If you strip away the legal phrasing, CSSF expectations on business continuity are brutally simple. They want to see that you understand what really matters, how quickly it must be restored, and how you will restore it in practice. Especially when ICT and third‑party services are in trouble.
That starts with a serious Business Impact Analysis, not a spreadsheet inherited from 2017. Critical processes, dependencies, RTO/RPO, and tolerances must be clearly defined and revisited when your architecture or providers change. On top of that, the Board is expected to approve and periodically review a documented BCP that reflects those realities, including digital channels, cloud services, and outsourced functions.
During an inspection, the CSSF will not be impressed by glossy PDFs. They will look for evidence that you can maintain key operations, protect customers, and communicate transparently under stress. That means up‑to‑date plans, tested failover options, and clear decision rights. Not just IT procedures sitting on SharePoint.
If the CSSF walked in tomorrow, could you demonstrate that your BCP is a living practice woven into operations, not just a compliance artefact? Who, by name, would be able to walk them through your last test and the remediation actions that followed?
