Mission

As part of a specialised team on ICT risk supervision within the CSSF, you will be involved in two distinct activities:

• In the context of the EU-wide joint oversight framework of critical IT third-party service providers (“CTPP”) established by the Digital Operational Resilience Act (“DORA regulation”) on the digital operational resilience of the financial sector, and as part of Joint Examination Teams under the responsibility of the Lead Overseer, you will carry out oversight tasks, such as general investigations and ongoing monitoring
• You will also be in charge of analysing risk management measures related to information and communication technology (ICT) as part of the review of application files for authorisation of future financial entities and as part of the ongoing supervision of financial entities. You may participate to transversal thematic analyses and/or to national and international working groups dedicated to technical or regulatory aspects in this area

Role & responsibilities

• Involvement in the Joint Examination Teams (minimum 50% of your activity):
• Participate to examination activities of CTPPs, i.e. general investigations and ongoing monitoring
• Interact and cooperate with specialists of the CTPPs, with the joint examination team members
• Draft all or part of key deliverables
• Activities of the specialised team within the CSSF (up to 50% of your activity):
• Analyse the sections relating to ICT organisation and ICT risk management in application files for authorisation of future professionals of the financial sector
• Analyse the notifications for use of ICT third party service providers of entities supervised by the CSSF
• Provide expertise and support to other supervisory departments in assessing the compliance of supervised entities with the DORA regulation
• Provide various types of advice to other supervisory departments (advice on supervised entities’ IT strategy, their digital transformation, findings raised by their internal or external IT auditors, etc.)
• Participate in transversal analyses on topics related to ICT risk management
• Participate to national and international working groups dedicated to ICT and ICT risk supervision

Please note that this position will require frequent business trips.

Your profile

• University degree (at least BAC+3/Bachelor) in information systems audit, or in IT security with a specialization in finance, or in economics, finance or business management with an ICT specialization
• Proven professional experience of at least 3 years in either the field of information systems auditing or in ICT risk management
• Perfect command of written and spoken English. Fluency in French and/or German. Knowledge of Luxembourgish will be considered as an advantage
• Commitment to be available for business trips abroad
• Excellent knowledge of the DORA European regulation
• Excellent knowledge of the CSSF circulars notably relating to ICT risk management and to ICT outsourcing
• Knowledge of other European regulation in this area (i.e., PSD, eIDAS, NIS, MICA etc.) and interest in new technologies and digital solutions (DLT, AI, virtual currencies/crypto assets, open banking/finance, etc.) constitute an advantage
• CISA, CISM, CISSP or equivalent certifications are an asset
• Writing, analytical, synthesis skills and thoroughness
• Proactivity and flexibility
• Ability to work independently as well as good team spirit
• Communication skills
• Confidentiality

The successful candidate (m/f) will be hired as public employee (“employé de l’Etat”) under a permanent contract. If the candidate meets the required conditions, s/he will be asked to apply for admission to the status of civil servant (“fonctionnaire de l’Etat”).

Prior to the conclusion of the contract, the candidate must submit an extract from the criminal record (bulletin n°3), dated less than 2 months, in order to prove their conduct and integrity.