AGEFI Luxembourg - June 2025
Advisory / CSR (Conseil / RSE)

REGULATORY COMPLIANCE SENTINEL (© 2025 Deloitte Tax & Consulting, SARL)
Regulatory framework – New publications, May 2025

31 May 2025, Luxembourg
The CSSF publishes circular CSSF 25/892 applying the joint ESA guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 (JC 2024 34)

On 28 May 2025, the CSSF published circular CSSF 25/892 on the application of the joint guidelines of the European Supervisory Authorities (ESAs) on the estimation of aggregated annual costs and losses resulting from major incidents related to information and communication technology (ICT). These guidelines form part of the implementation of Regulation (EU) 2022/2554, DORA. The circular applies to all entities subject to DORA, with the exception of microenterprises as defined in DORA. It is addressed to financial institutions under CSSF supervision and aims to ensure consistent, transparent and accurate reporting of the financial impact caused by significant ICT-related disruptions. Such incidents can include cyber-attacks, system outages or other technology-related events that affect the continuity of critical services.

The main elements of the circular are the following:
• Scope and definitions: it gives clear explanations of what constitutes a major ICT-related incident and of how to determine when an incident triggers reporting obligations.
• Cost and loss categories: it gives guidance on identifying and categorising the different types of costs and losses, including direct financial losses, operational costs, reputational damage and regulatory fines or penalties. The guidelines provide detailed methodologies for estimating direct costs (for example IT remediation, investigations, regulatory fines) and indirect costs (for example reputational damage, loss of revenue, increased operational costs).
• Estimation methods: it gives instructions on how to aggregate costs over the year, taking into account both individual incidents and their cumulative effects, so as to produce an annual cost estimate. Financial entities must aggregate the costs and losses caused by an incident on an annual basis, ensuring consistency across reporting periods.
• Reporting requirements: it details how and when institutions must submit their aggregated cost and loss estimates to the CSSF, ensuring alignment with the common ESA framework. Financial entities, excluding microenterprises, must provide, on request from the competent authorities, an annual estimate of the costs and losses resulting from major ICT-related incidents. The reporting must be transparent and supported by documentation.

The objective is to improve the supervision of risks to operational resilience, to foster better risk management within institutions and to facilitate monitoring of the sector’s exposure to ICT-related threats. By following this circular, financial entities contribute to a more resilient financial system that can better anticipate, absorb and recover from ICT-related disruptions, in line with the EU-wide digital operational resilience objectives.

The circular entered into application in May 2025.

9 April 2025, Luxembourg
The EU publishes Commission Delegated Regulation (EU) 2025/1003 of 24 January 2025 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council as regards OTC derivatives identifying reference data to be used for the purposes of the transparency requirements laid down in Article 8a(2) and Articles 10 and 21

In May 2025, the European Union published Commission Delegated Regulation (EU) 2025/1003 of 24 January 2025 supplementing Regulation (EU) No 600/2014 (MiFIR) as regards the identifying reference data to be used to meet the transparency requirements laid down in Articles 8a, 10 and 21. The regulation introduces mandatory reference data that allow market participants and competent authorities to correctly identify OTC interest rate swaps and credit default swaps, in particular those that do not follow standard market conventions. It supports the EU’s broader objectives of improving market transparency, reducing systemic risk and aligning with the G20 commitments and the global FSB and CPMI-IOSCO initiatives on OTC derivatives markets.

From 1 September, the following data must be used to satisfy these requirements:
• for interest rate swaps, the data set out in the table in the annex to the regulation;
• for interest rate swaps and OTC CDS, the unique product identifier (UPI) as defined in the ISO 4914 standard.

These data will in particular make it possible to identify contracts that do not follow the standard terms linked to their underlying reference rate, by capturing elements such as the business day adjustment convention, the fixing lag, the payment schedule and the absence of additional payments.

From 1 September, these reference data must be used for transparency reports. The deferred application is intended to give market participants time to put in place the measures needed to comply with the new obligations. To ensure coordinated implementation, this provision is aligned with the delegated regulation adopted under Article 8a of MiFIR. In addition, in accordance with the fourth subparagraph of Article 27da of MiFIR, the entry into application of this regulation triggers a three-month period for ESMA to initiate the selection procedure for the single consolidated tape provider for OTC derivatives, provided that the procedure for shares and ETFs was launched at least six months earlier.

The regulation enters into force in June 2025.

28 May 2025, Luxembourg
The CSSF publishes its circular on the notification of major ICT-related incidents and significant cyber threats under the Digital Operational Resilience Act (DORA)

In May 2025, the CSSF published a circular on the reporting of major ICT-related incidents and significant cyber threats under DORA. The text sets out the detailed procedures for notifying major ICT-related incidents and significant cyber threats under the Digital Operational Resilience Act (DORA). It applies primarily to financial entities supervised by the CSSF that fall within the scope of DORA (“DORA entities”), as defined by specific articles of the regulation.

Importantly, the circular extends the DORA reporting framework to payment service providers (PSPs) that are not themselves covered by DORA but are supervised under the law of 10 November 2009 on payment services (LPS). These PSPs must comply with the same ICT incident classification and reporting obligations as DORA entities, covering all ICT-related incidents, not only those related to payment services, in order to harmonise reporting and avoid duplicate submissions. The circular provides a six-month transition period to allow these non-DORA PSPs to adapt to the new reporting requirements.

Until the national transposition of the NIS 2 Directive, circular CSSF 24/847 remains in force for entities outside the scope of DORA and for PSPs during their transition. However, from the date of entry into force, DORA entities and PSPs subject to the new circular are no longer required to report ICT incidents under circular 24/847.

Overall, the circular provides a streamlined and coherent framework to improve the supervision and management of ICT risks and cyber threats across a broad range of financial entities and payment services in Luxembourg.

Chapter on classification and notification of incidents – PSPs outside DORA
PSPs outside DORA must:
• apply the definitions taken from the DORA regulation (see annex);
• classify ICT-related incidents and cyber threats in accordance with Chapters I to III of the RTS on classification (Chapters IV and V are not applicable);
• notify the CSSF of every major ICT incident and every significant cyber threat via the RTS and ITS on incident notification.

Chapter on practical notification arrangements – All financial entities
Financial entities must:
• submit notifications via the CSSF eDesk portal or via the API interface, using the form “DORA Major ICT-related Incident Notification”;
• respect the time limits set in the RTS on incident notification (initial notification, intermediate report, final report);
• complete the required fields according to Annexes II and IV of the ITS on incident notification;
• not group notifications (aggregated reporting is not permitted).

The CSSF specifies that no consolidated notification will be accepted, even if several incidents occur simultaneously or are related. This position follows from a strict assessment of the conditions laid down in the ITS on incident notification.

Next steps
For financial entities that fall directly within the scope of DORA (points (a) to (j)), the circular applies immediately and the two earlier CSSF circulars it replaces are repealed.
For PSPs that do not fall within the scope of DORA (point (k)), the circular applies six months after its publication, i.e. at the end of November 2025, with the existing frameworks remaining valid during the transition.
Regulatory Evolution in ESG Disclosure
By Oriane KAESMANN, Research Manager, the LHoFT

Since 2019, environmental, social, and governance (ESG) regulation has reshaped the operating landscape for companies across the European Union. Ambitious frameworks such as the Corporate Sustainability Reporting Directive (CSRD) (1), the Corporate Sustainability Due Diligence Directive (CSDDD) (2), the SFDR (3) and the EU Taxonomy Regulation (4) have not only raised the bar for transparency but also established a foundation for what many saw as a new standard of corporate accountability. These policies pushed firms, both large and small, to invest heavily in data infrastructure, governance frameworks, and ESG talent to comply with what became some of the most advanced sustainability requirements in the world (5).

In 2025, the European Commission and the European Banking Authority (EBA) are proposing a simplification of this regime. Through the Omnibus legislative package (6), the Commission suggests rolling back obligations under CSRD and CSDDD, raising applicability thresholds and scaling back due diligence requirements. Parallel efforts by the EBA (7), including new proposals under the Capital Requirements Regulation (CRR3) and Pillar 3 disclosure amendments (the banking package), aim to ease ESG reporting for small and non-listed banks, citing proportionality and cost-efficiency. This consultation runs until 22 August 2025.

These developments have triggered intense debate. Is this recalibration a pragmatic response to the growing regulatory burden on businesses, or does it signal a retreat from the EU’s flagship Green Deal ambitions? For firms that have invested significantly in aligning with these mandates, the implications extend well beyond compliance timelines. These developments raise important questions about the long-term stability and predictability of the EU’s ESG regulatory landscape, particularly as businesses seek to integrate sustainability more deeply into their core strategy.

I. The Road to Reform

On 26 February 2025, the European Commission unveiled a sweeping regulatory package designed to streamline sustainability obligations across the corporate landscape. Central to this shift are the Omnibus I and II proposals, which aim to recalibrate the scope and scale of corporate sustainability reporting and due diligence.

Among the most consequential changes is the proposed increase in reporting thresholds. Under the revised CSRD criteria, only companies with more than 1,000 employees, and either a balance sheet total above €25 million or a turnover exceeding €50 million (8), would fall under mandatory reporting obligations, a shift that could exempt approximately 80% of currently affected firms (9).

At the same time, a “Stop-the-Clock” directive (10) offers a temporary two-year deferral of reporting obligations for companies still preparing to comply, including listed small and medium-sized enterprises.

“Today we delivered on our promise regarding the simplification of EU laws. The fast adoption of this directive is an important first step towards cutting red tape, providing legal certainty to our companies and making the EU more competitive.” - Adam Szłapka, Minister for the European Union of Poland

On the financial side, the EBA has initiated its own simplification effort. Proposed amendments to ESG disclosure obligations under Pillar 3 of the CRR3 aim to reduce the compliance burden for small and non-listed institutions. These include streamlined templates, “enhanced and proportionate disclosure requirements related to ESG-related risks, equity exposures and aggregate exposure to shadow banking entities. It also implements the new codes for the statistical classification of economic activities in the EU (NACE) (11)”.

Policymakers have framed these changes as part of a broader strategy of proportionality, aimed at easing the regulatory load on smaller players and reducing administrative costs. This emphasis reflects growing concerns over so-called “green fatigue”, especially among SMEs and mid-cap institutions (12). With economic uncertainty lingering across the eurozone and the 2024 European Parliament elections amplifying calls for competitiveness and deregulatory relief, the simplification agenda has gained traction as a timely and politically pragmatic response.

II. Simplification or Strategic Backslide?

The European Commission’s 2025 “Simplification Omnibus” package proposes significant changes to the EU’s sustainability reporting landscape, especially considering the new threshold suggested for the CSRD (see section I).

Likewise, the CSDDD would see its scope refined, with due diligence obligations focusing on direct business partners. While this adjustment may enhance clarity and operational feasibility for companies, it also raises questions about how indirect value chain impacts will be addressed within evolving ESG risk frameworks.

[Figure: proposed CSDDD scope under the Omnibus. Obligation to conduct due diligence on the company’s own business, its subsidiaries, and entities in the value chain: direct business partners; indirect business partners (only if there is credible information indicating potential issues). Source: European Confederation of Institutes of Internal Auditing (13)]

These developments have raised fundamental questions about the predictability and credibility of the EU’s regulatory environment. Many companies have made significant operational investments to comply with the CSRD and CSDDD frameworks, including building ESG data systems, hiring specialist teams, and restructuring supply chain protocols. A sudden regulatory pivot risks triggering a sense of regulatory whiplash and undermining long-term planning.

Adding to the scrutiny, the European Ombudsman has launched a formal inquiry into the Commission’s process for drafting these reforms (14).

“The decision to open an inquiry follows a complaint by eight civil society organisations who argue that the Commission breached its better regulation guidelines by failing to justify why it did not carry out a public consultation or impact assessment on the draft legislation.” - Ombudswoman Teresa Anjinho

Meanwhile, the proposed introduction of a Voluntary Sustainability Reporting Standard for SMEs (VSME) aims to provide a streamlined option for businesses falling below the new CSRD threshold (15). Although this may alleviate administrative burdens, there are concerns that voluntary approaches could lead to fragmented ESG disclosures, thereby undermining overall market comparability.

Conclusion

The European Union is entering a new phase in its sustainable finance journey; the proposed regulatory simplifications signify a pivotal moment. This period may be seen as a recalibration or a strategic course correction, with the current consultation indicating a clear shift in tone from rapid transformation to more deliberate consolidation.

For businesses, particularly those already advanced in ESG integration, this transition presents both potential and ambiguity. Streamlined reporting frameworks could ease immediate compliance demands; however, they also introduce concerns around continuity, comparability, and the coherence of long-term strategy. The suggested move towards voluntary standards for SMEs and a more limited scope of due diligence obligations may enhance flexibility but could equally dilute the depth and consistency of sustainability insights across the market.

In this changing context, ESG infrastructure retains its strategic value. Robust data systems, transparent reporting procedures, and effective governance mechanisms remain essential. Companies may find an advantage in stabilising and refining them to maintain adaptability within an evolving regulatory landscape.

With public consultation ongoing and scrutiny intensifying, it becomes increasingly important for market participants to remain actively involved. This involves balancing responsiveness to regulatory shifts with a consistent dedication to transparency, accountability, and the pursuit of sustainable value creation.

[Illustration: Simplifying Sustainability. Source: Midjourney]

1) https://lc.cx/9NRtuP
2) https://lc.cx/z8Z0gW
3) https://urlr.me/h4My39
4) https://lc.cx/nr4lTv
5) Société Générale (30/03/2023), “EU Action Plan on Sustainable Finance”, https://lc.cx/A4JYib
6) https://lc.cx/h9z8vz
7) EBA (22 May 2025), “EBA launches consultation on amended disclosure requirements for ESG risks, equity exposures and aggregate exposure to shadow banking entities”, https://lc.cx/-GPuTy
8) Fintech Global (12 May 2025), “New 1,000-employee threshold could exempt many firms from CSRD reporting”, https://lc.cx/e-MyjL
9) Simmons & Simmons (13 March 2025), “The EU Omnibus I and II packages”, https://lc.cx/tOefJn
10) Council of the EU, press release (14 April 2025), “Simplification: Council gives final green light on the ‘Stop-the-clock’ mechanism to boost EU competitiveness and provide legal certainty to businesses”, https://lc.cx/rGj-6L
11) See the EBA link at note 7.
12) “Mid-cap (or mid-capitalization) is the term that is used to designate companies with a market cap (capitalization), or market value, between $2 and $10 billion.” Source: https://urlr.me/RF3ZXe
13) ECIIA (March 2025), “Corporate Sustainability Due Diligence Directive - Changes proposed by Omnibus”, https://lc.cx/Bo7O4z
14) Benoit Van Overstraeten and Kate Abnett (23 May 2025), “EU watchdog launches inquiry into Commission’s easing of green rules”, https://urlr.me/CGNeJY
15) Frida Stolpe (6 March 2025), “VSME and the ‘Sustainability Omnibus’: Adapting to the new ESG landscape”, https://urlr.me/NJ7cYX