On 31 January 2025, the Cyprus Securities and Exchange Commission (CySEC) launched a consultation on proposed annual information and communication technology (ICT) oversight fees for financial entities under the EU Digital Operational Resilience Act (DORA). DORA aims to enhance cybersecurity and resilience in the financial sector.
CySEC proposes that entities affected, including but not limited to investment firms, crypto-asset service providers, central securities depositories, alternative investment fund managers, management companies, and crowdfunding platforms, will be required to pay annual ICT fees ranging from €3,000 to €20,000, depending on their categorisation under DORA.
Additionally, CySEC's proposed fee for firms subject to a Threat Lead Penetration Test (TLPT) is €50,000 per TLPT assessment.
Financial institutions will also need to submit a self-categorisation annually between 1 and 15 September based on their latest financial statements and pay the respective fee by 30 November. The first ICT oversight fee will be paid in 2025.
CySEC Chairman Dr Theocharides emphasised that DORA is more than a compliance requirement, highlighting its role in strengthening financial market resilience and cybersecurity preparedness.
Market participants can submit their feedback by 7 March 2025 via email at policy@cysec.gov.cy.
CySEC's press release can be found here and the consultation paper here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
