The Cyprus Securities and Exchange Commission has published a policy outlining fees for financial entities under the EU’s Digital Operational Resilience Regulation. Annual supervision fees will range from €2,000 to €20,000 based on entity size, while threat-based penetration testing carries a €20,000 assessment fee.

Regulator Outlines Fee Schedule and DORA Obligations for Firms

Firms must declare their category between October 2 and October 31, based on their latest audited financial statements. Annual fees are due by December 31 and will be calculated pro-rata for the period from mid-August to year-end.

CySEC said the fees reflect stakeholder feedback and aim to reduce reliance on public funding. DORA obliges firms to manage and recover from ICT disruptions and standardises resilience requirements across the EU. In Cyprus, it aligns local firms with EU benchmarks.

CySEC Conducted 850 Audits, Issued €2.76 Million Fines

In 2024, CySEC carried out over 850 audits, reviewed 510 annual compliance reports, and monitored derivatives transactions for 33 investment funds. Administrative fines for the year totalled €2.76 million, with Cyprus-based investment firms accounting for €2.12 million.

The regulator also revoked multiple operating licenses as part of its efforts to strengthen compliance, investor protection, and overall financial stability.