If you want to stress‑test your continuity posture, look at your institution through an auditor’s eyes. A CSSF team will not start with your favourite architecture diagram; they will start with blunt questions that cut across governance, IT, and business lines.
“Show us your latest Business Impact Analysis and explain how it feeds into your Business Continuity Plan, including ICT and critical third‑party dependencies.” That is not a paperwork request; it is a test of whether your resilience model is coherent from risk identification to practical response.
“Explain how you ensure continuity of critical services if your main cloud or SaaS provider fails or becomes non‑compliant.” Here, they are probing both technical options and decision‑making: who decides to trigger exit, based on which criteria, and how quickly can you execute?
“Provide evidence of your last BCP test and how Board decisions followed.” Minutes, action logs, remediation tracking—this is where many institutions start to improvise.
Would you be comfortable answering those questions, in English or French, with the CSSF in the room and your Board listening? Or would you find yourself promising to “come back with the documents” that, in reality, do not yet exist?