Banking Regulation 2025

LUXEMBOURG Trends and Developments Contributed by: Baptiste Aubry, Carole Schmidt and Adam Obadia, A&O Shearman

Digital Transformation of the Luxembourg Financial Sector: Enhanced Scrutiny by the Luxembourg Regulator Over the years, financial institutions have been increasing their reliance on digital solutions to enhance efficiency, streamline services, and maintain a competitive edge. This trend has accelerated with the advent of disruptive tech - nologies such as artificial intelligence (AI), block - chain, and big data analytics. Financial institu - tions leverage these technologies to automate processes, offer 24/7 banking services, and innovate in areas like robo-advisory and digital payment transactions. However, digitalisation of services also exposes financial institutions to new risks that must be adequately identified, mitigated, and managed, particularly in areas like cybersecurity and operational resilience. Building upon new legislative developments and faced with a 64% increase of ransomware attacks in the financial sector in 2023, the Lux - embourg regulator of the financial sector, the Commission de Surveillance du Secteur Finan- cier (CSSF) has heightened its expectations for entities under its supervision over the past two years. This article identifies certain key points of atten - tion of the CSSF in this field, to which supervised entities of the banking sector in the broad sense of that term should pay particular attention in order to ensure that their governance arrange - ments, policies, and procedures are aligned with the regulator’s expectations. We also provide an insight into the CSSF’s support of innovation in the financial sector as well as expected develop - ments in that field.

Key Points of Attention of the CSSF Overall management of ICT risk and ensuring digital resilience With the increased digitalisation of the finan - cial sector, the sector is more exposed to cyber threats and risk of ICT disruptions. Conscious of this risk, the CSSF quickly issued CSSF circular 20/750 in August 2020 by which it endorsed the EBA guidelines on ICT and security risk man - agement. This circular was amended in Decem - ber 2022 to include additional requirements for payment service providers to assess ICT and security risks related to the payment services they provide. Given the critical importance of ICT for the prop - er provision of financial services nowadays, the EU legislature decided to go a step further in the harmonisation process for digital operational resilience across the EU, leading to the adoption of the Digital Operational Resilience Act (DORA) on 14 December 2022. DORA provides for a set of rules on ICT governance and risk manage - ment, reporting of ICT-related incidents, testing of digital operational resilience, management of risks associated with ICT third-party service providers and sharing of information with peers. While DORA will become applicable from 17 January 2025, the CSSF has anticipated the upcoming requirements by issuing CSSF Circu - lar 24/847 one year ahead of the DORA imple - mentation deadline. This CSSF Circular defines a harmonised ICT-related incident report - ing framework largely aligned with the DORA requirements but applicable from 1 April 2024. Furthermore, this framework applies not only to supervised entities that will be in the scope of DORA but also to other types of entities super - vised by the CSSF, such as specialised and sup - port professionals of the financial sector (PFS). In parallel, the CSSF issued, on 5 January 2024,

341 CHAMBERS.COM

Powered by