CySEC Circular C763, issued on 23 March 2026, mandates that all regulated entities authorized by 31 December 2025 must complete and electronically submit a new Sectoral Risk Assessment (SRA) Form. This requirement is a critical step in maintaining regulatory compliance in Cyprus, and failure to meet the Friday, 17 April 2026 deadline could result in significant regulatory breaches.
This post breaks down everything compliance officers, AML officers, and management need to action immediately.
CySEC Circular: What Is the CySEC SRA Form and Why Does It Exist?
The SRA Form is a structured self-assessment tool through which CySEC collects data to build a sector-wide picture of the AML/CFT control environment across Cyprus’s financial services industry. This is not a routine reporting exercise , it feeds directly into CySEC’s own Sectoral Risk Assessment, informing supervisory priorities, enforcement focus, and future regulatory guidance.
The circular is issued pursuant to Section 25(1)(c)(ii) & (iii) of the Cyprus Securities and Exchange Commission Law of 2009, as amended, and is signed by CySEC Chairman Dr George Theocharides.
Who Is Obliged to Submit?
Any entity authorised by CySEC by 31 December 2025 must submit — even if the authorisation was never operationally used. The following twelve categories of regulated entities are in scope:
- Cyprus Investment Firms (CIFs)
- EU Investment Firm Branches in Cyprus (CBRs)
- Administrative Service Providers (ASPs)
- Alternative Investment Fund Managers (AIFMs)
- Internally Managed Alternative Investment Funds
- Internally Managed AIFs with Limited Number of Persons (AIFLNPs)
- Companies with sole purpose of managing AIFLNPs
- Small AIFMs
- UCITS Management Companies
- Internally Managed UCITS
- Crypto-Asset Service Providers (CASPs)
- Crowdfunding Service Providers (CSPs)
Dual-Authorisation Entities: A Critical Rule
Entities holding more than one authorisation must submit a separate SRA Form for each authorisation. For example, a firm holding both a CIF and a CASP licence must file two distinct Forms , one under the “CIFs & CBRs” sector and one under the “CASPs” sector. The single exception is a CIF authorised to perform AIF management functions, which files only one Form under the “CIFs & CBRs” sector.
CySEC Circular: What the SRA Form Covers
The Form is divided into two core sections:
Section A — General Information captures mandatory identifiers including:
- Reporting period: 01/01/2025 – 31/12/2025
- Submission date (actual date of filing)
- Entity name exactly as it appears on the CySEC authorisation
- TRS Identification Code assigned by CySEC
- Entity type and sector (selected from drop-down lists)
- File name in the prescribed naming convention
Section B — AML/CFT Controls Assessment requires entities to score their AML/CFT control environment across 14 questions, each rated on a scale of 1 to 10, where 10 represents the highest level of effectiveness. Where a question does not apply, “N/A” must be selected.
File Naming Convention – Get It Right
Incorrect file naming is a common technical error that will result in a rejected submission. The required format is:
TRS username_yyyymmdd_SRA-[SECTOR CODE]
Where yyyymmdd is the reference date, i.e., 20251231 for this cycle. Sector codes are as follows:
The file must be saved as an Excel 2007+ (.xlsx) file — do not manually type the .xlsx extension, as Excel will add it automatically.
Submission Process and Confirmation
Submission is via CySEC’s Transaction Reporting System (TRS). After uploading the digitally signed Form, entities must actively verify receipt of a feedback file in their TRS Outgoing directory. The submission is only considered complete when the feedback file contains a “NO ERROR” indication. If errors are flagged, the entity must correct and re-submit before the deadline — note that feedback files are only dispatched during CySEC’s regular operating hours.
Before submitting, ensure the Validation Test at the bottom of the Form and in the Validation Tests Worksheet shows TRUE (Green).
Key Dates at a Glance
Date Action Required
CySEC Circular: Where to Direct Queries
CySEC has set strict communication channels:
- Completion queries (field-by-field questions): Email risk.statistics@cysec.gov.cy — written queries only, submitted before 8 April 2026
- Technical/digital signature queries: Email information.technology@cysec.gov.cy or visit the CySEC website
- All emails must include the entity’s full name and TRS coding in the subject line
Where can I find the official circular?
You can access the full text and technical annexes via the CySEC Official Website or the European Securities and Markets Authority (ESMA).
The Compliance Officer’s Action Checklist
With less than three weeks until the deadline, here is what your team should be doing now:
- Confirm authorisation status — verify your entity was authorised by 31 December 2025
- Identify all authorisations held — determine how many separate Forms are required
- Retrieve your TRS credentials — if not previously registered, request access from CySEC immediately
- Download the new SRA — Form from CySEC’s website (the old form is no longer applicable)
- Complete Section A with exact entity details matching your authorisation
- Score all 14 AML/CFT control questions in Section B honestly and accurately
- Apply the correct file naming convention before digital signing
- Submit via TRS and confirm the NO ERROR feedback file is received before 17 April 2026
- Retain the feedback file as evidence of successful submission
For firms navigating these changes, our team offers specialized internal audit services
and AML compliance support
to ensure your “report card” to the regulator remains exemplary. We also assist with AIF/AIFM setups to ensure all reporting structures are robust from day one.
Why This Matters Beyond a Tick-Box Exercise
CySEC’s Sectoral Risk Assessment is not a passive data collection exercise. The results directly shape how the regulator allocates its supervisory resources, which sectors face enhanced scrutiny, and what thematic reviews or on-site inspections follow. Entities that submit accurate, well-considered responses effectively participate in shaping a fair and proportionate regulatory environment. Those that submit incorrectly, late, or not at all, signal to CySEC that their AML/CFT governance may warrant closer attention.
The SRA Form is, in effect, your entity’s AML/CFT report card to the regulator — treat it accordingly.
CX Financia provides regulatory compliance intelligence and advisory support to licensed financial services firms in Cyprus and the EU. For assistance with your SRA Form submission or AML/CFT compliance framework, contact our team.
Disclaimer: This blog post is for informational purposes only and does not constitute legal or regulatory advice. Regulated entities should refer directly to CySEC Circular C763 and consult qualified compliance professionals for guidance specific to their circumstances.