CySEC issues guidance on Digital Operational Resilience compliance
- ICT-Related Incident Reporting: classification and reporting of major ICT-related incidents
Entities must ensure accurate classification and timely reporting of major ICT-related incidents, adhering to the criteria in Commission Delegated Regulation 2024/1772. Figure 1 of Circular C751 provides a helpful diagram indicating the approach for classifying major incidents under DORA.
- Register of Information: format of the submission
Submissions must be in XBRL-CSV format through the CySEC XBRL Portal, which can be accessed here, with annual deadlines of 28 February for data as of 31 December of the prior year.
- ICT Risk Management Framework
Entities must establish and maintain a documented ICT risk management framework, reviewed annually or after major incidents. Responsibilities for ICT risk oversight must be independent, and internal audits should be conducted regularly by qualified auditors.
- CySEC Portal: Designation of ICT auditor and responsible personnel
Entities must designate, in the CySEC Portal, the ICT auditor responsible for the internal audit of the ICT risk management framework and the person responsible for the control function. The CySEC Portal can be found here.
For further details, Circular C751 can be found here.



