top of page

📢CySEC PUBLISHES POLICY STATEMENT ON DORA FEES (PS-03-2025)

  • Writer: PCV LLC
    PCV LLC
  • Sep 4
  • 3 min read

Updated: 1 day ago

ree

On 4 September 2025, the Cyprus Securities and Exchange Commission (CySEC) issued Policy Statement PS-03-2025, setting out the fees applicable to financial entities under the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554). The announcement follows the public consultation CP-01-2025 held earlier this year and provides clarity for supervised entities on their obligations regarding annual supervisory fees and the assessment of Threat-Led Penetration Testing (TLPT).


Key Highlights of the Policy Statement

  • Annual ICT Oversight Fees

Entities supervised by CySEC will pay annual fees depending on their size:

  • Microenterprises: €2,000

  • Small enterprises: €5,000

  • Medium-sized enterprises: €10,000

  • Large entities: €20,000


Note:


‘microenterprise’ as defined in Article 3 of the Regulation (EU) 2022/2554, means a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million.


‘small enterprise’ as defined in Article 3 of the Regulation (EU) 2022/2554, means a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million, but does not exceed EUR 10 million.


‘medium-sized enterprise’ as defined in Article 3 of the Regulation (EU) 2022/2554, means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million.


  • TLPT Assessment Fee

The fee for the assessment of Threat-Led Penetration Tests has been set at €20,000 per assessment.


  • Fee Timeline for 2025

    • 2–31 October 2025: Entities must declare their category (micro, small, medium, large) to CySEC, based on audited financial statements.

    • By 31 December 2025: Entities must pay their annual fee for the period 15 August – 31 December 2025, calculated on a pro-rata basis.


Scope of Application

ree

The Policy Statement applies to a wide range of financial entities supervised by CySEC, including:


  • Cyprus Investment Firms (CIFs)

  • Crypto-Asset Service Providers (CASPs) authorised under MiCA

  • Issuers of Asset-Referenced Tokens

  • Central securities depositories and central counterparties

  • Trading venues

  • Alternative Investment Fund Managers (AIFMs) and UCITS management companies

  • Crowdfunding service providers


Stakeholder Feedback and Adjustments

During the consultation process, stakeholders expressed concerns about the cost of compliance and the potential impact on Cyprus’ competitiveness as a financial centre. In response, CySEC introduced reductions for micro and small enterprises and lowered the TLPT assessment fee.


CySEC emphasised that these fees reflect the principle of proportionality under DORA, while ensuring the regulator’s independence by reducing reliance on public funding. As noted by CySEC Chairman Dr. George Theocharides, adequate funding is essential for CySEC to effectively safeguard market integrity and meet its supervisory obligations under DORA.


Why This Matters

DORA represents a major step in strengthening the digital resilience of the EU financial sector, ensuring that entities can withstand ICT disruptions and cyber threats. For Cyprus-based firms, this Policy Statement clarifies the financial obligations attached to compliance. While the new fee structure introduces an additional cost, it also provides certainty and aligns Cyprus with EU-wide efforts to standardise digital operational resilience across the financial system.


Next Steps

Financial entities under CySEC’s supervision should start preparing for the October categorisation and ensure timely fee payments by December 2025. In parallel, boards and compliance teams should integrate these costs into their DORA implementation plans and review ICT resilience strategies.


For tailored legal and regulatory support on DORA compliance, including categorisation, TLPT preparation, and supervisory engagement with CySEC, feel free to contact our team at info@pelaghiaslaw.com

Comments

bottom of page