// DORA

DORA compliance for regulated financial entities in Cyprus, Malta, and Greece.

The Digital Operational Resilience Act entered application on 17 January 2025. CySEC, MFSA, and HCMC are now requesting Register of Information submissions and conducting ICT governance inspections. We build your compliance documentation set from scratch — in a defined scope, at a fixed price.

Book a DORA/NIS2 Readiness Call

Cyprus-based · Senior specialists · Greek + English delivery · Fixed-scope SoW

// SCOPE

Is your firm in scope?

DORA applies to financial entities regulated under EU law. The six most relevant entity types for small and mid-size regulated firms are:

  1. Cyprus Investment Firms (CIFs): licensed under the Investment Services and Activities and Regulated Markets Law (Law 87(I)/2017) and supervised by CySEC.
  2. Payment Institutions: authorised by the Central Bank of Cyprus, MFSA, or Bank of Greece.
  3. Electronic Money Institutions (EMIs): authorised under EMD2 transposition across Cyprus, Malta, or Greece.
  4. Crypto-Asset Service Providers (CASPs): authorised under MiCA (Regulation (EU) 2023/1114).
  5. Alternative Investment Fund Managers (AIFMs): including sub-threshold AIFMs where national legislation brings them into scope.
  6. Insurance intermediaries and small insurers: where supervised by CySEC, MFSA, or the Bank of Greece.

If your authorisation falls under any of these categories, DORA compliance obligations are active now. The principle of proportionality applies — microenterprises benefit from a simplified ICT risk management framework under DORA Article 16, but you must still produce and submit a Register of Information.

// DELIVERABLES

The DORA compliance deliverables.

Register of Information (RoI)

A structured, regulator-ready CSV export of all your ICT third-party service providers, their functions, contract details, subcontractors, and criticality assessment. Formatted to the ESA Reporting Technical Package standard. Ready for direct submission to CySEC, MFSA, or HCMC.

ICT Risk Management Framework

A documented framework covering identification, protection, detection, response, and recovery across your ICT environment. Written to the standard required by DORA Article 6, proportionate to your entity size, and formatted for board approval and regulatory review.

Incident Reporting Procedures

Classification criteria, notification timelines, and reporting templates aligned to the DORA incident reporting requirements: initial notification (24 hours), intermediate report (72 hours), and final report (one month). Ready for submission to your competent authority.

Third-Party Register & Vendor Assessments

A structured register of all ICT service providers — cloud providers, SaaS platforms, managed services, and critical outsourcing arrangements — with due diligence documentation and contract compliance checklists aligned to DORA Article 28.

Digital Resilience Testing Coordination

For entities required to conduct resilience testing: we scope and coordinate basic testing programmes (vulnerability assessments, scenario-based testing). Advanced threat-led penetration testing (TLPT) is available under our Full Framework tier.

// TIERS

Service tiers.

All engagements use fixed-scope Statements of Work. Pricing is confirmed in writing before any work begins.

Tier 1 — Quick-Start Assessment

Duration: 2 weeks · Scope: Fixed

For: Firms that need to understand their DORA position before committing to a full build. Ideal if your compliance deadline has passed or you have received a regulatory query.

  • Gap analysis against DORA's five pillars
  • Current-state ICT assessment
  • Written report with prioritised remediation list
  • Fixed-price proposal for Full Build

Tier 2 — RoI Build

Duration: 4–6 weeks · Scope: Fixed

For: Firms whose immediate obligation is the Register of Information submission to their competent authority.

  • Complete, validated Register of Information (ESA-compliant format)
  • ICT third-party inventory and criticality mapping
  • Regulatory submission support (CySEC portal, MFSA LH Portal, or HCMC process)
  • Supporting ICT policy documentation

Tier 3 — Full Framework Build

Duration: 6–8 weeks · Scope: Fixed

For: Firms that need a complete, auditable DORA compliance posture — all five pillars documented and evidenced.

  • All Tier 2 deliverables
  • Full ICT risk management framework (Article 6)
  • Incident classification, reporting and escalation procedures
  • Business continuity and ICT recovery plan
  • Third-party due diligence (Article 28)
  • Resilience testing scope
  • Board governance summary
  • ICT security programme review

// TIMELINE

What 6 weeks looks like.

Week 1: Kick-off · ICT asset inventory · third-party provider data collection
Week 2: Gap analysis finalisation · RoI data build · framework drafting begins
Weeks 3–4: ICT risk management framework drafting · incident procedure development
Week 5: Documentation review · board-level summary · client review and sign-off
Week 6: Final documentation package · regulatory submission support · handover

// PROCESS

How we work.

Discovery (before contract)

A 20-minute structured call to confirm your entity type, regulatory perimeter, and immediate filing obligations. We will tell you honestly whether you need a Quick-Start or a Full Build.

Statement of Work

A written, fixed-scope document with defined deliverables, timelines, and a single fixed fee. Signed before any work begins.

Named lead

One senior specialist is assigned to your engagement. You communicate with the person doing the work.

Documentation review

All documents are reviewed by a second specialist before delivery. You receive a final version and a tracked-changes draft, so you can see every decision made.

Regulatory submission support

Where your competent authority requires portal submission (CySEC portal, MFSA LH Portal), we prepare the submission-ready files and walk your team through the process.

Handover

All source files are provided to you. Nothing is locked in a proprietary system. You own the documentation.

// FAQ

DORA — frequently asked questions.

We already have some cybersecurity policies in place. Do we need to start again?

No. We begin by mapping what you have against what DORA requires. Most small regulated entities have partial coverage — good cybersecurity practices, but gaps in ICT risk governance documentation, third-party registers, or incident reporting procedures. We fill the gaps, we do not discard what works.

Our firm is small. Does DORA's proportionality principle help us?

Yes, meaningfully. DORA Article 16 provides a simplified ICT risk management framework for smaller entities, including sub-threshold investment firms, payment institutions, and small non-life insurance undertakings. However, the Register of Information obligation applies to all in-scope entities regardless of size. We scope your engagement to your actual proportionality category.

CySEC has already written to us about the Register of Information. What do we do?

Contact us immediately. The RoI Build tier was designed for exactly this situation. We can prepare and validate a submission-ready Register of Information within two weeks of engagement start.

What happens after the Full Build is complete?

Your documentation is live and regulator-ready. For ongoing compliance — annual RoI updates, regulatory change monitoring, management reporting — we offer a DORA Governance Retainer on a monthly basis. This is optional; the Full Build is self-contained.

Start with a 20-minute call.

Tell us your entity type and your regulator. We will confirm your DORA scope, your most urgent obligations, and what a realistic compliance timeline looks like. No obligation to proceed.