CySEC Circular C751 – DORA Supervisory Guidance and Key Obligations


Addressed To: Cyprus Investment Firms (CIFs), Central Securities Depositories, Trading Venues, Crypto-Asset Service Providers (CASPs), Alternative Investment Fund Managers (AIFMs), and UCITS Management Companies.

On 19 January 2026, CySEC issued Circular C751, which provides further supervisory guidance on obligations arising under Regulation (EU) 2022/2554 on Digital Operational Resilience (DORA).

Below is a summary of the key requirements highlighted by CySEC.

1. Major ICT-Related Incident Reporting

CySEC has identified deficiencies in how regulated entities classify and report ICT-related incidents, including:

  • failure to report incidents that should be classified as major; and
  • incorrect classification of non-major incidents as major.

Regulated entities are required to:

  • apply the criteria set out in Commission Delegated Regulation (EU) 2024/1772, which defines:
    • materiality thresholds for ICT-related incidents and cyber threats; and
    • mandatory content and reporting formats;
  • use the classification diagram included in the Regulation’s Annex to ensure accurate classification and timely reporting immediately upon detection.

CySEC notes that incorrect classification or delayed reporting may result in supervisory scrutiny.

2. Register of Information – Submission Format & Deadline

CySEC confirms that Excel-based (“Build in Excel”) submissions are no longer accepted.
The only permitted format for the Register of Information is XBRL-CSV, in line with EBA requirements.

Entities must:

  • use XBRL-compatible software capable of data mapping, validation, and compliant file generation;
  • compress (zip) the XBRL files; and
  • submit them via the CySEC XBRL Portal.

Submission deadline:

  • Annually, no later than 28 February
  • Reference date: 31 December of the preceding year

3. ICT Risk Management Framework

CySEC reiterates that regulated entities must maintain a well-documented ICT risk management framework in accordance with Article 6 of DORA, ensuring effective and continuous ICT risk oversight.

Key requirements include:

Governance & segregation of duties
Entities (other than microenterprises) must assign ICT risk oversight to an independent control function, ensuring proper separation between:

  • ICT risk management
  • control functions
  • internal audit

in line with the three lines of defence model.

Review & continuous improvement
The ICT framework must be:

  • reviewed at least annually (or periodically for microenterprises);
  • reviewed following major ICT incidents, supervisory instructions, or resilience testing;
  • continuously improved based on lessons learned.

Upon request, firms must submit a formal ICT framework review report aligned with Commission Delegated Regulation (EU) 2024/1774.

Internal audit
Non-micro entities must ensure:

  • regular ICT audits by qualified and independent auditors;
  • audit scope and frequency aligned with ICT risk exposure;
  • a formal remediation process for audit findings.

Proportionality
Small and non-interconnected (Class 3) investment firms may apply a simplified ICT framework, consistent with proportionality rules.

4. Mandatory CySEC Portal Updates

Regulated entities must ensure the following are recorded in the CySEC Portal:

  • designation of the ICT auditor (via the Auditors section, selecting “Is ICT”);
  • designation of the person responsible for ICT risk oversight (via the Personnel section).

5. Recommended Next Steps

Entities should:

  • review ICT incident classification and reporting procedures;
  • ensure technical capability for XBRL-CSV submissions;
  • assess ICT governance, audit processes, and documentation;
  • confirm required ICT roles are correctly recorded in the CySEC Portal.

Should you need assistance, feel free to contact us at:

Email: info@mnkriskconsulting.com

Tel: 25 508201
