On April 8, 2025, the Cyprus Securities and Exchange Commission (CySEC) issued Circular C700, providing important guidance on the Digital Operational Resilience Act (DORA) and its reporting obligations for Regulated Entities.

The Circular outlines two key reporting requirements:

  1. Incident Reporting

  2. Register of Information

A. Incident Reporting Under DORA

1. Mandatory Reporting of Major ICT-Related Incidents

Regulated Entities are required to report major ICT-related incidents to CySEC, in accordance with Article 19(1) of DORA. The classification of an incident as ICT-related must follow the criteria detailed in Article 18(1) of DORA and the Commission Delegated Regulation (EU) 2024/1772 (RTS).

These criteria consider:

  • Number of affected clients

  • Duration and geographical spread

  • Data loss and service criticality

  • Economic and operational impact

Once an incident is identified as ICT-related, entities must determine whether it meets the “major” thresholds as defined in Articles 8-9 of the RTS. If it qualifies:

  • An initial report must be submitted within 4 hours and no later than 24 hours from classification.

  • An intermediate report is due within 72 hours.

  • A final report must be submitted within one month.

With the enforcement of DORA, CySEC Circular 512 on cyber-attack incident reporting has been officially repealed.

2. Voluntary Notification of Significant Cyber Threats

In addition to mandatory reporting, Regulated Entities are encouraged to voluntarily notify CySEC of significant cyber threats that may affect the financial ecosystem, clients, or operational continuity. Notifications can be submitted using the Significant Cyberthreats Template (Voluntary).

3. Submission Process for Incident Reports

Both the Major ICT-related Incident Form and the Voluntary Significant Cyberthreats Template must be submitted via CySEC’s TRS system. Submissions:

  • Do not require a digital signature

  • Must follow specific file naming conventions as outlined in Paragraph 17 of the Circular

  • Should be confirmed by the submitting entity through validation of a feedback file indicating no errors


B. Register of Information

Under Article 28(3) of DORA, Regulated Entities are required to maintain a Register of Information documenting all contractual arrangements with ICT third-party service providers. This must be maintained:

  • At entity level, and

  • Where applicable, at consolidated group level

1. Annual Reporting Obligation

Entities must submit the Register of Information annually, including details such as:

  • New contractual arrangements

  • Categories of ICT services

  • Contract types

The first submission is due by April 30, 2025, with subsequent annual submissions required by February 28 of each year.

2. Submission Process

The register should be completed and submitted via CySEC’s XBRL Portal using the “Create filing” option after compressing the file in ZIP format.


How KSA Can Help

At KSA, we support Regulated Entities in achieving full compliance with DORA. Our expert team can:

  • Assess your organisation’s current state against DORA’s requirements

  • Assist in implementing robust reporting processes

  • Prepare and validate the Register of Information

  • Manage end-to-end incident reporting workflows

  • Provide ongoing advisory and continuous support to maintain compliance year-round

Whether you are a CIF, AIFM, UCITS Manager, CASP, CSD, or Trading Venue, our consultants are equipped to guide you through every step of your DORA compliance journey.

To learn more or request assistance, contact us at ksa.pre@ksa.com.cy

KSA
