Urgent Alert: CySEC Circular C700
Update: CySEC Circular C700 on Digital Operational Resilience Act – reporting obligations
Background Information
On 8 April 2025, the Cyprus Securities and Exchange Commission (CySEC) issued Circular C700 to inform regulated entities of their reporting obligations under theDigital Operational Resilience Act(DORA). This framework aims to enhance the operational resilience of financial entities (as defined under DORA, article 2) by mandating specific reporting requirements related to Information and Communication Technology (ICT) services and incidents.
The circular outlines two key obligations:
1. Incident Reporting
- Mandatory reporting of major ICT-related incidents under Article 19(1) of DORA.
- Voluntary notification for significant cyber threats.
2. Register of Information
- Annual submission detailing information on contractual arrangements on ICT services.
Financial entities are required to maintain detailed records of their ICT service providers and submit this data through the register of information annually
Submission Deadline
CySEC has set a deadline for the first submission of theRegister of Informationby30 April 2025, referencing data as of31 March 2025.
Key Instructions for Compliance
- Who Must Comply?
CySEC's circular outlines regulated entities including Cyprus Investment Firms, Central Securities Depositories, Trading Venues, Crypto-Asset Providers, Alternative Investment Fund Managers, and UCITS Management Companies.
- Submission Process:
The register must be submitted via CySEC's XBRL Portal using the prescribed guidance and communicated validation rules provided under DORA.
Entities are urged to ensure timely and accurate submission to avoid penalties and maintain compliance with DORA requirements.
Submit your Register of Information by 30 April 2025 to avoid penalties.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.