top of page

CySEC Regulatory Alert Circular 700 - Major Incidents Reporting

  • Antonis Hadjicostas
  • Apr 9
  • 2 min read

ree


🔔 Legal / Regulatory Alert – Cyprus!


CySEC has issued today Circular 700, which outlines the obligation of Regulated Entities:


  • Cyprus Investment Firms (‘CIFs’)

  • Central Securities Depositories (‘CSDs’)

  • Trading Venues (‘TVs’)

  • Crypto-Asset Providers (CASPs)

  • Alternative Investment Fund Managers (‘AIFMs’)

  • UCITS Management Companies (‘UCITS’)


regarding the assessment of incidents related to ICT Services as well as the reporting of Major Incidents Reporting, as emanated by Article 19(1)of Regulation 2022/2554 on digital operational resilience for the financial sector (DORA).


📊 Major Incidents Reporting - Step Approach


  1. Assess Impact: Determine the impact of the incident on ICT services to establish whether it qualifies as an ICT-related incident based on Articles 18(1) of DORA and Articles 1-7 of the Commission Delegated Regulation 2024/1772.


  2. Classify Incident: If the incident is deemed ICT-related, classify it accordingly using the provided criteria.


  3. Evaluate Major Incident Thresholds: Refer to Articles 8-9 of the Commission Delegated Regulation 2024/1772 to assess if the incident meets the thresholds for a major ICT-related incident.


  4. Report to CySEC: If classified as a Major Incident, ensure that it is reported to CySEC in accordance with regulatory requirements.


📢 Phase Out Reporting & Submission Deadlines


  • Initial Report: Submit within four hours of classifying the incident as major, and no later than 24 hours after becoming aware of it.


  • Intermediate Report: Submit within 72 hours of the initial report, regardless of whether the incident's status has changed. An updated report must be submitted promptly, especially after regular activities are restored.


  • Final Report: Submit within one month of the intermediate report or the latest updated intermediate report.


References:


Commission Implementing Regulation (EU) 2025/302 with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat


Commission Delegated Regulation (EU) 2025/301 with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats


â›” Submission Process


  1. The Major ICT-related incident Form and the Significant Cyberthreats Template (Voluntary) (the ‘Incident Reporting Forms’) must be submitted to CySEC through the TRS system ONLY.



  1. The steps that the Regulated Entities have to follow for the successful submission of the template to the TRS, can be found here.


  1. After populating the required Excel fields in the Incident Reporting Forms, Regulated Entities should name the Excel file in accordance with the following naming convention:


Username_DATDIR_IIRN-Version_YY.xlsx


Example: XX_DATDIR_0000000001-0_25.xlsx

 
 

The material reflected in our website, including Blog material, is for informational purposes only and does not constitute legal advice, consulting, or any other professional advice. Please seek independent professional guidance for your specific needs.

​

All rights reserved. No part of this work may be reproduced, stored in a retrieval system of any nature, or transmitted, in any form or by any means including photocopying and recording, without the prior written permission of the ENAH Services Ltd. The reproduction or transmission of all or part of the work, whether by photocopying or storing in any medium by electronic means or otherwise without the written permission of the owner is strictly prohibited and the commission of any unauthorised act in relation to the work will result in civil and/or criminal actions. 

bottom of page