The Cyprus Securities and Exchange Commission (CySEC) has issued new guidance aimed at strengthening how financial firms in Cyprus handle digital risks and technology-related disruptions.
The circular targets a wide range of regulated entities, including investment firms, trading venues, fund managers and crypto-asset providers, and focuses on improving digital resilience across the financial sector.
CySEC said it has identified weaknesses in how firms report technology-related incidents, with some serious incidents not being reported at all and others being misclassified.
The regulator stressed that firms must ensure serious ICT incidents are identified and reported promptly, warning that inaccurate reporting undermines oversight and risk management.
The commission also addressed the way firms submit key operational information, reminding regulated entities that spreadsheets are no longer accepted and that submissions must be made through the regulator’s online reporting systems.
Firms were reminded that this information must be submitted every year by February 28, based on data as at December 31 of the previous year.
The circular places strong emphasis on the need for firms to maintain a clear and well-documented ICT risk management framework, allowing risks linked to technology and cyber threats to be managed on an ongoing basis.
The commission underlined that responsibility for overseeing ICT risks should sit with a dedicated and independent control function, helping to avoid conflicts of interest and ensuring effective internal checks and balances.
Firms are also expected to review their ICT risk framework at least once a year, as well as after serious incidents or following internal reviews, and to continuously improve it based on lessons learned.
The regulator added that companies must ensure their ICT systems and controls are regularly audited by suitably qualified and independent auditors, with the depth of audits reflecting each firm’s risk profile.
Any significant issues identified through these audits should be addressed without delay, with firms expected to have formal processes in place to track and resolve weaknesses.
Smaller investment firms were reminded that they may apply a simplified approach, provided it remains proportionate to their size and level of interconnectedness.
The commission also instructed firms to update their details on the CySEC portal, including the designation of the ICT auditor and the person responsible for overseeing ICT risks.
The guidance forms part of the implementation of the Digital Operational Resilience Act (DORA), a new European Union framework designed to ensure that financial institutions can withstand, respond to and recover from digital disruptions.
DORA sets common rules across the EU on how banks, investment firms and other financial entities manage technology risks, including cyber threats, system failures and third-party service providers.
Its aim is to reduce vulnerabilities in the financial system by strengthening governance, improving incident reporting and ensuring firms remain operational even during severe digital incidents.