David HAGEN Advisory
 Strategic Advice in ICT and Cybersecurity for the Financial Sector 
Excellence in IT compliance for the financial sector


25 August 2020
Circular CSSF 20/750: Information and communication technology (ICT) and security risk management requirements.  
The CSSF has published the circular on:
  • The implementation of the guidelines of the European Banking Authority in this area (EBA/GL/2019/04);
  • The expectations of the CSSF regarding the measures for managing these risks and the control and security mechanisms for the entities subject to the LSF and the PSL.
The obligations arising from this circular relate to good practices in the management of the IT function. They specify the need for the various lines of defence and their necessary independence and address the areas of governance, strategy, continuity, security, etc.

It is important to note that these requirements apply to all financial professionals with a licence under the Law of 5 April 1993 (the LSF) and not only to credit and payment institutions.

The text also specifies which points of the LSF are covered by these guidelines. Finally, the regulatory framework is adapted to maintain the coherence of the texts (repeal and replacement of CSSF circular 19/713 which transposed the EBA/GL/2017/1 guidelines, amendment of CSSF circular 12/552 and setting of additional requirements for payment service providers (PSPs)).

14 May 2020
Coronavirus (Covid-19): Recommendations to the market on teleworking and a possible return to the office
The CSSF recommends:
  • to continue teleworking as far as possible;
  • to limit to a minimum the return to the workplace, i.e. when tasks cannot be performed remotely. An example would be branches with customer interactions;
  • to hold external meetings by video or audio-conference instead of physical meetings.
For persons returning to work, distancing and security measures are still necessary.