The Cyprus Securities and Exchange Commission (CySEC) this week adopted new joint guidelines, requiring financial entities to estimate the aggregated annual costs and losses caused by major Information and Communications Technology (ICT)-related incidents under the Digital Operational Resilience Act (DORA Regulation).

In circular sent on Wednesday, the commission informed a wide range of financial entities under its supervision that the regulator has adopted the joint guidelines issued by the European Supervisory Authorities (ESAs) on July 17, 2024.

This regulatory action is taken under Article 11(11) of the DORA Regulation, formally known as Regulation (EU) 2022/2554, which was established on December 14, 2022, and deals with digital operational resilience for the financial sector.

The mandate to report on ICT-related losses applies to all financial entities under CySEC’s responsibility, as defined in Article 46 of the DORA Regulation.

This requirement covers Cyprus Investment Firms (CIFs), Crypto-Asset Service Providers authorised by CySEC, and issuers of Asset-Referenced Tokens where Cyprus is the home member state and the issuer has been authorised by CySEC.

Additionally, it includes Central Securities Depositories authorised in the Republic for basic or non-banking ancillary services, Central counterparties established in the Republic, Trading venues of the Republic, Alternative Investment Fund Managers of the Republic, Management companies authorised by CySEC, and Crowdfunding services providers authorised by CySEC.

The Joint Guidelines aim to develop common reporting standards for the aggregated annual costs and losses of major ICT-related incidents, as referenced in Article 11(10) of the DORA Regulation.

In addition to setting out the methodology for estimation, the guidelines also specify a common template that must be used for the submission of these aggregated annual costs and losses.

The ESAs issued the guidelines pursuant to their respective regulations, which empower them to develop common guidelines on supervisory issues.