Read the CySEC Circular C786
Memo #36-2026
CySEC Circular No: C786
Date: 17/06/2026
Subject: Frontier Artificial Intelligence Models and Cybersecurity Risks under the Digital Operational Resilience Act (DORA)
Purpose: To draw the attention of the Regulated Entities to the increasing cybersecurity risks associated with the emergence of frontier AI models.
In Summary:
CySEC issued Circular C786 on 17/06/2026 to draw the attention of Cyprus Investment Firms ('CIFs'), Central Securities Depositories, Trading Venues, Crypto-Asset Providers (CASPs), Alternative Investment Fund Managers ('AIFMs') and UCITS Management Companies ('UCITS') to the increasing cybersecurity risks associated with the emergence of frontier Artificial Intelligence ('AI') models capable of identifying and exploiting software vulnerabilities at unprecedented speed and scale.
According to Circular C786, recent developments in advanced AI systems have highlighted both the potential benefits of such technologies for defensive cybersecurity purposes and the heightened risks arising from their possible malicious use. These developments may significantly accelerate vulnerability discovery and exploitation cycles and increase the sophistication, frequency, and scale of cyber-attacks targeting financial entities and their ICT third-party service providers.
CySEC reminds all Regulated Entities falling within the scope of Regulation (EU) 2022/2554 on Digital Operational Resilience for the financial sector (DORA) that they are obliged to maintain robust ICT risk management frameworks capable of addressing evolving cyber-threats, including those arising from emerging AI technologies.
CySEC notes that it expects such Regulated Entities, proportionate to their size, nature, scale and complexity, to assess whether their existing ICT risk management arrangements remain adequate and, where necessary, to strengthen relevant controls and processes.
Circular C786 also sets out areas that Regulated Entities are encouraged to consider. These areas include:
• Identification and vulnerability management.
• Protection and prevention.
• Detection capabilities.
• Response and recovery.
• Governance and continuous improvement.
CySEC also reminds the Regulated Entities of specific requirements under DORA. These are referred to in Circular C786.
CySEC urges the Regulated Entities to remain vigilant and to take proactive measures to ensure that their digital operational resilience frameworks continue to evolve in line with the changing cyber risk environment. CySEC states that it will continue to monitor developments relating to frontier AI technologies and that it may engage with Regulated Entities, where appropriate, regarding their level of preparedness, governance arrangements, and implementation of relevant ICT risk mitigation measures.
