
Regulatory Alert: CySEC Circular C751 – DORA Reporting, Governance Portal and Related Obligations

  • Antonis Hadjicostas
  • Jan 19

Updated: 7 days ago



CySEC has issued Circular C751, providing targeted operational guidance on specific obligations arising under Regulation (EU) 2022/2554 (DORA). The Circular focuses on four practical areas: ICT-related incident reporting, the Register of Information submission format, governance of the ICT risk management framework, and mandatory entries in the CySEC Portal.


ICT-related incident reporting


CySEC states that it has identified deficiencies in how regulated entities classify and report ICT-related incidents. In particular:

  • incidents that should have been classified and reported as “major” were not reported;

  • incidents were reported but incorrectly classified as major.


Regulated entities are required to apply the classification criteria and materiality thresholds in Commission Delegated Regulation (EU) 2024/1772 and to ensure timely reporting upon detection of a major ICT-related incident.


Register of Information – XBRL-CSV only


CySEC reiterates that the “Build in Excel” file is no longer accepted. The Register of Information must be submitted exclusively in XBRL-CSV format, which is the only format accepted by the EBA.


Key operational points:

  • use XBRL-compatible software supporting mapping and validation against EBA rules;

  • generate fully compliant XBRL files;

  • zip the files and submit them via the CySEC XBRL Portal;

  • submit annually by 28 February, with reference date 31 December of the preceding year.


ICT risk management framework – governance, review and audit


CySEC reminds regulated entities of their obligations under Article 6 DORA to establish, implement and maintain a documented ICT risk management framework.

In particular:

  • for non-microenterprises, ICT risk management and oversight must be assigned to a control function with appropriate independence and segregation from internal audit;

  • the framework must be reviewed at least annually and following major ICT incidents, supervisory instructions or resilience testing and audit findings;

  • a report on the review must be submitted to CySEC upon request and should be based on Chapter V of Commission Delegated Regulation (EU) 2024/1774;

  • for non-microenterprises, the framework must be subject to regular internal audit, with a formal follow-up process for critical ICT audit findings;

  • small and non-interconnected (Class 3) investment firms remain subject to a simplified ICT framework.


CySEC Portal – mandatory designations


Circular C751 introduces two specific operational obligations in the CySEC Portal:

  • designation of the ICT auditor (for non-microenterprises) under the Auditors section, selecting “Is ICT”;

  • designation of the person responsible for the ICT risk control function under the Personnel section.


How ENAH Services Can Support


ENAH Services supports regulated entities across the banking, payments, investment and fintech sectors with:

  • DORA implementation and gap assessments

  • ICT risk governance frameworks

  • Incident reporting workflows and simulations

  • ICT third-party risk management and contract reviews

  • Board-level DORA readiness reporting

  • Regulatory engagement and remediation programmes


For further information or tailored DORA support, please contact us at consulting@enaservicesltd.com.

 
 

The material reflected in our website, including Blog material, is for informational purposes only and does not constitute legal advice, consulting, or any other professional advice. Please seek independent professional guidance for your specific needs.

All rights reserved. No part of this work may be reproduced, stored in a retrieval system of any nature, or transmitted, in any form or by any means, including photocopying and recording, without the prior written permission of ENAH Services Ltd. The reproduction or transmission of all or part of the work, whether by photocopying or storing in any medium by electronic means or otherwise, without the written permission of the owner is strictly prohibited, and the commission of any unauthorised act in relation to the work will result in civil and/or criminal actions.
