Cyprus Financial Regulator Tightens Expectations on DORA Reporting & ICT Controls
Key Takeaways
- Incident Reporting Under the Microscope: CySEC says firms are still misclassifying and mishandling major ICT-related incidents under DORA.
- XBRL-Only Submissions: The Register of Information must be filed in XBRL-CSV format through the CySEC portal, with Excel submissions no longer accepted.
- Governance Expectations Rising: Firms must demonstrate real independence between ICT risk management, control functions, and internal audit.
- Audit and Accountability: Regular ICT-focused internal audits and formal remediation processes are now central to supervisory expectations.
Deep Dive
The Cyprus Securities and Exchange Commission (CySEC) has issued guidance to regulated entities that makes clear Europe’s new digital resilience regime is no longer an abstract compliance exercise. In a circular published on 19 January 2026, the regulator signaled growing concern that some firms are still struggling with the basics of the Digital Operational Resilience Act (DORA), particularly when it comes to incident reporting, ICT governance, and regulatory submissions.
The circular follows earlier guidance but strikes a firmer tone. CySEC says it has observed recurring deficiencies in how ICT-related incidents are classified and reported, with some firms failing to report incidents that should clearly have been escalated as “major,” while others have gone the opposite direction and over-reported incidents that do not meet DORA’s thresholds. Either way, the regulator is signaling that inconsistency is becoming a supervisory issue.
To address this, CySEC is urging firms to lean more heavily on the EU’s delegated rules that underpin DORA, including the classification criteria and materiality thresholds set out in Commission Delegated Regulation (EU) 2024/1772, together with the associated reporting templates and decision diagrams. Firms are expected to apply the prescribed thresholds and follow the decision diagrams so that major ICT-related incidents are identified quickly and reported correctly from the outset.
Where the circular carries the most weight, however, is on governance. CySEC reminded firms that DORA’s ICT risk management framework is not meant to live on paper. Regulated entities are expected to have a well-documented framework that actually supports continuous ICT risk management, backed by clear accountability and independence. For firms other than microenterprises, responsibility for ICT risk oversight must sit with an independent control function, with proper separation between the risk management, control, and internal audit functions in line with the three lines of defence model.
The regulator also emphasized that this framework must be reviewed regularly, at least annually, and whenever major ICT incidents occur or supervisory and testing outcomes warrant it. Those reviews are expected to be more than box-ticking exercises. CySEC made clear that it may request formal review reports, prepared in line with the EU’s delegated rules, and that lessons learned should feed back into continuous improvements.
Internal audit is another area firmly in focus. Firms are expected to subject their ICT risk frameworks to regular internal audits carried out by auditors with demonstrable ICT expertise and sufficient independence. Audit frequency and scope should reflect the firm’s ICT risk profile, and any critical findings should trigger a structured follow-up process to ensure timely remediation.
Smaller, non-interconnected Class 3 investment firms were reminded that proportionality still applies. They are subject to a simplified ICT risk management framework, but that is not a free pass.
Finally, CySEC turned to what many firms still treat as administrative housekeeping. Regulated entities must formally designate their ICT auditor in the CySEC Portal and identify the individual responsible for ICT risk oversight within the control function. According to the regulator, these designations are now an integral part of demonstrating compliance with DORA’s governance expectations.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news.

