
CySEC Issues Circular C751: DORA – Reporting, Governance & Portal-related Obligations


On 20 January 2026, the Cyprus Securities and Exchange Commission (CySEC) released Circular C751, addressed to Regulated Entities, relating to the Digital Operational Resilience Act (DORA) and its reporting, governance and portal-related obligations.

Key points of Circular C751: 

1.  Major ICT-related Incident Reporting  

CySEC notes that it has observed deficiencies in the classification and reporting of ICT-related incidents by Regulated Entities. In particular, Regulated Entities are either failing to report major ICT-related incidents or incorrectly classifying incidents as major.

As a result, Regulated Entities are required to review Commission Delegated Regulation (EU) 2024/1772, which explains: 

  • When an ICT incident must be considered “major”
  • The materiality thresholds, and  
  • The required content and format of incident reports 

In addition, Entities should use the classification diagram included in the Annex to the Regulation to help ensure incidents are correctly classified and reported promptly upon detection.  

2. Register of Information – Submission Format 

CySEC reminds Regulated Entities that it no longer accepts the “Built in Excel” file via its XBRL Portal.  Instead, Regulated Entities must now: 

  • Submit the Register of Information only in XBRL-CSV format,
  • Use XBRL-compatible software (that supports EBA validation rules), and
  • Upload the zipped XBRL file via the CySEC XBRL Portal. 

The Register of Information must be submitted annually by 28 February, with a reference date of 31 December of the previous year.

3. ICT Risk Management Framework 

Regulated Entities are reminded that they must maintain a clear, well-documented ICT risk management framework, noting that:   

  • Entities (other than microenterprises) must assign ICT risk oversight to an independent control function.
  • Proper segregation and independence must be maintained between ICT risk management, control functions, and internal audit.
  • The framework must be reviewed at least annually and after major ICT incidents, supervisory requests, or resilience testing, and updated over time based on lessons learned from monitoring.
  • Where requested, entities must be able to provide CySEC with a report on the review of the ICT risk management framework, based on Chapter V of Commission Delegated Regulation (EU) 2024/1774.
  • Entities (but not microenterprises) must also ensure that the ICT framework is subject to regular internal audit, auditors have sufficient ICT expertise and independence, and that audit findings are followed up and remediated in a timely manner.
  • Small and non-interconnected (Class 3) investment firms may apply a simplified framework, in line with the proportionality principle. 

4. Information in the CySEC Portal 

CySEC emphasizes the importance of keeping the CySEC Portal updated.   Regulated Entities (not microenterprises) must: 

  • Designate the ICT auditor responsible for ICT internal audits under the “Auditors” section of the Portal, by selecting the “Is ICT” option.
  • Designate the person responsible for ICT risk management under the “Personnel” section of the Portal. 

Contact us at compliance@salvusfunds.com if you have any questions or require support to ensure compliance with Circular C751. We are always ready to answer your questions and support you in achieving regulatory compliance.

#StayAhead

The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs. 
