On 1 September 2023, a bill of law implementing directive 2022/2557 on the resilience of critical entities (the “Bill of Law”) was filed with the Parliament.
The Bill of Law aims at enhancing the resilience of critical entities, notably in the field of cyber security. Critical entities provide essential services in the maintenance of vital societal functions or economic activities in the sectors of energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space, and production, processing and distribution of food. The Bill of Law adds waste management, which is not covered by Directive 2022/2557. As far as the banking and financial sectors are concerned, the Bill of Law applies to credit institutions, operators of trading venues and central counterparties, as defined in the Bill of Law.
Competent authorities in this context are the Commission de Surveillance du Secteur Financier (the “CSSF”) and the Haut Commissariat à la Protection Nationale (the “HCPN”). A national framework for the resilience of critical entities is set up by the HCPN after consultation with the CSSF, on the basis of an assessment of the risks identified by the European Commission. The national framework specifies the strategy to strengthen the resilience of critical entities and provides for strategic objectives and policy measures, built on existing national and sectoral strategies, plans or similar relevant documents. The competent authorities will draw up a list of critical entities and inform them thereof.
The Bill of Law imposes requirements on critical entities, which must in particular:
- inform the competent authority when they provide essential services in six or more Member States,
- carry out an assessment of any risk that could affect them, including terrorist offences,
- take appropriate and proportionate technical, security and organisational measures to ensure their resilience (preventing risks, responding to them, resisting them, recovering from them and raising awareness of incidents), set out in a resilience plan which they put in place and implement,
- designate a liaison officer as a point of contact with the competent authorities,
- notify the competent authority without undue delay of incidents which significantly disrupt or are likely to significantly disrupt the provision of essential services.
In order to assess compliance with the obligations, the competent authorities are authorised to (i) carry out on-site inspections, (ii) remotely supervise the measures taken, (iii) order an audit to check the effective implementation of the measures taken by critical entities and, where appropriate, (iv) impose penalties.
The Grand-Ducal Police is responsible for conducting background checks, prior to recruitment, on individuals (i) who hold sensitive positions within or for the benefit of the critical entity or (ii) who hold the position of head of the critical entity's IT system or control system.
The Bill of Law is currently under legislative process and may be amended.