When a licensed firm undergoes a capital adequacy assessment, the starting point is its prior year financials. Actual revenue, actual costs, actual capital position. The numbers are there, and the assessment is grounded in reality.

A new CIF has none of that. There are no prior year financials, no audited accounts, no track record of income or expenditure. CySEC's capital adequacy assessment for a firm in its first year of operation is based entirely on projections. And those projections come from one place: the business plan.

This is the third and final reason why the business plan is the most consequential document in the entire licensing process, and why it should have existed as a genuine planning tool long before the application was assembled.

What capital adequacy actually requires

Under the Investment Firms Regulation (EU) 2019/2033 , transposed into Cyprus law by Law 165(I)/2021 , a CIF must hold own funds equal to the higher of three measures: its permanent minimum capital requirement (€75,000, €150,000 or €750,000 depending on the investment services the firm is authorised to provide), its fixed overhead requirement, or its K-factor requirement. For firms that do not deal on own account , the majority of CIF applicants , the K-factor requirement is typically modest. The fixed overhead requirement, however, is directly derived from operating costs and applies equally across all capital tiers.

Cyprus CIF Statutory Capital Tiers , Law 165(I)/2021 & EU IFR 2019/2033
€75,000
Investment advice, portfolio management, and/or reception and transmission of orders , where the firm does not hold client money or financial instruments. The entry-level tier for advisory and asset management businesses operating without custody.
€150,000
Firms that hold client money or financial instruments on behalf of clients, or that provide execution of orders on a broader basis , but do not deal on own account and do not underwrite financial instruments.
€750,000
Firms authorised to deal on own account, underwrite financial instruments on a firm commitment basis, or place financial instruments on a firm commitment basis.

The fixed overhead requirement (FOR) is calculated as one quarter of the firm's total annual fixed expenditure from the preceding year. For a new firm with no preceding year, CySEC applies the projected fixed expenditure from the business plan.

Under IFR Article 11, an investment firm's own funds requirement is the highest of three figures: the permanent minimum capital requirement (the €75,000, €150,000 or €750,000 statutory tier), the FOR, and the K-factor requirement. The FOR does not add to the statutory minimum, it competes with it. To illustrate: a €75,000-tier firm projecting €240,000 of qualifying fixed expenditure faces an FOR of €60,000. The FOR sits below the €75,000 permanent minimum, so the binding floor remains €75,000. The same comparison runs at the €150,000 and €750,000 tiers, where larger projected cost bases more frequently push the FOR above the statutory minimum and make it the binding constraint. The expense architecture of the business plan therefore directly determines whether the FOR or the statutory minimum sets the capital floor, and the gap between them.

The expense architecture problem

This is where precision in the business plan pays dividends that most applicants do not anticipate.

The "fixed expenditure" that feeds the FOR is not simply the firm's total cost line. The calculation runs through total expenditure and applies a defined set of deductions specified in Commission Delegated Regulation (EU) 2022/1455. Discretionary bonuses, employee and director profit-shares to the extent variable, fees and brokerage paid to introducers and tied agents, certain fees and charges paid to central counterparties where passed through to clients, non-recurring expenses arising from non-ordinary activities, and tax expenditure all come out before the 25% factor is applied. The result is that a firm with a thoughtful cost structure (variable, contingent and one-off items genuinely identified as such) presents a smaller fixed-overhead base and a smaller FOR than a firm that has bundled everything into a single cost line.

This is not an invitation to misclassify costs. CySEC's authorisation team understands the deductions framework, and a business plan that implausibly categorises staff base salary or rent as variable will invite scrutiny. But within the deductions list set out in the Delegated Regulation, there is genuine room for precision. Performance-linked remuneration, project-based professional fees, and one-off setup costs are legitimately treated as deductions where they meet the criteria, and identifying them as such in the plan is both accurate and appropriate.

The firms that enter the capital adequacy assessment with a well-structured expense breakdown, one that has been built bottom-up, stress-tested, and categorised correctly, face fewer questions and require less capital than firms that have assembled their cost projections loosely.

The balance the business plan must strike

The ideal Year 1 business plan for a CIF applicant holds two things in tension simultaneously: it must be realistic enough to be credible to CySEC, and disciplined enough on the cost side to avoid generating a capital requirement larger than the business genuinely needs.

Realism means the revenue projections are grounded in an actual client pipeline, not aspirational assumptions. It means the headcount reflects the genuine operational needs of the firm, not the minimum required to satisfy the governance checklist. It means the plan can be defended in a conversation with a CySEC examiner who has read hundreds of business plans and knows what a credible one looks like.

Discipline on the cost side means that every line item has been interrogated. It means setup costs have been separated from running costs. It means outsourced functions have been costed accurately, with the understanding that they may eventually need to move in-house as the firm grows. It means the plan reflects what the business actually needs to operate well, not what it might spend if budget were no constraint.

That balance is not difficult to achieve. It requires the same rigour that any well-run business would apply to its financial planning, which returns to the central point of this series. A business plan built to run a business will naturally strike that balance. A business plan built to satisfy a regulator rarely will.

Closing the series

Across these three articles, the same observation has surfaced in different forms. The capital requirement is determined by the business plan. The governance obligations are determined by the business plan. The capital adequacy assessment is determined by the business plan. In each case, the firms that approach the process most successfully are the ones for whom the business plan already existed, as a genuine expression of how they intended to build and run a regulated investment firm, before the licensing process began.

CySEC's requirements are rigorous, but they are not arbitrary. They are designed to ensure that only firms capable of operating responsibly receive authorisation. A firm that has done the planning work already will find that the licensing process largely confirms what it already knows about itself. A firm that has not will find that it reveals what it should have known before it started.

The licence is the beginning. The planning is what comes first.