The Cyprus Securities and Exchange Commission has published a consultation paper proposing that financial entities it authorises and that fall within scope of the EU Digital Operational Resilience Act (DORA) pay an annual ICT oversight fee, alongside enhanced cyber security testing requirements where applicable. The proposals also introduce a separate fee for the assessment of a threat-led penetration test (TLPT), with consultation responses due by 7 March 2025. Annual ICT oversight fees would be set by DORA categorisation, ranging from EUR 3,000 for microenterprises to EUR 20,000 for large financial entities authorised by CySEC. Entities subject to a TLPT requirement would additionally pay EUR 50,000 for assessment of their TLPT. The scope includes Cyprus investment firms, crypto-asset service providers, central securities depositories, alternative investment fund managers, management companies, crowdfunding service providers and other CySEC-authorised entities within DORA. Financial entities would submit a self-categorisation each September based on their most recent financial statements, and the first annual ICT oversight fee would be paid in 2025.
Cyprus Securities and Exchange Commission 2025-01-31
Cyprus Securities and Exchange Commission consults on annual ICT oversight fees and TLPT assessment charges for DORA entities
The Cyprus Securities and Exchange Commission has issued a consultation paper proposing annual ICT oversight fees for entities under the EU Digital Operational Resilience Act (DORA), ranging from EUR 3,000 to EUR 20,000 based on size. Additionally, entities subject to threat-led penetration testing would incur a EUR 50,000 assessment fee. The proposals apply to various CySEC-authorised entities, including investment firms and crypto-asset service providers.