Luxembourg - Financial Supervision - CSSF issues Circular 20/750 on requirements regarding ICT and security risk management


In Brief

On 25 August, 2020, the CSSF issued Circular 20/750 on the requirements regarding ICT and security risk management, which transposes and implements the EBA Guidelines on Information and Communication technology (“ICT”) and security risk management. 

The Circular 20/750 is applicable to all credit institutions, all professionals of the financial sector (PSF), as well as all payment institutions and all electronic money institutions.

Besides integrating the ICT Guidelines into its administrative practice and its regulatory approach, the CSSF expects all entities authorised according to the 1993 Law and the 2009 Law - whether or not they are also within the scope of these Guidelines - to implement the content of such ICT Guidelines in order to manage their ICT and security risks. 

In addition, the Circular 20/750 amends certain provisions of the Circular 12/552 specifically on points related to IT Function (point 85 of section 5.2.3) and specifies additional reporting requirements for Payment Service Providers (“PSPs”) pursuant to Paragraph 24 of the ICT Guidelines and Article 105-1(2) of the 2009 Law. The circular also emphasises the importance of ICT and security risk management for the robust internal governance arrangements (i.e. ICT and security risk management framework, mapping of information assets and the assessment of interdependencies related to ICT and security risks).

It is particularly noteworthy that the management of ICT and security risks is vital and relevant in an ever-challenging environment in light of the implications of the Covid-19 pandemic such as a necessary interconnectedness through telecommunication channels to support home-based working models as well as the increasing frequency of ICT and security-related incidents (i.e. cyber-attacks). 

For further information, the Circular 20/750 is available here (only in French). 

Regulatory Background

On 28 November 2019, the European Banking Authority (the “EBA”) issued its final report entitled “Guidelines on information and communication technology (“ICT”) and security risk management” (EBA/GL/2019/04 – the “ICT Guidelines”, available here). 

The aim of the ICT Guidelines is to ensure a sound ICT and security management amongst regulated entities of the financial sector and to ensure a level playing field for all financial institutions. They specify the regulatory expectations related to the management of ICT and security risks in light of the increasing reliance and vulnerability of IT systems, while being methodology agnostic. Complying with the provisions of the Guidelines should be proportionate to the financial institutions’ size and internal organisation as well as the nature, scope, complexity and riskiness of the services and products provided.

What’s next?

​The Circular 20/750 entered into force on 25 August 2020 and repeals Circular 19/713, which at the time transposed the EBA Guidelines on security measures under PSD2.

1. PwC Luxembourg ( is the largest professional services firm in Luxembourg with 3,000 people employed from 75 different countries. PwC Luxembourg provides audit, tax and advisory services including management consulting, transaction, financing and regulatory advice. The firm provides advice to a wide variety of clients from local and middle market entrepreneurs to large multinational companies operating from Luxembourg and the Greater Region. The firm helps its clients create the value they are looking for by contributing to the smooth operation of the capital markets and providing advice through an industry-focused approach.

2. The PwC global network is the largest provider of professional services in the audit, tax and management consultancy sectors. We are a network of independent firms based in 157 countries and employing over 276,000 people. Talk to us about your concerns and find out more by visiting us at and