
EXPLORING THE DIGITAL LANDSCAPE: UNDERSTANDING THE EU DIGITAL OPERATIONAL RESILIENCE ACT (DORA)

The Digital Operational Resilience Act

The financial services sector’s heavy reliance on IT exposes entities to heightened risks of cyberattacks and operational disruptions stemming from intricate system, process, and human factors—risks that will only intensify as technology continues to expand across all facets of the industry. To address these emerging risks, the European Union adopted the Digital Operational Resilience Act (DORA) in January 2023, aiming to enhance the digital operational resilience of information and communication technology (ICT) systems and to protect financial institutions from ICT risks. DORA focuses on the resilience of ICT systems in the financial sector, covering everything from data storage to network security. The regulation will be applicable as from the 17th of January 2025, and all affected entities must meet DORA’s requirements by that date.

Key provisions of DORA

The absence of uniform rules on digital operational resilience across the financial services sector is why DORA applies to almost all financial entities. This includes both traditional financial institutions, such as banks and insurers, and newer financial players, such as crypto-asset service providers and crowdfunding platforms. This broad scope reflects the increasing reliance on technology across the financial services sector, as well as the need for a unified regulatory approach.

More specifically, DORA applies, among others, to:
credit institutions, payment institutions, account information service providers and electronic money institutions;
investment firms, central securities depositories, central counterparties, trading venues, trade repositories and data reporting service providers;
crypto-asset service providers as authorised under MICAR and issuers of asset-referenced tokens;
managers of alternative investment funds and management companies;
insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
crowdfunding service providers;
securitisation repositories;
ICT third-party service providers.

To assist financial entities in enhancing their digital operational resilience, DORA imposes rules and obligations built around the following pillars.

ICT Risk Management and Third-Party Risk

DORA places full responsibility and accountability on the management body of the financial entity to establish and maintain internal governance and control protocols ensuring the effective and prudent management of ICT risk. This pillar covers protection and prevention, detection, and response and recovery for ICT-related incidents. It is important to note that the tools, methods, processes and policies are subject to specific regulatory technical standards to be adopted by the designated European Union authorities. Further, since in practice financial entities rely on third-party service providers for critical ICT services and infrastructures, this pillar mandates a comprehensive approach to managing these third-party risks. This includes due diligence processes and regular assessments, ensuring that any risk deriving from engaging third parties does not compromise the resilience of the financial entity.

Digital Operational Resilience Testing

As part of the ICT risk management framework mentioned above, and with the aim of assessing the readiness of financial entities to handle ICT-related incidents, identifying weaknesses and implementing corrective measures, financial entities must establish and maintain a comprehensive digital operational resilience testing programme, including a range of assessments, tests, methodologies, practices and tools. The testing methodologies may involve vulnerability assessments, scenario-based tests and penetration tests.

ICT-related incidents

This pillar mandates the development of mechanisms for the early detection and management of ICT-related incidents, under which financial entities must establish incident response and recovery plans to quickly address and mitigate the impact of ICT disruptions. This includes requirements for the timely reporting of significant cyber incidents to regulatory authorities, which helps them understand emerging threats.

Information sharing

DORA encourages collaboration and information sharing between financial entities. This pillar promotes the exchange of information on cyber threats, vulnerabilities and incidents in order to enhance the ability of financial entities to prepare for and respond to cyber threats or other technical vulnerabilities that may arise.

Oversight of critical ICT third-party service providers

Recognising the systemic risks posed by the failure of major ICT service providers, this pillar establishes a framework for the regulatory oversight of such entities. It aims to ensure that critical service providers adhere to strict resilience standards, minimising the risk they pose to the financial sector. Oversight mechanisms may include regulatory assessments, audits, and the ability for authorities to intervene directly if necessary.

Why is DORA relevant and important?

Due to their increasing dependence on digital technologies, financial services entities are exposed to cybersecurity threats and operational disruptions. As financial entities move to more sophisticated technology models, the risks associated with system failures, cyberattacks and third-party service provider vulnerabilities become more apparent. DORA therefore represents a critical regulatory development that aims to mitigate these risks by establishing comprehensive, uniform standards for digital operational resilience. DORA is especially important for its provisions on robust risk management practices, including ICT resilience testing, third-party oversight and incident reporting. These measures are designed to safeguard financial institutions against the increasing frequency and severity of cyber incidents and operational disruptions. While DORA's benefits are clear, its implementation may present challenges, particularly for smaller institutions and emerging firms. These entities may struggle with the high costs of compliance, including the need for significant investment in cybersecurity infrastructure and ongoing monitoring efforts. Nevertheless, DORA's implementation represents a necessary evolution in financial regulation, one that aligns with emerging digital threats. By establishing a unified approach to digital resilience, DORA not only mitigates the risk of large-scale disruptions but also establishes a more secure and trustworthy financial ecosystem.

How can Kinanis Law Firm and TDVG assist

A unique combination of business and technology expertise

Bringing together deep business insights with cutting-edge technology know-how, Kinanis LLC and TDVG deliver solutions that drive real impact. This unique blend allows clients to implement tailored, innovative strategies that enhance efficiency, compliance and growth.

Legal services

In anticipation of the implementation date of DORA, being the 17th of January 2025, our company is equipped to provide you with guidance regarding risk management strategies, to support the integration of robust cybersecurity measures and to assist you in navigating this complex regulatory landscape.

Technology services

TDVG, in cooperation with Kinanis LLC, has implemented a robust framework for third-party risk management that incorporates both the “Contracts Management 360” and “Know-Your-Counterparty Pro” applications. This comprehensive solution, delivered on a secure Oracle Cloud platform and governed to ensure security, auditability and compliance, is designed to enhance control and oversight in managing third-party relationships. It provides an end-to-end approach to systematically identify, document and mitigate contractual and counterparty risks. Through this collaboration, TDVG and Kinanis LLC offer an integrated approach to third-party risk management that aligns with regulatory standards and supports operational resilience.

Authors: Savvina Miltiadou and Thrasos Thrasyvoulou
26 November 2024

LISTING ON THE CYPRUS EMERGING COMPANIES MARKET: AN UNDERESTIMATED POTENTIAL?

The Emerging Companies Market (“ECM”) is a recognised unregulated market of the Cyprus Stock Exchange (“CSE”), offering Cyprus and international companies the opportunity to list their shares or bonds. Since its launch, it has evolved from a market primarily focused on small domestic companies into an international market eager to welcome companies from around the world. Certainly, this transition, along with the main benefits of a listing, indicates the promising potential of the ECM to facilitate business growth. Yet it seems that the potential of listing on the ECM has been underestimated or not explored enough, possibly given the size of the market when compared to other European non-regulated markets. Bearing in mind the ever-changing business and political environment, which has been evolving faster than ever in the last few years, the need for regulation and transparency may be the only way forward.

Access to the European Market

The ECM is addressed to companies, whether incorporated in Cyprus or abroad, which seek to float their securities on a recognised secondary market of a European Union Member State, granting access to the rules and safeguards of the European Union. Further, Cyprus is considered a respectable EU jurisdiction, with a modernised and adaptive legal and regulatory framework and with tax incentives for both the listed company and its investors. Therefore, a listing on the ECM provides a significant strategic advantage for listed companies which aim to enhance their EU market presence and attract more investors.

Simplified legal framework and cost effectiveness

Unlike regulated markets, the ECM, as a Multilateral Trading Facility (MTF), operates in accordance with simplified rules and regulations specifically designed to meet the needs of small and medium-sized emerging companies. The simplified legal framework reduces the complexity and the costs of setting up and maintaining the listed company when compared to the regulated market of the CSE or other European jurisdictions. In effect, companies listed on the ECM can operate effectively under a lighter, yet flexible and trustworthy, legal framework.

Transparency

Despite the simplified legal framework, there are significant transparency rules in place, which strengthen the status of the ECM and may attract issuers. It is important to note that the ECM is recognised as a market subject to equivalent international standards which ensure adequate transparency of ownership information; therefore, when it comes to beneficial ownership registries, the same rules apply as for companies listed on the main market.

General Listing Requirements

The general listing requirements apply to both the regulated market and the ECM. Namely:
The issuer should be a properly established and operating public company in the case of listing shares.
The issuer must be authorised to issue the specific securities which it seeks to float, pursuant to the law of the country of its incorporation, the Memorandum and Articles of Association or any other document governing the terms of its incorporation and the relations among its members.
The application for listing refers to all securities of the same class that have already been issued or are expected to be issued, as well as any rights or other financial derivatives that are converted, or entitle the holder to convert, into securities of the same class as the securities to be listed.
The securities proposed for flotation must be fully paid and freely transferable.
Equal treatment must be secured for the beneficiaries of securities of the same category in respect of all rights or obligations related thereto.
The issuer must be prepared and able to deliver its Register to the Central Depository and Registry and to respond to any obligation regarding the undertaking or the future keeping of the Register or Registers of its shareholders.

Special Listing Requirements for ECM

The issuer must be a public company with a satisfactory number of investors (at least 10).
No minimum share capital must be dispersed among the public.
The issuer must have published audited accounts and had normal operations and related activities for at least the two years preceding the application. Newly established companies will be able to be listed if the Cyprus Stock Exchange (CSE) Council judges that potential shareholders are given satisfactory information, from the Nominated Advisor (NOMAD) of the issuer, that would allow them to properly assess the value of the titles.
Throughout the flotation procedure, the issuer must have a Nominated Advisor (NOMAD).
There is no criterion for the minimum market capitalisation an issuer must fulfil or maintain.

The above-mentioned benefits and straightforward listing requirements for listing on the ECM evidently show that the potential of the non-regulated market of the Cyprus Stock Exchange is undervalued, especially in this new era of heavy regulation and transparency. It is the case that investors do turn to more sophisticated and regulated paths for their investments, and in this respect it is time for businesses to explore new opportunities. Our firm, being an approved Nominated Advisor, is equipped to assist you in facilitating the listing of your company on the ECM. Further, we can assist with the preparation and submission of the necessary documents in relation to the listing, the incorporation of a Cyprus public company or the conversion of a private company to a public one, full legal, administrative, management and accounting support for the lifetime of the company, and general regulatory compliance.

For more information, please do not hesitate to contact our Financial Services and Funds Department at [email protected].

Author: Savvina Miltiadou
26 November 2024
Content supplied by KINANIS LLC