The annual supervisory fee to be paid by financial entities falling under the scope of Regulation (EU) 2022/2554 on the Digital Operational Resilience of the financial sector, known as DORA (Digital Operational Resilience Act), will range between €2,000 and €20,000.

The Cyprus Securities and Exchange Commission (CySEC) published yesterday its Policy Statement on Fees, which are determined based on the size of each entity. The assessment fee for Threat-Led Penetration Testing (TLPT) has been set at €20,000.

According to CySEC, fees were finalized after considering feedback submitted by stakeholders in the Public Consultation Paper CP-01-2025, released earlier this year. The main adjustments include reduced annual fees for very small and small enterprises, as well as a lower assessment fee for TLPT.

For 2025, financial entities under DORA and supervised by CySEC must first declare their category between October 2–31, 2025, and subsequently pay the supervisory fee by December 31, 2025.

Entities are required to inform CySEC of their category, in line with Annex I of Directive 73-2009-07, based on their most recent audited financial statements. Submissions must include extracts showing the number of employees, annual turnover, and total balance sheet value.

Thereafter, entities must pay the annual supervisory fee covering the period from August 15, 2025, to December 31, 2025, calculated proportionally in accordance with Annex I of Directive 73-2009-07. The payment deadline is December 31, 2025.

CySEC President, Dr. George Theocharides, stated: “The DORA Regulation affects National Competent Authorities, including CySEC, in ways that extend beyond supervision. To meet these increasing obligations, adequate funding is necessary. The fees are aligned with DORA’s proportionality criteria, as well as the Ministry of Finance’s objective of reducing CySEC’s reliance on public funding. This will strengthen the independence of CySEC and ensure it continues to effectively safeguard market integrity.”