CySEC Circular C700: New Reporting Obligations under the Digital Operational Resilience Act (DORA)

We would like to inform you about the recent issuance by the Cyprus Securities and Exchange Commission (CySEC) of Circular C700, dated April 8th, 2025, regarding the Digital Operational Resilience Act (DORA) and the new Reporting Obligations for regulated entities. This Circular outlines critical reporting requirements that regulated entities must adhere to in relation to ICT risks and incidents. Below is an overview of the key elements:

A. Incident Reporting

1. Mandatory Reporting of Major ICT-Related Incidents

Under Article 19(1) of DORA, regulated entities are required to report any major ICT-related incidents to CySEC. The classification of incidents should follow the criteria set out in Article 18(1) of DORA and Commission Delegated Regulation (EU) 2024/1772 (RTS), taking into account:

  • Number of affected clients

  • Duration of the incident

  • Geographical impact

  • Data loss

  • Criticality of services

  • Economic impact

If the incident qualifies as major according to the specified thresholds in Articles 8-9 of the RTS, regulated entities must report it within 4 hours of classification and no later than 24 hours. Additionally, an intermediate report must be submitted within 72 hours, and a final report is due within one month.

As a result of the introduction of DORA, CySEC Circular 512, which previously covered reporting of cyber-attack incidents, has now been repealed.

2. Voluntary Notification of Significant Cyber Threats

Regulated entities also have the option to voluntarily notify CySEC about significant cyber threats that may impact the financial system, clients, or services. These threats should be assessed based on:

  • Service criticality

  • Geographical spread

Entities can use the Significant Cyberthreats Template (Voluntary) for such notifications.

3. Submission Process for Incident Reports

Both the Major ICT-related Incident Form and the Significant Cyberthreats Template (Voluntary) must be submitted through CySEC’s TRS system (without digital signatures) and must follow specific naming conventions. For detailed naming conventions, refer to Paragraph 17 of the Circular.

Regulated entities are responsible for confirming the successful submission of the forms by checking for a feedback file that indicates no errors.

B. Register of Information

As per Article 28(3) of DORA, regulated entities must maintain and regularly update a Register of Information for all contractual arrangements related to the use of ICT services provided by third-party ICT service providers.

1. Reporting of ICT Service Contracts

Regulated entities are required to submit the Register of Information annually, detailing all contracts with third-party ICT service providers. The report must include:

  • Details of new ICT service arrangements

  • ICT service categories

  • Types of contracts

The report is due by February 28 each year, with the first submission deadline for Cyprus-based entities being April 30, 2025.

2. Submission Process for Register of Information

The Register must be submitted via CySEC’s XBRL Portal. The completed form should be zipped and submitted through the “Create filing” option.

3. Further Guidance & FAQs

Additional guidance and Frequently Asked Questions (FAQs) on the reporting obligations can be found through the European Supervisory Authorities (ESAs).

Regulated entities that have not yet registered on CySEC’s XBRL Portal should do so as soon as possible.

Who Are Regulated Entities?

The following entities are required to comply with the DORA reporting obligations:

  • Cyprus Investment Firms (CIFs)

  • Central Securities Depositories

  • Trading Venues

  • Crypto-Asset Providers (CASPs)

  • Alternative Investment Fund Managers (AIFMs)

  • UCITS Management Companies (UCITS)

Should you have any questions or need assistance in ensuring compliance with these new reporting obligations, please don’t hesitate to reach out to Konkrit Solutions, our technology partner, at info@konkritsolutions.com.

Stay informed and compliant with DORA to ensure the continued resilience of your operations.