CySEC Sets Supervision Fees, Trims Bills for Smaller Financial Firms


What Did CySEC Announce?
The Cyprus Securities and Exchange Commission (CySEC) has finalized its fee schedule for enforcing the EU’s Digital Operational Resilience Act (DORA), introducing annual charges of €2,000–€20,000 depending on firm size. In addition, a €20,000 attestation fee will apply when CySEC reviews the results of Threat-Led Penetration Tests (TLPTs), the “red team” exercises designed to test firms’ cyber defences. The policy is set out in Policy Statement PS-03-2025, published Thursday.
After a public consultation earlier this year, CySEC scaled back charges for micro and small firms and reduced the TLPT fee. Chairman George Theocharides said the fees align with proportionality requirements while reducing reliance on state funding: “This will enhance CySEC’s independence and ensure it can continue to safeguard market integrity effectively.”
When Do Payments Begin?
The first obligations arrive quickly. Between 2 and 31 October 2025, firms must declare their size category, based on audited accounts. By 31 December 2025, they must pay a pro-rata fee covering August–December. From 2026, declarations will run 1–15 September annually, with payment due by 30 November.
This timeline gives compliance teams in Nicosia and Limassol just weeks to prepare documentation and funding, making 2025 the first real test of DORA’s practical rollout.
Who Falls Under CySEC’s DORA Scope?
CySEC’s coverage includes a wide swath of Cyprus’s financial sector: investment firms, crypto-asset providers regulated under MiCA, central counterparties, securities depositories, trading venues, UCITS and AIF managers, and licensed crowdfunding platforms. Each will now contribute directly to funding CySEC’s DORA supervision, in addition to complying with new ICT risk and incident-reporting obligations.
The regulator emphasized that adequate funding is essential, given DORA’s requirements for digital testing, ICT third-party oversight, and cross-border supervisory cooperation. By embedding fees into the framework, CySEC is formalizing cost recovery rather than relying on state subsidies.
How Does This Fit Into the EU DORA Rollout?
DORA, in force since January 2025, is creating a harmonized EU framework for digital resilience in finance. IT incidents, perform TLPTs, and scrutinize critical third-party ICT providers more rigorously. Brussels continues to refine details: a delegated act on subcontracting was adopted in July, and European Supervisory Authorities have issued cooperation guidelines to avoid fragmented national approaches.
One efficiency measure is mutual recognition of TLPTs across the EU. Once a test is validated by a home supervisor, it is accepted by others—making CySEC’s €20,000 attestation an unavoidable one-off cost but preventing duplication across jurisdictions. This gives firms regulatory certainty even as broader DORA .
What’s Next?
For firms, the immediate focus is preparing size declarations in October and budgeting for the first levy by year-end. Longer term, DORA ICT governance, cross-border coordination, and careful planning of TLPTs. For CySEC, the fee structure marks a step toward financial independence, tying its oversight costs directly to industry contributions at a time when its remit is role in EU finance.







