Scope:
• Cyprus Investment Firms (CIFs)
• Central Securities Depositories
• Trading Venues
• Crypto-Asset Service Providers (CASPs)
• Alternative Investment Fund Managers (AIFMs)
• UCITS Management Companies
Summary:
On 10/06/2026 CySEC published a Circular on DORA ICT Incident Reporting , focussing on (a) Major ICT-Related Incidents and (b) Significant Cyber Threats (Version 1.3)
The European Supervisory Authorities (ESAs) have released Version 1.3 (V1.3) of the DORA Incident Reporting Technical Package, updating the templates for: (a) Major ICT-Related Incidents (mandatory reporting under Article 19(1) of DORA) and (b) Significant Cyber Threats (voluntary notification under Article 19(2) of DORA). Both templates must be submitted exclusively through CySEC’s TRS system — submissions by email or any other channel will not be accepted. Templates must not be digitally signed. The existing file naming convention from Circular C700 remains unchanged.
What to do next:
- All Regulated Entities currently using V1.2 Excel templates are required to transition to the V1.3 templates with immediate effect from the date of this Circular (10 June 2026).
- For Major ICT-Related Incidents (mandatory – Art. 19(1) DORA): use Incident Reporting Template V1.3.xlsx for submission purposes; continue submitting all three sequential reports (Initial, Intermediate, Final) within deadlines set out in Circular C700.
- For Significant Cyber Threats (voluntary – Art. 19(2) DORA): use Significant Cyber Threats Template V1.3.xlsx.