Circular C700: Digital Operational Resilience Act – Reporting Obligations

The Cyprus Securities and Exchange Commission (the “CySEC”) issued Circular C700 on the 8th of April 2025, regarding the Digital Operational Resilience Act – Reporting Obligations (the “Circular”).

The Circular focuses on the two (2) main reporting requirements that are applicable to Regulated Entities*:

(a) Incident Reporting

(b) Register of Information.

A. Incident Reporting

1. Mandatory Reporting of Major ICT-Related Incidents

Regulated Entities must report major ICT-related incidents to CySEC under Article 19(1) of the Digital Operational Resilience Act (DORA).

Incidents should be classified as ICT-related incidents based on the criteria outlined in Article 18(1) of DORA and the Commission Delegated Regulation (EU) 2024/1772 (RTS), considering factors such as the number of affected clients, duration, geographical impact, data loss, criticality of services, and economic impact.

If the incident is ICT-related, the Regulated Entity should then evaluate the major incident thresholds specified in Articles 8-9 of the RTS to determine whether it qualifies as a major ICT-related incident. If the incident is ICT-related and classified as major, a Major ICT-related incident Form must be submitted within 4 hours and no later than 24 hours of classification (initial report), with updates (intermediate report) required within 72 hours, and a final report due within one month.

Due to the entry into force of DORA, CySEC’s Circular 512 on Reporting of cyber-attack incidents is repealed.

2. Voluntary Notification for Significant Cyber Threats

Regulated Entities can voluntarily notify CySEC of significant cyber threats that may impact the financial system, clients, or services, following criteria such as service criticality and geographical spread.

Notifications should be made using the Significant Cyberthreats Template (Voluntary).

3. Submission Process for Incident Reports

The Major ICT-related incident Form and the Significant Cyberthreats Template (Voluntary) (collectively, the “Incident reporting forms”) must be submitted via CySEC’s TRS system (not digitally signed) and must follow specific naming conventions. For the naming conventions, please refer to Paragraph 17 of the Circular.

Regulated Entities are responsible for confirming the successful submission of the forms by checking for a feedback file indicating no errors.

B. Register of Information

Under Article 28(3) of DORA, Regulated Entities must maintain and update at entity level, and, where applicable, at consolidated level, a Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

1. Reporting of ICT Service Contracts

Regulated Entities must annually submit a Register of Information regarding all contractual arrangements with ICT third-party service providers. This includes, inter alia, details of new arrangements, ICT service categories, and types of contracts.

The report is due by February 28 each year, with the first submission deadline being April 30, 2025.

2. Submission Process for Register of Information

The register must be submitted via CySEC’s XBRL Portal, where the completed form should be zipped and submitted through the “Create filing” option.

3. Further Guidance & Frequently Asked Questions (FAQs)

Further guidance and FAQs can be found through the European Supervisory Authorities (ESAs).

Regulated Entities that have not yet registered in CySEC’s XBRL Portal should do so as soon as possible.

Should you have any questions or require assistance, please contact our technology arm, Konkrit Solutions, at info@konkritsolutions.com.

*Regulated Entities
Cyprus Investment Firms (‘CIFs’)
Central Securities Depositories
Trading Venues
Crypto-Asset Providers (CASPs)
Alternative Investment Fund Managers (‘AIFMs’)
UCITS Management Companies (‘UCITS’)