
CySEC Circular C700: Reporting Obligations of Regulated Entities under DORA


The Cyprus Securities and Exchange Commission (CySEC) issued Circular C700, detailing the reporting obligations of regulated entities under the Digital Operational Resilience Act (DORA), which entered into application across the EU on 17 January 2025. This circular provides guidance on the two main reporting requirements for regulated entities: incident reporting and the register of information.

In this article, the SALVUS Regulatory Compliance team summarizes how and when these reporting requirements should be prepared and submitted to CySEC along with the relevant guidance on the framework in place. The summary provides answers to the following: 

1. What does fulfilling the Incident Reporting requirement entail?
2. What does the DORA Register of Information requirement cover?
3. Report Filing
4. The Importance of Fulfilling Reporting Requirements
5. How can SALVUS assist you?


1. Incident Reporting

There are two categories under Incident Reporting: (a) mandatory reporting of major ICT-related incidents and (b) voluntary notification for significant cyber threats.

Mandatory reporting of major ICT-related incidents 

Under Article 19(1) of DORA, regulated entities are required to report all major ICT-related incidents to CySEC. To determine whether an incident qualifies as “major,” entities must apply the classification criteria outlined in Article 18(1) of DORA and Articles 1 to 7 of Commission Delegated Regulation (EU) 2024/1772. These criteria assess the impact of the incident based on: 

  • The number or relevance of clients or financial counterparts affected,
  • The duration and downtime of services,
  • The geographical spread (particularly if it spans more than two EU Member States),
  • Any losses of data integrity, availability, confidentiality, or authenticity,
  • The criticality of the services impacted, and
  • The economic impact in absolute or relative terms.

If the criteria are met, entities must then assess the thresholds in Articles 8–9 of the same Delegated Regulation to confirm whether the incident is considered “major.” If the event is classified as major, it must be reported to CySEC. 

Voluntary notification for significant cyber threats 

In addition to mandatory incident reporting, Article 19(2) of DORA allows regulated entities to voluntarily notify CySEC of significant cyber threats they believe may affect the financial system or their clients. Classification of these threats should follow Article 18(2) of DORA and Article 10 of Commission Delegated Regulation (EU) 2024/1772, using the following criteria: 

  • The criticality of the services at risk,
  • The scope of financial transactions or operations impacted,
  • The number or relevance of clients or financial counterparts targeted, and
  • The geographical reach of the threat. 

2. Register of Information

Article 28(3) of DORA obliges regulated entities to keep an updated register of all their contracts with ICT third-party service providers, covering both the entity level and the group level. This register must be submitted to CySEC at least annually and should include information such as the number of new ICT service arrangements, the types of service providers, the nature of the contracts, and the specific ICT services and functions outsourced.  

In accordance with the ESAs’ Decision of 8 November 2024, the register must reflect the entity’s structure—whether it’s a standalone firm or part of a larger group, including those with non-EU parent companies. This data contributes to the identification and designation of critical ICT third-party providers and is forwarded to the European Supervisory Authorities (ESAs). 

3. Report Filing

Below are the guidelines on the reporting timeline and submission process for each reporting obligation.

Reporting timeline

  • Incident Reporting, mandatory reporting of major ICT-related incidents: Initial Notification within 4 hours from classifying an incident as major; Intermediate Report within 72 hours from the submission of the initial notification; Final Report within one month after the submission of the intermediate report.
  • Incident Reporting, voluntary notification for significant cyber threats: No specified timeline, but ideally upon detection of significant cyber threats.
  • Register of Information: The first submission due date is Wednesday, April 30, 2025, with a reference date of March 31, 2025. This requirement will be annual, with a deadline of the 28th of February in subsequent years.

Submission process

  • Incident Reporting (mandatory and voluntary): The Major ICT-related incident Form and Significant Cyberthreats Template (Voluntary) must be submitted to CySEC through the TRS system ONLY. These forms must not be digitally signed.
  • Register of Information: The Register of Information Form should be submitted via CySEC’s XBRL Portal ONLY.

4. The Importance of Fulfilling Reporting Requirements

Adherence to these requirements ensures regulatory compliance and helps entities avoid administrative fines, legal consequences, and reputational damage. Beyond regulatory enforcement, reporting obligations play a key role in enhancing an entity’s operational resilience. By consistently monitoring and reporting ICT-related incidents, firms are better equipped to identify system vulnerabilities, strengthen their continuity planning, and respond effectively to cyber threats or operational disruptions. This proactive approach fosters a robust defense against both known and emerging digital risks. 

Reporting also supports supervisory oversight by enabling regulators to monitor systemic threats, coordinate responses across the financial sector, and promote overall market stability. In this way, individual compliance contributes to the collective strength of the financial ecosystem. Furthermore, maintaining accurate and timely records demonstrates transparency and accountability, which are vital for internal governance, client trust, and external assessments such as audits or due diligence reviews. 

Lastly, DORA introduces a harmonized set of rules across the European Union, allowing entities that comply to align with international standards and facilitate smoother cross-border operations. Overall, compliance with reporting obligations is not merely a legal necessity—it is a strategic imperative that supports operational integrity, regulatory trust, and long-term business sustainability in the digital age. 

5. How can SALVUS assist you?

At SALVUS, we combine deep regulatory knowledge with hands-on industry experience to help our clients navigate the complex reporting obligations. The SALVUS Regulatory Compliance team can support your firm in identifying the classification of ICT-related incidents, preparing and submitting mandatory and voluntary reports through CySEC’s TRS system, and compiling the annual Register of Information for submission via the XBRL portal.

We offer tailored guidance and operational support throughout the reporting lifecycle—from initial assessment to timely filing—ensuring accuracy, compliance, and peace of mind. Whether your firm operates independently or as part of a larger financial group, SALVUS stands ready to assist you in meeting these evolving regulatory expectations with confidence and precision. 

If you require more information or support regarding the DORA reporting obligation, please contact our Regulatory Compliance team by email at info@salvusfunds.com. We are always ready to answer your questions and support you in achieving regulatory compliance. 


The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.
