The Cyprus Securities and Exchange Commission (CySEC) has issued Directive 73-2009-07 on digital operational resilience (Fees and Contributions), which was published in the Official Gazette on 29 August 2025. The Directive implements EU Regulation (EU) 2022/2554 (DORA) on digital operational resilience and entered into force with immediate effect.
The Directive introduces annual contributions and, for certain entities, additional fees linked to advanced cyber resilience testing.
Annual Contributions
Every supervised entity will now be required to pay an annual contribution to CySEC, with the amount depending on the size of the firm, as defined by DORA:
| Category | Description | Amount |
| --- | --- | --- |
| Microenterprise | Employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million | €2,000 |
| Small enterprise | Employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million | €5,000 |
| Medium enterprise | Employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million | €10,000 |
| Large enterprise | All others | €20,000 |
For the year 2025
- Firms must notify CySEC of their size category between the 2nd and the 31st of October 2025, based on their latest audited financial statements.
- The notification must include an extract of the audited financial statements, showing the annual turnover, balance sheet total, and number of employees.
- The contributions are calculated proportionally for the period 15th of August – 31st of December 2025, payable by 31st of December 2025.
From 2026 onwards
- Firms must notify CySEC of their category each year between the 1st and 15th of September, based on the latest audited financial statements, with extracts from the previous year’s audited financial statements attached to the notification showing the annual turnover, the annual balance sheet total, and the number of employees.
- The annual contributions are payable for the period 1st of January – 31st of December of the previous financial year. Payments must be made to CySEC by the 30th of November of each year.
- If a license is granted or revoked during the year, contributions are calculated proportionally, covering the months of both grant and revocation.
- For entities under CySEC supervision without a license, contributions are also calculated proportionally according to the period under supervision.
Threat-Led Penetration Testing (TLPT)
Certain firms may also be required to conduct Threat-Led Penetration Testing (TLPT) under the Digital Operational Resilience Act (DORA). A TLPT is an advanced form of cyber-attack simulation designed to assess the resilience of critical systems against realistic threat scenarios.
- CySEC will request a sample of entities to perform a TLPT, selecting them based on their risk profile and operational circumstances.
- The TLPT must be conducted by qualified, independent providers and supervised by CySEC.
- When required, a fixed fee of €20,000 must be paid to CySEC for the review and oversight of the TLPT.
Key Actions for Compliance
- Review your firm’s classification under DORA (micro, small, medium, large).
- Prepare the required financial extracts (turnover, balance sheet, and number of employees).
- Submit the notification to CySEC within the prescribed deadline.
- Arrange for timely payment of the applicable contribution.
Our Compliance Team is here to assist you. Feel free to contact us at 25508201 or via email at admin@mnkriskconsulting.com.