The deadline for CySEC's annual risk-based supervision reporting has passed for the 2025 cycle, but the obligations it created remain live enforcement risks for any Cyprus-registered CASP that missed the May 8, 2026 cutoff — or submitted a file that never received a "NO ERROR" confirmation. CySEC Circular C771, Section 1.3 & 1.5 Understanding precisely what C771 required is now a prerequisite both for remediation conversations and for preparing to meet the equivalent obligation next year.
What C771 Is and Why It Was Issued
CySEC Circular C771 was issued on April 3, 2026, pursuant to section 25(1)(c)(ii) and (iii) of the Cyprus Securities and Exchange Commission Law of 2009 (the "CySEC Law"), as amended. Those subsections authorise CySEC to collect information from regulated entities for supervisory purposes. The circular is addressed to all Crypto Asset Services Providers registered with CySEC providing services in or from Cyprus.
The subject of the circular is the Risk-Based Supervision Framework ("RBS-F") and, specifically, the electronic submission of information for the year 2025 using Form RBSF-CASP.
Version 3 of Form RBSF-CASP
CySEC Circular C771, Section 1.1 states that CySEC has issued Version 3 of Form RBSF-CASP. The form is issued on an annual basis. Its stated scope is "the collection of various statistical information," and CySEC will use that information "for the purposes of conducting statistical analysis, risk management and other purposes."
Practitioners should note the specific version language. Section 3.4 instructs CASPs to "always ensure that you have the latest version of the Form, i.e. Version 3." Submitting an earlier version would constitute a failed submission.
On the question of what is new: Section 2 is unambiguous — "No additional information is requested on this version of the Form in relation to version 2 of the Form." Version 3 is structurally identical to Version 2 in its data requirements. The compliance burden for an entity that submitted correctly in the previous cycle is therefore unchanged in scope, though the procedural requirements remain fully in force.
Who Must Submit
The scope of the obligation is broader than it may first appear. CySEC Circular C771, Section 1.2 requires submission by two categories:
First, all CASPs that were authorised by December 31, 2025 must complete and successfully submit the form.
Second, and critically, all CASPs registered with CySEC must submit the form "irrespective of whether they were operational as at 31 December 2025."
This is a point that compliance officers at holding structures or dormant CASPs should flag explicitly. The absence of trading activity or client activity during 2025 does not remove the reporting obligation. The trigger is authorisation status as at December 31, 2025, not operational activity.
The Reporting Period and Reference Date
CySEC Circular C771, Section 3.1 specifies that the form "will be completed only for the reporting period 01/01/2025 to 31/12/2025 and using 31/12/2025 as a reference date." All data in the form must reflect the full calendar year 2025, measured to a single balance-sheet-style reference point at year end.
Section 3.3 adds a practical formatting requirement: CASPs must report data in Euro, rounded to the nearest unit. Currency conversion and rounding methodology should be documented internally before populating the form, to ensure consistency across sections.
The form is available only in English. Section 3.2 confirms this. There is no multilingual version.
The Submission Deadline and TRS Process
CySEC Circular C771, Section 1.3 sets the deadline as Friday, May 8, 2026. Submission must be made electronically via CySEC's Transaction Reporting System ("TRS").
The submission is not complete at the moment of upload. Section 1.4 places on each CASP the responsibility to ensure it has received a feedback file in the Outgoing directory of TRS — an official submission confirmation dispatched by the system itself.
Section 1.5 distinguishes two outcomes from that feedback file:
- A "NO ERROR" indication confirms successful submission.
- An error description in the feedback file means the submission has failed. The CASP must review the form, correct all identified errors, re-sign digitally, and re-submit before the May 8 deadline.
The form is treated as successfully submitted to CySEC only when a NO ERROR feedback file is received within the deadline. The feedback file is dispatched only during CySEC regular hours. A file uploaded shortly before midnight on May 8 may not receive its TRS confirmation until after regular hours, effectively missing the deadline. CASPs should plan to submit with sufficient time for TRS to process and return confirmation.
Pre-Submission Validation
Before signing and submitting, Section 3.6 requires that all validation tests contained in the form show TRUE (Green Color). The sections subject to validation are: A, B, C, D, E, F, G, H, I, J, K, and the Validation Tests Worksheet.
The circular does not describe the specific content of those eleven sections; Section 3.5 directs CASPs to the Instructions Worksheet embedded within the form itself for guidance on completing individual fields. The validation requirement is therefore a precondition to signing: a form with any non-TRUE (non-green) validation test result must not be submitted.
File Naming, Format, and Digital Signature
CySEC Circular C771, Section 4 sets out the technical requirements for creating and submitting the form. All three elements — naming convention, file format, and digital signature — are mandatory.
Digital signature. A digital signature is required for successful submission. The form must be signed before being submitted to TRS.
File naming convention. The file must be named according to the following structure:
Username_yyyymmdd_RBSF-CASP
The three components are:
- Username: the TRS credentials username issued to the CASP by the authorisation department, entered in capital letters.
- yyyymmdd: the end date of the reporting period. For the 2025 cycle, this is 20251231.
- RBSF-CASP: the form coding, inserted exactly as it appears, unchanged.
File format. The form must be Excel 2007 version or later. Excel will add the .xlsx extension automatically upon saving. Section 4 is explicit: "This extension should not be inserted manually, under any circumstances." A manually appended extension may result in a corrupted or unrecognised file.
A correctly named file for the 2025 reporting cycle would therefore follow the pattern: [TRS_USERNAME]_20251231_RBSF-CASP.xlsx, where the .xlsx portion is added by Excel, not typed by the preparer.
Penalty Exposure and the Absence of Reminders
CySEC Circular C771, Section 1.6 addresses enforcement directly. Failure to comply "may bear the administrative penalties of section 37(5) of the CySEC Law."
Section 37(5) of the CySEC Law is the general administrative sanctions provision applicable to regulated entities that fail to comply with CySEC requirements. CySEC did not specify in C771 the precise penalty amounts that might apply in a given case; the determination under section 37(5) is made on the facts.
What C771 does state is procedurally significant: "CySEC will not send any reminders to those CASPs, which fail to comply promptly and duly." There is no grace-period notification, no follow-up email, and no cure window attached to a reminder. The deadline of May 8, 2026 was the operative date, and responsibility for meeting it lay entirely with the CASP.
Support Channels
C771 provided two support channels during the query window, which ran from April 3 to April 30, 2026:
- Questions on completing form fields: riskstatistics.cifs@cysec.gov.cy
- Technical and TRS queries: information.technology@cysec.gov.cy
All email communications were required to include the CASP's full name and TRS coding in the subject line. That query window has now closed for the 2025 cycle.
Signatory
The circular was signed by Dr George Theocharides, Chairman, Cyprus Securities and Exchange Commission.
Every answer carries its citation. Primary sources, not summaries. For CASPs reviewing their C771 compliance position or preparing for future RBS-F cycles, OmniLaw.ai provides direct access to CySEC circulars and Cyprus regulatory source text so your compliance analysis is grounded in the original document, not a paraphrase of it.
FAQ
Q: Does a CASP that was authorised but not operational in 2025 need to submit Form RBSF-CASP?
Yes. CySEC Circular C771, Section 1.2 requires submission by all CASPs registered with CySEC "irrespective of whether they were operational as at 31 December 2025." Dormant or non-operational status provides no exemption. The trigger is authorisation as at December 31, 2025.
Q: What does a successful TRS submission look like under C771?
Submission is successful only when the TRS system returns a feedback file containing a "NO ERROR" indication to the CASP's Outgoing directory. That feedback file is dispatched only during CySEC regular hours. Uploading the file without receiving this confirmation does not constitute successful submission under Section 1.5.
Q: What happens if TRS returns an error file?
The CASP must review the form, correct all identified errors, digitally re-sign the corrected file, and re-submit before the May 8, 2026 deadline. A submission that generates an error file and is not corrected and re-submitted in time is treated as non-compliant.
Q: Is Version 3 of the RBSF-CASP form materially different from Version 2?
No. CySEC Circular C771, Section 2 states that "no additional information is requested on this version of the Form in relation to version 2 of the Form." The procedural and technical requirements remain the same as prior cycles; only the version number and reporting period have changed.
