CySEC proposes that entities affected, including but not limited to investment firms, crypto-asset service providers, central securities depositories, alternative investment fund managers, management companies, and crowdfunding platforms, will be required to pay annual ICT fees ranging from €3,000 to €20,000, depending on their categorisation under DORA.

Additionally, CySEC’s proposed fee for firms subject to a Threat Lead Penetration Test (TLPT) is €50,000 per TLPT assessment.

Financial institutions will also need to submit a self-categorisation annually between 1 and 15 September based on their latest financial statements and pay the respective fee by 30 November. The first ICT oversight fee will be paid in 2025.

CySEC Chairman Dr Theocharides emphasised that DORA is more than a compliance requirement, highlighting its role in strengthening financial market resilience and cybersecurity preparedness.

Market participants can submit their feedback by 7 March 2025 via email at policy@cysec.gov.cy.

CySEC’s press release can be found here and the consultation paper here.