We would like to bring to your attention the recent issuance by the Cyprus Securities and Exchange Commission (CySEC) of Circular C701, dated April 9, 2025, regarding the European Banking Authority’s (EBA) amendment to the Guidelines on ICT and Security Risk Management (EBA/GL/2025/02). These amendments, referred to as the Amended Guidelines, provide clarity on the scope and applicability of the EBA’s previous guidelines, specifically EBA/GL/2019/04, in light of the introduction of the Digital Operational Resilience Act (DORA).
Key Changes in the Amended Guidelines
The Amended Guidelines make the following key change:
- Removal of applicability to Cyprus Investment Firms (CIFs): The scope of EBA/GL/2019/04 has been revised so that the guidelines no longer apply to CIFs. This follows the application of DORA as of January 17, 2025. As a result, CySEC has withdrawn its Circulars C571 and C609, which had implemented those guidelines for CIFs.
- No requirement for CIFs to follow the previous guidelines: With those circulars withdrawn, CIFs are no longer required to adhere to EBA/GL/2019/04. The Amended Guidelines (EBA/GL/2025/02) are not yet available in all official EU languages and have not yet been published on the EBA website; nevertheless, under CySEC's updated framework, CIFs are not bound by the previous guidelines.
Impact on Regulated Entities
The key takeaway is that Cyprus Investment Firms (CIFs) are no longer governed by the previous EBA ICT and Security Risk Management Guidelines (EBA/GL/2019/04), which, for CIFs, have been superseded by the Digital Operational Resilience Act (DORA). CIFs are now subject to DORA's framework, which sets out its own ICT risk management, ICT-related incident reporting, digital operational resilience testing and third-party risk requirements.
Further Assistance
For any questions or if you require assistance in understanding the implications of this amendment, please feel free to contact us at info@konkritsolutions.com.
Stay informed and compliant with the latest regulatory developments to ensure your organization’s ongoing resilience and security in the digital landscape.