From Schrems II to CSSF: Geopolitics as an Operational Resilience Test

Eran Goldman-Malka · February 5, 2026

When regulators talk about operational resilience, most banks still picture floods, data‑centre failures, or a nasty ransomware outbreak. Yet the next “severe disruption” for a Luxembourg institution could just as easily come from a judgment of the Court of Justice of the EU (sitting in Luxembourg), or from a decision taken in Washington or Brussels, rather than from a hacker in a hoodie.

CSSF circulars on business continuity and ICT risk are clear: you must be able to maintain critical activities and limit losses during serious disruptions, whatever their origin. A legal shock that suddenly makes the use of your main SaaS stack questionable under EU law is not conceptually different from a fire in your primary data centre. In both cases, your obligation is the same: keep services running within defined tolerances, and be able to demonstrate that you are in control.

The uncomfortable truth is that many BCM programmes still treat geopolitical or regulatory volatility as “someone else’s problem”, usually Legal or Compliance. That is a luxury you no longer have.

Do your risk scenarios explicitly include cross‑border legal and sanctions events, not just cyber incidents and power cuts? And if you did run that scenario tomorrow, would your continuity playbooks, contracts, and communication plans actually hold up under CSSF scrutiny?
