Introduction
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) ("DORA") is a landmark EU regulation aimed at strengthening the cyber and operational resilience of the financial sector. It ensures that financial entities are able to withstand and recover from information and communication technology ("ICT")-related incidents and disruptions. The DORA Regulation, together with its accompanying amending directive (Directive (EU) 2022/2556), became fully applicable across the EU on 17 January 2025.
As a directly applicable Regulation, DORA requires immediate attention from Cyprus-based financial entities regulated by the Cyprus Securities and Exchange Commission ("CySEC"), the Central Bank of Cyprus ("CBC"), and other competent authorities. CySEC issued Circular C700 on 8 April 2025, providing specific guidance to entities under its supervision to ensure timely and correct implementation of key obligations under DORA.
DORA's Scope and Applicability
DORA applies broadly across the EU financial sector, capturing a wide spectrum of entities, including:
– Banks and credit institutions;
– Payment and electronic money institutions;
– Investment firms and fund managers;
– Crypto-asset service providers (CASPs);
– Market infrastructures (trading venues, CSDs, CCPs);
– Insurance and reinsurance undertakings;
– Critical ICT third-party service providers.
It also creates an oversight framework for critical ICT service providers, enabling the European Supervisory Authorities ("ESAs") to supervise such providers directly. For entities in Cyprus, CySEC and the CBC will oversee DORA implementation, emphasizing the direct application of its provisions from 17 January 2025. All in-scope entities in Cyprus under CySEC or CBC supervision are expected to assess their status under DORA and prepare accordingly.
Key Obligations under DORA
DORA introduces a comprehensive set of obligations that financial entities must integrate into their governance, risk management, and operational processes. The key pillars of compliance include:
1. ICT Risk Management Framework
DORA requires financial entities to maintain a comprehensive, documented, and proportionate ICT risk management framework, encompassing governance, risk identification, protection, detection, response, recovery, and learning components. The board of directors of each entity is explicitly accountable for overseeing ICT risk strategies and controls.
2. Incident Classification and Reporting
Entities must classify ICT-related incidents based on specific materiality thresholds and report major ICT incidents to their competent authority using strict timelines:
– Initial notification within four hours of classification (but no later than 24 hours after detection);
– Intermediate update within 72 hours;
– Final report within one month.
CySEC's Circular C700 reiterates these timelines and mandates that entities submit reports via the Transaction Reporting System ("TRS") using ESA-prescribed templates. CySEC emphasizes that delays or omissions may trigger enforcement action, underlining the importance of internal readiness.
3. Digital Operational Resilience Testing
Beyond managing day-to-day risks, DORA requires periodic operational resilience testing of ICT systems and processes. All but the smallest financial entities must develop a testing programme to validate their cyber defences and their ability to operate through disruptions. This ranges from regular vulnerability assessments and scenario-based tests to advanced Threat-Led Penetration Testing ("TLPT") in the case of larger entities. TLPT is essentially a simulated cyber-attack carried out by skilled ethical hackers and is mandated every three years for entities with significant ICT risk profiles. Testing results should feed back into remediation plans: any identified weaknesses must be addressed and reported on.
4. Third-Party ICT Risk Management
Given the sector's dependence on external ICT providers, DORA introduces stringent rules on ICT third-party risk management, including:
– Identifying critical or important functions supported by third parties;
– Conducting due diligence and ongoing monitoring of service providers;
– Ensuring contracts include specific clauses on service level agreements ("SLAs"), data security, audit rights, incident notification, cooperation with regulators, and termination rights.
CySEC's Circular C700 (the "Circular") further mandates the annual submission of a Register of Information on ICT third-party providers, capturing key details on contracts supporting critical functions. The first submission was due by 30 April 2025, covering data up to 31 March 2025. Thereafter, the register must be submitted annually by 28 February. Entities that fail to maintain accurate registers will attract supervisory attention and possible penalties.
5. Contractual Requirements for Outsourcing
DORA goes a step further than previous outsourcing guidelines by prescribing certain clauses that must be included in contracts with ICT service providers. Financial entities in Cyprus should review and update their vendor and outsourcing agreements. This will ensure that they contain provisions on SLAs (with clear uptime/service quality metrics), data security and location (including requirements about where data is stored or processed), termination rights (allowing the firm to exit the arrangement if risk becomes unmanageable or if required by regulators), and audit and access rights for the firm and regulators.
Oversight of Critical ICT Third-Party Providers
DORA creates a pan-European oversight regime for critical ICT third-party providers, allowing the ESAs to supervise such entities directly. This applies where providers are designated as critical because of their systemic importance. In effect, large technology firms such as cloud service providers that become crucial service hubs for banks or investment firms may find themselves reporting directly to European financial regulators. Furthermore, where a critical provider is established outside the EU, DORA imposes a special condition: the provider must set up an EU subsidiary within 12 months of being designated as critical.
Regulatory Supervision and Enforcement in Cyprus
CySEC and CBC have emphasized that DORA raises the bar for operational resilience expectations. Non-compliance may lead to administrative fines, remedial orders, and reputational consequences, with potential supervisory escalations.
Furthermore, DORA is lex specialis vis-à-vis horizontal cybersecurity laws such as the NIS2 Directive, meaning that for financial entities DORA's specialised requirements, and the oversight by financial regulators, take precedence wherever obligations overlap.
The Circular is clear that regulated entities are expected to have established all reporting processes and data submissions as of 17 January 2025. Firms in Cyprus should anticipate that DORA compliance will be integrated into regular supervisory reviews, inspections, and prudential assessments.
Concluding Remarks
DORA introduces a new era of digital operational resilience, reshaping the way financial entities across the EU manage ICT risks, incidents, and third-party relationships. For Cyprus-based firms, early and thorough alignment with DORA's requirements is not only a legal obligation but a business imperative, ensuring their continued operational stability and reinforcing trust with clients and regulators.
While implementation may pose challenges, especially in areas such as incident classification, third-party contract renegotiation, and cross-border group governance, addressing these proactively will position firms ahead of supervisory expectations and future-proof their operational resilience strategies.
Firms should regard DORA not simply as another regulatory requirement, but as a cornerstone of modern operational risk management in an increasingly digitalized financial sector.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.