The Cyprus Securities and Exchange Commission (CySEC) this week announced a new policy statement setting out the fees that financial entities must pay under the European Union’s Digital Operational Resilience Regulation, known as DORA.

The policy statement, numbered PS-03-2025, outlines the supervisory and testing fees that will apply to firms falling under the scope of Regulation (EU) 2022/2554.

The annual supervision fee has been set to range between €2,000 and €20,000, depending on the size of each entity.

An assessment fee for threat-based penetration testing was set at €20,000.

CySEC explained that the fees were determined after taking into account feedback submitted by stakeholders in response to the public consultation document CP-01-2025, which was published earlier in the year.

The regulator noted that the most significant changes include a reduction in annual fees for micro and small enterprises and a reduction in the assessment fee for threat-led penetration tests.

Financial entities subject to DORA and supervised by CySEC in 2025 must now follow a two-step process for fee declaration and payment.

Between October 2 and October 31, 2025, financial entities are required to inform CySEC of the category of undertaking they fall under.

This declaration must be in line with the first annex of directive 73-2009-07 and should be based on the entities’ latest audited financial statements.

These statements must include the number of employed persons, annual turnover, and annual balance sheet.

The deadline for payment of annual fees is December 31, 2025.

Entities must pay the annual fee for the period from August 15, 2025 to December 31, 2025, calculated on a pro-rata basis in line with the fees set out in the first annex of directive 73-2009-07.

“The DORA regulation impacts national competent authorities, including CySEC, in ways not only confined to supervision,” said commission chairman George Theocharides.

“To meet these growing obligations adequate funding is essential,” he added.

“The fees are aligned with DORA’s proportionality criteria as well as the ministry of finance’s objective for CySEC to reduce reliance on public funding,” he continued.

“This will enhance CySEC’s independence and ensure it can continue to safeguard market integrity effectively,” Theocharides concluded.

Why is the DORA framework important?

The Digital Operational Resilience Regulation (DORA) is an EU framework designed to ensure financial entities can withstand and recover from information and communications technology disruptions.

It harmonises risk management, testing, reporting, and third-party oversight requirements across the bloc.

For Cyprus, DORA is particularly significant as it strengthens trust in the island’s financial sector, enhances supervisory standards, and aligns local firms with European resilience benchmarks.