Cyprus Investment Services Law Now Integrates DORA: Key Cybersecurity Implications for CIFs

Recent amendments to the Investment Services Law in Cyprus (L. 12(I)/2025) have introduced explicit references to the Digital Operational Resilience Act (DORA), marking a significant step forward in embedding cybersecurity and ICT risk management into financial regulation.

This legislative update reinforces several key principles that we at Konkrit Solutions have long promoted in our cybersecurity and vCISO engagements. With DORA now formally part of the Investment Services Law, Cyprus Investment Firms (CIFs) must give greater attention to ICT governance, data protection, and digital resilience.

What Has Changed?

The amended Section 17 of the law explicitly integrates DORA requirements, especially in the following areas:

ICT Systems and Operational Resilience

CIFs are now required to:

  • Use ICT systems that are established and managed in accordance with Article 7 of Regulation (EU) No. 2022/2554 (DORA).
  • Ensure continuity and regularity in the performance of investment services using proportionate digital tools and procedures.

Security of Communication Channels

The law now demands:

  • Authenticity of communication channels, ensuring that networks, protocols, and encryption mechanisms are genuine and protected against spoofing or tampering.
  • Data integrity and protection, minimising the risk of data being altered, destroyed, or corrupted during transfer or storage.
  • Access control and confidentiality, to prevent unauthorised access and ensure sensitive information remains protected.

A Key Challenge: Data Classification

One major gap we observe in client readiness is a lack of clarity around data classification. Many CIFs struggle to determine what data is sensitive, how it should be labelled, and how access should be controlled.

As part of our CISO services, Konkrit Solutions is working on a data classification framework that will help clients:

  • Understand the rationale and methodology for classifying data (e.g., by type, sensitivity, location).
  • Apply classification at the document and folder level.
  • Map data classification to relevant security controls and internal procedures.

Once our cybersecurity reports are finalised, we aim to help clients move toward practical implementation through structured guidance and templates.

What About Data Loss Prevention (DLP)?

While IT providers implement DLP tools, compliance teams must define the policies and data categories — this underscores that cybersecurity is a joint effort between governance and IT.

Conclusion

The formal incorporation of DORA into the Investment Services Law sends a strong signal: cybersecurity is no longer optional or secondary — it’s a regulatory requirement. CIFs must now align with EU standards for digital resilience, and the time to act is now.

At Konkrit Solutions, we support our clients not only with audit and compliance but also with ongoing strategic and operational guidance through our vCISO model.

For more information or to discuss how these changes may impact your firm, feel free to contact us.
