CySEC Implements EU Guidelines on Estimating ICT Incident Costs Under DORA Regulation

The Cyprus Securities and Exchange Commission (CySEC) has announced the adoption of new joint guidelines that require financial entities to assess and report the aggregated annual costs and losses resulting from major Information and Communications Technology (ICT)-related incidents, in line with the Digital Operational Resilience Act (DORA Regulation).


In a circular distributed on Wednesday, the commission informed a broad spectrum of supervised financial entities that it has formally adopted the joint guidelines issued by the European Supervisory Authorities (ESAs) on July 17, 2024.


This regulatory development falls under Article 11(11) of the DORA Regulation—formally designated as Regulation (EU) 2022/2554—established on December 14, 2022, which governs digital operational resilience across the financial sector.


According to CySEC, the new reporting mandate applies to “all financial entities under CySEC’s responsibility, as defined in Article 46 of the DORA Regulation.” This encompasses Cyprus Investment Firms (CIFs), Crypto-Asset Service Providers authorised by CySEC, and issuers of Asset-Referenced Tokens where Cyprus acts as the home member state and CySEC serves as the authorising body.


The scope further extends to Central Securities Depositories authorised in the Republic for basic or non-banking ancillary services, Central Counterparties established in Cyprus, Trading Venues operating within the Republic, Alternative Investment Fund Managers (AIFMs) of the Republic, Management Companies authorised by CySEC, and Crowdfunding Service Providers regulated by the Commission.


The Joint Guidelines, as highlighted in the circular, are designed to create “common reporting standards for the aggregated annual costs and losses of major ICT-related incidents,” in accordance with Article 11(10) of the DORA Regulation.


Beyond prescribing a uniform methodology for estimating these costs and losses, the guidelines also introduce a standardised template that all financial entities must use when submitting their annual reports.


The European Supervisory Authorities issued these guidelines under their respective regulations, which grant them the authority to “develop common guidelines on supervisory issues,” thereby ensuring consistency and comparability in how financial institutions across the European Union report and manage ICT-related operational risks. 

By fLEXI tEAM
