates!