📢CySEC ISSUES CIRCULAR C700: KEY DORA REPORTING OBLIGATIONS FOR CySEC REGULATED ENTITIES
- PCV LLC
- Apr 9

On the 8th of April 2025, the Cyprus Securities and Exchange Commission (CySEC) issued Circular C700, outlining the reporting obligations for regulated entities under the Digital Operational Resilience Act (DORA).
This circular provides detailed guidance on two critical areas: (a) Incident Reporting and (b) Register of Information.
Understanding DORA and Its Implications
DORA, effective across the EU from the 17th of January 2025, aims to bolster the digital operational resilience of financial entities. It mandates comprehensive frameworks for managing ICT risks, ensuring that entities can withstand, respond to, and recover from ICT-related disruptions.
Key Reporting Obligations Under Circular C700
A. Incident Reporting
Under Article 19(1) of DORA, regulated entities must report major ICT-related incidents to CySEC. The reporting process involves:
- Initial Report: Submitted within four (4) hours of classifying an incident as major, and no later than 24 hours from awareness.
- Intermediate Report: Due within seventy-two (72) hours of the initial report, even if there are no updates.
- Final Report: To be submitted within one (1) month after the intermediate report.

Additionally, entities may voluntarily report significant cyber threats, especially if they pose risks to the financial system or clients. All reports should be submitted through CySEC’s TRS system using the specified templates.
B. Register of Information
In accordance with Article 28(3) of DORA, entities are required to maintain and annually submit a Register of Information detailing all contractual arrangements with ICT third-party service providers supporting critical or important functions. Key points include:
- First Submission Deadline: 30 April 2025, referencing data as of 31 March 2025.
- Annual Submission: Subsequent reports are due by 28 February each year, referencing data as of 31 December of the previous year.
- Submission Format: Reports must be submitted via CySEC’s XBRL Portal using the prescribed templates and validation rules.

Compliance Considerations
Entities must ensure timely and accurate submissions to avoid potential penalties. It is crucial that they familiarise themselves with the reporting templates and guidelines provided by the European Supervisory Authorities (ESAs).
Entities not yet registered on CySEC’s XBRL Portal should do so promptly to meet reporting deadlines.
How can our Firm assist you?
Our law firm specialises in regulatory compliance and is equipped to assist entities in navigating the complexities of DORA. We offer services including:
- Reviewing and classifying ICT-related incidents.
- Preparing and submitting Incident Reports and Registers of Information.
- Advising on compliance strategies and risk management frameworks.
For tailored guidance on DORA compliance and CySEC reporting obligations, please contact info@pelaghiaslaw.com
This article is intended for informational purposes and does not constitute legal advice. For specific guidance, please consult with our legal professionals.