Would your firm pass a CySEC DORA Inspection Today?
A Practical Analysis of CySEC Circulars C700 and C751 and the New Reality of Digital Operational Resilience Compliance
Cyprus financial services firms are entering a new phase of digital operational resilience supervision. The Digital Operational Resilience Act, known as DORA, has moved beyond the stage of general policy preparation. The regulatory focus is now shifting towards implementation, evidence, governance, incident readiness and third-party ICT oversight.
This is particularly clear from CySEC Circular C751, issued in January 2026, which reminds regulated entities of their obligations under DORA in relation to reporting, governance and CySEC portal-related requirements. The circular applies to a broad range of CySEC-regulated entities, including CIFs, CASPs, AIFMs, UCITS management companies, trading venues and central securities depositories.
DORA is no longer a “policy document” exercise
DORA, Regulation (EU) 2022/2554, establishes a harmonised EU framework for digital operational resilience in the financial sector. Its purpose is not merely to require firms to adopt cybersecurity policies, but to ensure that financial entities can withstand, respond to and recover from ICT-related disruptions.
For CySEC-regulated entities, this means that DORA compliance must now be demonstrable in practice. Firms must be able to show that their ICT governance framework is operational, documented, tested, reviewed and embedded into their internal control environment.
Key message from CySEC Circular C751
Circular C751 focuses on three important areas: the Register of Information, ICT risk management governance, and CySEC Portal updates.
First, CySEC confirms that the Register of Information must be submitted in XBRL-CSV format, using compatible software capable of mapping and validating files against EBA rules. The Register must be submitted annually by 28 February, with a reference date of 31 December of the preceding year.
Second, CySEC reminds firms that under Article 6 of DORA they must establish, implement and maintain a well-documented ICT risk management framework that enables effective and continuous management of ICT risks. This is a core compliance obligation, not an optional internal policy.
Third, financial entities other than microenterprises must assign ICT risk management and oversight responsibility to an appropriate control function, with independence and segregation between ICT risk management, control functions and internal audit, following the three-lines-of-defence model or equivalent framework.
Annual review and internal audit are now central
Circular C751 also highlights that the ICT risk management framework must be reviewed at least annually, and also after major ICT incidents, supervisory instructions, resilience testing or audit findings.
CySEC may request the report on that review, which should be prepared in line with Chapter V of Commission Delegated Regulation (EU) 2024/1774.
For firms other than microenterprises, the framework must also be subject to regular internal audit by auditors with sufficient ICT risk knowledge, skills and independence. Audit findings must not remain theoretical: firms must maintain a formal follow-up process for timely verification and remediation of critical ICT audit findings.
Incident reporting: speed and classification matter
CySEC Circular C700 remains highly relevant. It sets out the reporting obligations for major ICT-related incidents and significant cyber threats. Firms must classify incidents by reference to criteria including clients affected, downtime, geographical spread, data loss, criticality of affected services and economic impact.
Where an incident is classified as major, the firm must submit an initial report within four hours from classification and no later than 24 hours from awareness, followed by an intermediate report within 72 hours and a final report within one month.
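The initial-report deadline above runs on two clocks at once (four hours from classification, capped at 24 hours from awareness), and the binding one depends on how quickly classification happened. The following Python helper is an added illustration, not part of the circular or of this article; the timestamps are constructed, and the function names and the tz-aware-only rule are assumptions for the example. It shows which clock binds and checks whether a given submission time meets the deadline.

```python
from datetime import datetime, timedelta, timezone

# Constructed example: the initial report for a major ICT incident is due within
# four hours of classification AND no later than 24 hours from awareness, so the
# binding deadline is the earlier of the two candidate times.
INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)
INITIAL_FROM_AWARENESS = timedelta(hours=24)


def _require_aware(ts: datetime, name: str) -> None:
    # Naive datetimes make deadline arithmetic ambiguous across time zones;
    # refusing them is an assumption of this example, not a regulatory rule.
    if ts.tzinfo is None:
        raise ValueError(f"{name} must be timezone-aware")


def initial_report_deadline(aware_at: datetime, classified_at: datetime) -> datetime:
    """Return the binding deadline for the initial major-incident report."""
    _require_aware(aware_at, "aware_at")
    _require_aware(classified_at, "classified_at")
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    return min(classified_at + INITIAL_FROM_CLASSIFICATION,
               aware_at + INITIAL_FROM_AWARENESS)


def binding_anchor(aware_at: datetime, classified_at: datetime) -> str:
    """Which clock binds: 'classification' (4h rule) or 'awareness' (24h cap)."""
    deadline = initial_report_deadline(aware_at, classified_at)
    if deadline == classified_at + INITIAL_FROM_CLASSIFICATION:
        return "classification"
    return "awareness"


def is_on_time(submitted_at: datetime, aware_at: datetime, classified_at: datetime) -> bool:
    """True if the initial report was submitted by the binding deadline."""
    _require_aware(submitted_at, "submitted_at")
    return submitted_at <= initial_report_deadline(aware_at, classified_at)


if __name__ == "__main__":
    aware = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)       # constructed
    # Scenario A: classified two hours after awareness -> the 4h clock binds.
    # Scenario B: classified 22 hours after awareness -> the 24h cap binds.
    for label, classified in (("A", aware + timedelta(hours=2)),
                              ("B", aware + timedelta(hours=22))):
        print(label, initial_report_deadline(aware, classified).isoformat(),
              "binds on", binding_anchor(aware, classified))
```

In scenario B the firm has only two hours left after classification, which is the situation a classification procedure with slow escalation tends to produce; tracking both clocks from the moment of awareness avoids discovering that late.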
CySEC’s more recent Circular C784, issued in June 2026, further confirms that regulated entities must now use the updated Version 1.3 templates for major ICT-related incident reporting and significant cyber threat notifications, and that submissions must be made through CySEC’s TRS system only.
Third-party ICT risk is a board-level issue
DORA places significant emphasis on ICT third-party risk. This includes cloud providers, software vendors, IT support providers, payment infrastructure providers, cybersecurity providers and other outsourced ICT service providers supporting critical or important functions.
Under DORA, regulated entities must maintain a Register of Information covering contractual arrangements with ICT third-party service providers. Circular C700 confirms that the Register must include arrangements relating to ICT services supporting critical or important functions and must be submitted to CySEC annually.
This means firms should not treat ICT outsourcing as a procurement issue only. Contracts, exit plans, service levels, audit rights, incident notification clauses, subcontracting controls and concentration risk must be reviewed through a regulatory lens.
Practical implications for Cyprus regulated entities
The practical message is clear: CySEC will expect evidence. Firms should be able to demonstrate:
- a documented ICT risk management framework,
- clear board and senior management accountability,
- designated ICT risk control function and ICT auditor on the CySEC Portal,
- incident classification procedures aligned with DORA,
- readiness to submit major ICT incident reports within the required deadlines,
- a complete and updated ICT third-party Register of Information,
- annual review of the ICT framework,
- internal audit coverage of ICT risk,
- formal remediation tracking for audit findings,
- documented governance over critical ICT outsourcing.
Why this matters
DORA compliance is now becoming a supervisory reality. For regulated entities in Cyprus, the risk is not only cyber risk itself, but also the inability to evidence preparedness when CySEC asks.
A firm may have policies, but if those policies are not implemented, reviewed, tested, owned by specific functions, supported by proper reporting workflows and linked to third-party risk controls, they may not satisfy the regulatory expectation.
The message from CySEC is therefore increasingly clear: DORA compliance is no longer about policies on paper; it is about operational implementation and evidence.
How AGPLAW can assist with DORA Compliance
DORA is often mistakenly viewed as an IT or cybersecurity project. It is not. DORA is fundamentally a governance, regulatory, legal and operational resilience framework, with direct responsibility placed on the Board of Directors and senior management. CySEC’s recent supervisory focus, particularly through Circular C751, demonstrates that firms are now expected to provide evidence of compliance rather than merely maintain policies.
At AGPLAW, we assist regulated entities from a legal, regulatory and governance perspective, working alongside internal IT teams and external cybersecurity specialists where necessary.
1. DORA Gap Analysis
We perform a comprehensive legal and regulatory assessment against:
- DORA Regulation (EU) 2022/2554
- Delegated Regulations and RTSs
- CySEC Circulars
- ESMA, EBA and EIOPA guidance
- CySEC supervisory expectations
The objective is to identify:
- Governance deficiencies
- Documentation gaps
- Reporting weaknesses
- Outsourcing risks
- Third-party ICT risks
- Board accountability shortcomings
- Incident reporting deficiencies
The outcome is a practical remediation roadmap prioritised according to regulatory risk.
2. ICT Governance Framework Review
CySEC specifically emphasises the need for a documented ICT Risk Management Framework and clear governance arrangements.
We review and draft (in co-operation with the entity's designated departments):
- ICT Governance Policies
- ICT Risk Management Frameworks
- Board ICT Oversight Policies
- ICT Risk Appetite Statements
- Cybersecurity Governance Procedures
- ICT Internal Reporting Frameworks
- ICT Committee Terms of Reference
- Three-Lines-of-Defence Structures
Particular emphasis is placed on demonstrating Board oversight and accountability.
3. Board and Senior Management Responsibilities
One of the most underestimated DORA risks is personal responsibility of directors.
We assist boards with:
- Board responsibilities mapping
- Board resolutions
- Governance structures
- ICT oversight frameworks
- Delegation matrices
- Senior management accountability frameworks
- DORA Board training
Our objective is to ensure that directors can demonstrate active supervision rather than passive approval.
4. ICT Incident Reporting Framework
CySEC has expressly identified weaknesses in incident classification and reporting.
We assist firms in developing:
- Major ICT Incident Procedures
- Escalation Matrices
- Classification Methodologies
- Reporting Workflows
- Internal Notification Procedures
- Crisis Management Procedures
This ensures that the firm can correctly determine:
- whether an incident is reportable;
- whether it qualifies as “major”;
- who must be notified;
- when reporting deadlines begin to run.
5. Third-Party ICT Risk and Outsourcing Review
For many firms, this is the area of greatest exposure. DORA imposes significant obligations concerning:
- Cloud providers
- Hosting providers
- Software vendors
- Cybersecurity providers
- Managed service providers
- Payment technology providers
- Group ICT arrangements
We conduct legal reviews of:
- ICT Outsourcing Agreements
- SaaS Contracts
- Cloud Agreements
- Managed Service Agreements
- Business Continuity Arrangements
- Disaster Recovery Commitments
- Subcontracting Provisions
- Audit Rights
- Exit Strategies
Many existing contracts are not DORA-compliant.
6. Register of Information (ROI)
Circular C751 places significant focus on the annual submission of the Register of Information.
We assist firms with:
- Identifying reportable ICT providers
- Contract classification
- Critical and Important Function assessments
- Register preparation
- Data verification
- Legal review of entries
- Submission readiness reviews
Many firms struggle not because they lack data, but because they have not mapped their ICT ecosystem correctly.
7. DORA Documentation Suite
We can prepare a complete DORA documentation package, including:
- ICT Risk Management Framework
- ICT Governance Policy
- Cyber Incident Policy
- Business Continuity Policy
- Disaster Recovery Policy
- ICT Third-Party Risk Policy
- Outsourcing Policy
- Board Reporting Templates
- Incident Registers
- Vendor Registers
8. Internal Audit and Independent Reviews
Circular C751 reinforces the requirement for periodic review and independent assessment.
AGPLAW can coordinate or support:
- DORA readiness reviews
- Regulatory mock inspections
- Internal compliance reviews
- Governance effectiveness assessments
- Remediation reviews
Prior to a CySEC inspection, we can conduct a full “regulatory health check” to identify weaknesses before the regulator does.
9. Regulatory Investigations and CySEC Engagement
Where CySEC:
- raises concerns,
- requests information,
- identifies deficiencies,
- commences supervisory reviews,
- investigates incident reporting failures,
AGPLAW can represent the entity before CySEC and assist in:
- responses to CySEC enquiries;
- remediation plans;
- supervisory correspondence;
- regulatory submissions;
- enforcement defence strategies.
10. Ongoing DORA Compliance Officer Support
Many firms do not have sufficient in-house expertise.
We can provide ongoing support through:
- retained advisory services;
- quarterly reviews;
- Board reporting assistance;
- DORA updates monitoring;
- regulatory developments briefings;
- ongoing compliance oversight.
Why AGPLAW?
Unlike purely technical consultants, AGPLAW combines:
- Regulatory and legal expertise
- CySEC licensing experience
- Governance advisory
- Outsourcing and commercial contracts expertise
- Data protection knowledge
- Financial services regulation
- Internal control frameworks
- Regulatory investigations experience
This allows us to bridge the gap between legal compliance, governance, operational resilience and regulatory expectations.
The key question under DORA is no longer: “Do you have a cybersecurity or a Business Continuity policy?” The question CySEC is increasingly asking is:
“Can you demonstrate, with evidence, that your Board governs ICT risk, your incidents are classified correctly, your third-party providers are under control, and your operational resilience framework actually works?”
That is precisely where AGPLAW can add value.
The information provided by AGPLAW | A.G. Paphitis & Co. LLC is for general informational purposes only and should not be construed as professional or formal legal advice. While every effort has been made to ensure the accuracy and reliability of the information contained herein, no representation or warranty is given. In no event will the author or any related parties be liable for any loss arising from reliance on this article.