CySEC aligns with DORA rules
Cyprus’s regulator has aligned local rules with the EU’s DORA digital‑operational resilience standards, tightening requirements around cloud outsourcing, incident response and cybersecurity for fintechs with EU exposure reported. That raises the compliance bar for model documentation and resilient architecture — practical must‑haves for engineers and quants working on production systems.
CySEC issued Circular C751 on 19 January 2026, providing targeted supervisory guidance on Digital Operational Resilience Act (DORA) obligations such as incident reporting, ICT governance and portal use. (gpglobalcy.com) Two further CySEC circulars adopted the EU’s cloud‑outsourcing guidelines for certain depositaries outside DORA’s direct scope and reminded managers of updated stress‑test rules for money‑market funds. (cyprus-mail.com) The regulator signalled it has observed firms misclassifying or failing to report major ICT‑related incidents during supervisory reviews, calling out those deficiencies as a specific concern. (salvusfunds.com) DORA has been in application since 17 January 2025 and requires harmonised reporting templates and strict timelines for major ICT‑related incidents across EU financial entities. (eiopa.europa.eu) CySEC’s guidance makes completion of mandatory Portal entries and submission of a prescribed Register of Information compulsory, which raises the level of documentation operational teams must maintain. (enaservicesltd.com) The combined effect of DORA and CySEC guidance forces firms to run preliminary ICT concentration risk assessments at entity level and to embed detailed contractual SLAs plus regular resilience testing of critical services in vendor programs. (eba.europa.eu)
