On Apr. 8, CYP SEC issued circular on DORA reporting requirements.
CYP SEC issued circular (C700) on reporting requirements for regulated entities under DORA, major incident reporting and annual information of ICT services (see #244501).
Major Incident Reporting
Regulated Entities must report major ICT-related incidents to CYP SEC under article 19A of the Digital operational and resilience act (DORA Dir 2022/2554).
When an incident occurs, an entity must assess whether it is ICT-related and then determine the impact of that incident to decide whether it is a major ICT-related incident that must be reported.
Three phases of reporting with specific deadlines: initial (within 4 hours of identification as major incident), intermediate (72 hours) and final (one month).
Circular sets out requirements and relevant forms to be used for major incidents, plus how an entity could voluntarily notify the regulator of a significant cyber threat.
Register of Information
Regulated entities must maintain and update a register of information on all contractual arrangements on ICT services provided by third-party service providers.
Must report at least yearly on new use of ICT services, categories of third-party service providers, types of contractual arrangements and ICT services and functions provided.
Form must be submitted by Feb. 28 each year, with the preceding Dec. 31 as the reference date.
First submission due on Apr. 30, 2025, with a reference date of Mar. 31, 2025.