Updated May 2026
A DORA ICT risk officer in Cyprus earns €55,000–€85,000 gross per year in 2026, with 13th-month included and a strong bonus ladder. Since the EU Digital Operational Resilience Act became enforceable on 17 January 2025, every Cyprus CIF, bank and crypto-asset service provider must now staff a named ICT risk function, maintain a third-party ICT register and run an incident-reporting framework — and that compliance push is generating roughly 280 net new cybersecurity and IT-audit hires across the island through Q2 2026.
Key Takeaways
- An ICT risk officer at a Cyprus CIF or bank earns €55,000–€85,000 gross in 2026, with 13th-month and a 10–20% bonus ladder.
- DORA has been enforceable since 17 January 2025; Cyprus CIFs and banks must show a complete framework at their next CySEC or CBC supervisory review in 2026.
- The compliance push is creating roughly 280 net new cybersecurity and IT-audit roles across the island — split between the two Tier 1 banks and the larger Limassol CIFs.
- CISA, CISM or ISO 27001 Lead Auditor is now the de-facto credential floor for senior seats; a non-financial cyber background is acceptable if paired with one of those certifications.
- Hybrid (2–3 days remote) is standard; fully remote is rare — CySEC inspections require a physical presence in Cyprus.
What DORA actually requires — and why CIFs are hiring
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) applies to virtually every regulated financial entity in the EU: credit institutions, investment firms, payment institutions, e-money issuers, crypto-asset service providers, fund managers and insurance undertakings. In Cyprus that captures all 220 active CySEC-regulated CIFs, the four licensed banks, the credit-acquiring institutions, and the growing cohort of MiCA-licensed CASPs. Each entity now has to demonstrate five things: a board-approved ICT risk framework, a named ICT risk officer, a complete register of third-party ICT providers, a documented incident-classification and reporting process, and threat-led penetration testing (TLPT) for the larger players.
The 2025 dry-run was light-touch — CySEC issued guidance circulars and asked for self-assessments. The 2026 cycle is harder: full thematic inspections, fines for missing or incomplete frameworks, and a public list of significant ICT-related incidents reported under Article 19. For most Cyprus CIFs that meant building an ICT risk function essentially from scratch, because the pre-DORA compliance structure typically folded ICT oversight into the MLRO or COO role. The hiring wave that started in late 2025 is the direct consequence.
Salary by role, 2026
The figures below are gross annual base for permanent seats at Cyprus CIFs and the two Tier 1 banks, excluding bonus. Bonus typically adds 10–20% at senior level, 5–10% at junior. The 13th-month column reflects standard market practice — the Tier 1 banks pay it across all permanent staff, and most established CIFs match it.
| Role | Base salary band (gross €/yr) | 13th month |
|---|---|---|
| Junior IT auditor (0–2 yrs) | €26,000–€34,000 | Yes (banks & most CIFs) |
| Senior IT auditor (4–7 yrs) | €42,000–€58,000 | Yes |
| ICT risk officer (DORA named function) | €55,000–€85,000 | Yes |
| CISO / Head of Information Security | €78,000–€135,000 | Yes (banks); negotiable at CIFs |
| Third-party (ICT vendor) risk lead | €48,000–€68,000 | Yes |
| Incident response lead (CSIRT) | €52,000–€78,000 | Yes |
The premium at the CIFs over the banks is real at the senior end: a CISO seat at a top-five Limassol broker now pays €110,000–€135,000 base, against €95,000–€115,000 at Bank of Cyprus or Hellenic. The trade-off is the same as for every CIF seat — smaller, less stable platforms with materially higher pace. Candidates moving from AML and compliance roles are the second-largest feeder pool after Big Four IT audit, particularly for the ICT risk officer and third-party risk lead seats.
Insider note: Of the ~280 net new DORA-driven hires identified across the island for the year to Q2 2026, our tracking puts roughly 60 at Bank of Cyprus, 35 at Hellenic Bank, and the remaining ~185 split across the top 40 Limassol CIFs — averaging 4–5 hires per firm. The CIF concentration is the headline: 80% of the new seats sit at investment firms, not banks, because CySEC-regulated CIFs are starting from a much lower ICT-governance baseline than the two systemic banks.
What CySEC auditors actually look for in 2026
The CySEC thematic inspection template circulated to CIFs in February 2026 has eight focus areas, but four of them are doing the heavy lifting in practice. First, the register of contractual arrangements for third-party ICT providers — auditors expect a complete, board-signed register covering every cloud provider, SaaS vendor, MT5/MT4 platform host, payment gateway and trade-reporting vendor, with criticality classification. Second, the incident-classification policy with documented severity thresholds and a tested escalation chain to CySEC under Article 19. Third, evidence of scenario-based digital operational resilience testing at least annually. Fourth, board minutes showing the ICT risk officer reports directly to the board (not buried under the COO).
The 2026 inspection round so far has produced a consistent pattern of findings at smaller CIFs: third-party registers exist but are missing the criticality grading, incident policies exist but have never been tested end-to-end, and ICT risk officers exist on the org chart but report into operations rather than to the board. None of those gaps requires a re-engineering of the business — they require a competent ICT risk officer plus six months of project work. Hence the hiring.
The career path from non-financial cyber into a CIF
The Limassol CIFs are unusually open to candidates moving in from non-financial cybersecurity roles — telecoms, MSPs, government CERT, even gaming. The reason is simple: the local financial-services cyber talent pool is too small to fill the gap on its own. The pattern that works is a candidate with 4–7 years of hands-on infosec experience plus one of CISA, CISM, CRISC or ISO 27001 Lead Auditor, joining as a senior IT auditor or third-party risk lead and then being promoted to ICT risk officer within 18–24 months. For interview prep, the 2026 Cyprus banking interview prep guide covers the regulatory-knowledge questions that CISOs and audit partners now lead with. The DORA text itself is the single best prep document; the consolidated regulation is freely available on EUR-Lex, and the Cyprus implementing circulars sit on the CySEC website.
Where to look for live roles
The bulk of DORA-driven seats are listed directly on company career pages and on a handful of specialist tech-and-finance recruiters in Limassol. The broader Cyprus finance and banking jobs market overview tracks the rolling vacancy count by employer. Big Four practices (PwC, Deloitte, KPMG, EY) are also hiring aggressively for their DORA-advisory teams — those roles pay slightly below in-house at senior level but offer faster exposure across multiple CIFs in a 12–18 month window, which is often the cleanest path into a head-of-function seat afterwards.
Frequently asked questions
Do I need ISO 27001 or CISA to get a DORA role in Cyprus?
For senior seats — ICT risk officer, CISO, incident response lead — at least one of CISA, CISM, CRISC, CISSP or ISO 27001 Lead Auditor is now expected. Most job specs list two as preferred. For junior IT auditor and third-party risk analyst roles, the certifications are nice-to-have rather than mandatory in the first 12 months; employers will fund the exam under their training budget.
Can I move from a non-financial cybersecurity role into a Cyprus CIF?
Yes, and the Limassol CIFs are actively recruiting from telecoms, MSPs, government CERT and gaming. The path that works in 2026 is 4–7 years of hands-on infosec plus a single financial-services-recognised certification (CISA or ISO 27001 Lead Auditor are the most portable). Expect to enter as a senior IT auditor or third-party risk lead and promote into ICT risk officer within 18–24 months.
Is remote work allowed for DORA roles in Cyprus?
Hybrid working (2–3 days remote) is standard at both the banks and the larger CIFs. Fully remote roles are rare for DORA-specific seats because CySEC and CBC supervisory inspections require physical document review, board interaction and on-site evidence. The few fully remote postings are typically Big Four advisory or pure penetration-testing roles, not in-house ICT risk officer positions.
When do Cyprus CIFs need to be fully DORA-compliant?
DORA has been legally enforceable since 17 January 2025. The 2025 supervisory cycle was largely focused on guidance and self-assessment; the 2026 cycle is the first one with full thematic inspections, public reporting of significant incidents and the prospect of formal sanctions. In practice, every Cyprus CIF and bank should expect to have a complete framework demonstrable at its next routine CySEC or CBC supervisory review during 2026.
What do CySEC auditors look for first?
The CySEC 2026 inspection template focuses on four things in practice: a complete register of third-party ICT providers with criticality grading; a documented incident-classification policy with tested escalation to CySEC under Article 19; annual scenario-based digital operational resilience testing; and board minutes showing the ICT risk officer reports to the board rather than into operations.
How much does an ICT risk officer earn at a Cyprus CIF?
An ICT risk officer at a Cyprus CIF or bank earns €55,000–€85,000 gross base in 2026, with the 13th-month payment included and a typical bonus ladder of 10–20%. The senior end of the band — €75,000–€85,000 — is achievable in year one for candidates moving across from a comparable seat at a Big Four advisory practice or a larger EU bank.