•
•
CySEC Website Requirements for Forex Brokers: Approved Domains, Required Pages and What to Prepare Before Your CIF Application
For CySEC-regulated brokers, the website is not the last step before launch. It is part of the licensing infrastructure — reviewed by the regulator, checked by liquidity providers, and verified by every banking partner in the chain.
This article is for informational purposes only and does not constitute legal or compliance advice. Website requirements may change as CySEC updates its regulatory framework. Brokers should consult qualified legal and compliance professionals for jurisdiction-specific guidance. WSA builds websites — we do not provide licence applications or legal counsel.
Key Takeaways
1. CySEC maintains a public List of Approved Domains for every regulated CIF. Your domain becomes part of the public record.
Your website is not a marketing afterthought. Regulators, banks, liquidity providers and payment processors review it during due diligence — before you can trade.
MiFID II website obligations are specific: risk warnings with firm-specific loss percentages, PRIIPs KIDs, fee transparency, client categorisation disclosures.
A pre-licence website needs careful scoping. Publishing the wrong claims before approval can delay or jeopardise your application.
CySEC Circular C703 (April 2025) explicitly reminded regulated firms that websites must be "fair, clear, non-misleading" and regularly updated.
Why Your Website Is Part of the CySEC Licensing Process
Most founders building a forex brokerage treat the website as the final step — something to worry about after the licence is approved. This is a misunderstanding of how the process actually works.
When a company applies for a Cyprus Investment Firm (CIF) licence, CySEC evaluates the overall operational readiness of the applicant. This includes the business plan, organisational structure, compliance framework, capital adequacy — and the client-facing infrastructure. The website sits at the centre of that client-facing infrastructure.
Once authorised, every CIF's official domain is published on CySEC's public register. The regulator maintains a List of Approved Domains — a publicly accessible database linking each regulated firm to its authorised website addresses. CySEC also publishes a separate List of Non-Approved Domains, flagging websites that are not operated by authorised entities.
This system exists for investor protection. It means that the domain you choose, the pages you publish, and the disclosures you display become part of your regulated identity — not just a branding exercise.
Beyond CySEC itself, every counterparty in the brokerage supply chain also reviews the website:
Counterparty | What They Check on Your Website |
|---|---|
CySEC | Domain ownership, risk disclosures, fee transparency, legal entity details, client categorisation, marketing claims |
Banking partner | Legal identity, licence visibility, AML/KYC policy, complaints procedure, overall trust signals |
Liquidity provider | Regulatory status, product scope, entity structure, jurisdiction disclosures, operational credibility |
Payment processor | Legal pages, risk warnings, refund/withdrawal policy, SSL certificate, contact information |
If any of these parties find a website that looks incomplete, misleading, or lacking mandatory disclosures, the onboarding process stalls. A poor website does not just affect conversion — it can delay your entire launch by weeks or months.
CySEC Approved Domains: What They Are and Why They Matter
The List of Approved Domains is one of CySEC's investor protection tools. It is a public register, available on the CySEC website, that maps every authorised CIF to its official website domain(s).
For founders, this has several practical implications:
Domain registration timing
Your domain should be registered and structurally ready before you complete the licensing process. CySEC will need to know which domain(s) will be associated with your CIF. Waiting until after authorisation to think about your domain strategy creates unnecessary delays.
Multiple domains
Some CIFs operate multiple brands or regional sites. Each domain used for client-facing activity needs to be approved and listed. Unapproved domains operating under the CIF's umbrella are a compliance risk.
Non-approved domain warnings
CySEC regularly publishes warnings about unauthorised websites. In recent announcements, the regulator has flagged dozens of domains that falsely claim CySEC regulation or impersonate regulated firms. If your website is not on the approved list, potential clients and partners may treat it with suspicion — or avoid it entirely.
Practical takeaway: Register your domain early. Plan your domain architecture (primary site, regional variants, trading platform subdomains) as part of your licensing preparation, not after. Your compliance officer and legal counsel should be aware of every domain the business intends to use.
What Pages a CySEC Broker Website Must Include
The specific pages required on a CIF broker website are driven by MiFID II, ESMA intervention measures, and CySEC's own supervisory expectations. In April 2025, CySEC Circular C703 explicitly reminded regulated firms that websites must be maintained, transparent, accurate, and regularly updated.
Here is the page structure a CySEC-regulated broker should plan for:
Page | Status | What It Must Include |
|---|---|---|
Risk Disclosure | Required | Firm-specific CFD loss percentage (ESMA format). Updated annually. Visible on all product pages. |
Terms & Conditions | Required | Client agreement covering account opening, trading, deposits, withdrawals, disputes. |
AML/KYC Policy | Required | Anti-Money Laundering and Know Your Customer procedures per EU AML directives. |
Privacy Policy | Required | GDPR-compliant data collection, processing, and storage practices. |
Complaints Procedure | Required | How clients can file complaints. Reference to Financial Ombudsman and ICF. |
Client Categorisation | Required | Retail vs professional client status, rights, and protections under MiFID II. |
Trading Conditions & Fees | Required | Spreads, commissions, swap rates, margin requirements. Transparent and comparable. |
PRIIPs KIDs | Required | Key Information Documents accessible before any transaction. |
Company / About | Required | Legal entity name, CySEC licence number, registered address, contact details. |
ICF Disclosure | Required | Investor Compensation Fund membership. Coverage limit (currently €20,000). |
Order Execution Policy | Recommended | Best execution policy under MiFID II. |
Conflicts of Interest | Recommended | How the firm identifies and manages conflicts. |
For a detailed breakdown of how these pages differ across CySEC, FCA, and ASIC jurisdictions, see our Broker Website Compliance Checklist for 2026.
Risk Warnings, Fee Disclosures and MiFID II Website Obligations
CySEC operates under the MiFID II framework and enforces ESMA's intervention measures on CFDs. For broker websites, this translates into specific, non-negotiable obligations.
Risk warnings
Every CySEC-regulated broker offering CFDs must display a firm-specific loss percentage — the proportion of retail investor accounts that lose money when trading CFDs with that firm. This figure must be calculated from real client data and updated at least annually, in line with ESMA's Q&A on CFD intervention measures.
The warning must appear prominently on relevant pages — not only in the footer or in a separate legal document. CySEC expects it to be visible at the point where a client makes a decision, not buried where it requires deliberate effort to find.
Fee transparency
Under MiFID II cost disclosure requirements, brokers must present all costs and charges clearly, including spreads, commissions, overnight financing, and any other fees. The information must be provided in a format that allows comparison — not hidden in ranges without context.
If your website states "spreads from 0.0 pips," CySEC may check whether this reflects typical trading conditions or whether it is an edge case presented as a standard. The principle is simple: marketing claims must match the reality documented in your fee schedule.
Content standards
CySEC expects all website content to be "fair, clear and not misleading" — language drawn directly from MiFID II. This applies to every page, including the homepage, product descriptions, promotional banners, and landing pages used in paid advertising campaigns.
CySEC Circular C703, released in April 2025, explicitly reminded regulated entities that websites must be regularly reviewed and updated. The circular emphasised that firms remain responsible for third-party websites operating under their brand — including affiliate sites and white-label partner pages.
Building a website for a CySEC CIF application?
We build licensing-ready websites with the structure, legal-page architecture and disclosures that regulators, banks and LPs expect.
Pre-Licence Website vs Post-Licence Website: What You Can Publish Before Approval
One of the most common questions from founders in the licensing process: should we build a full website before we have the licence, or wait?
The answer is nuanced and depends on your jurisdiction, your legal counsel's guidance, and how close you are to authorisation. Here are the general principles:
What you can typically publish pre-licence
A corporate-style website that introduces the company, its vision, the team, and the types of services it intends to offer — without making specific product claims or inviting clients to open accounts. Think of it as a credibility layer that regulators, banking partners, and potential employees can review.
This pre-licence site should include the domain you plan to register with CySEC, basic legal pages (privacy policy, cookie notice), company information, and contact details. It should clearly state that the company is in the process of obtaining regulatory authorisation and is not yet offering investment services.
What you should avoid pre-licence
Do not publish trading conditions, account type comparisons, deposit/withdrawal pages, or anything that could be interpreted as soliciting clients before authorisation. Do not display a licence number you do not yet have. Do not use language suggesting the firm is regulated when it is not.
A pre-licence website that reads like a live brokerage creates risk — both regulatory and reputational. CySEC, or the banking partners reviewing your application, may view it as an attempt to operate before authorisation.
WSA approach: We work with pre-licence brokers to build a compliant website in stages. The first stage is a corporate presence suitable for the application process. The second stage — product pages, compliance pages, onboarding flows, trading platform integration — is prepared in parallel and deployed immediately upon authorisation, so there is no launch delay.
For a deeper comparison of landing page vs full website strategies, see our article on fintech landing page vs full brokerage website.
What Liquidity Providers and Banks Check Before Onboarding
Your website is not only reviewed by CySEC. Every counterparty in the brokerage ecosystem conducts their own due diligence — and the website is often the first thing they check.
Liquidity providers evaluate whether your website accurately represents your regulatory status, product scope, and operational credibility. A website with missing risk disclosures, inconsistent entity information or no visible licence number will raise flags — and may result in a slower onboarding process or outright rejection.
Banking partners — particularly those providing segregated client fund accounts — apply their own compliance standards. They check for AML/KYC policy visibility, complaints procedures, and whether the overall website presents a legitimate, well-governed financial institution.
Payment processors look for clear refund and withdrawal policies, visible legal identity, SSL certification, and risk warnings. A payment provider that services regulated brokers will not onboard a firm whose website does not meet basic trust and compliance thresholds.
The practical consequence: a website that looks unfinished, inconsistent, or non-compliant creates friction with every partner in the chain. This is why the website should be built in coordination with the licensing process, not as a last-minute addition.
Common Website Mistakes That Delay CIF Applications
Based on our experience building websites for regulated brokers, these are the issues we see most often:
1. Missing or inconsistent entity information
The company name on the homepage does not match the entity registered with CySEC. Or the licence number appears in the footer of one page but is absent from others. Regulators and banking partners cross-reference these details — inconsistencies trigger additional questions.
2. Risk warnings treated as decoration
A small, grey-on-white disclaimer at the very bottom of the page does not meet CySEC's expectations. Risk warnings need to be prominent, accurate, and visible where investment decisions are made — not only on the legal page.
3. Aggressive marketing claims
"Start trading and earn money today." "Zero risk with our platform." "Guaranteed returns." These statements violate the "fair, clear and not misleading" standard and can trigger supervisory action. CySEC has been increasingly proactive about scanning broker websites for exactly this type of language.
4. No complaints procedure
CySEC requires regulated firms to have a visible and accessible complaints handling process. Many pre-launch websites omit this entirely, creating a gap that needs to be addressed before the site can be considered compliant.
5. Legal pages published as afterthoughts
Terms and conditions copied from a template, privacy policies that reference the wrong jurisdiction, AML policies that describe generic procedures rather than the firm's actual processes. Regulators read these pages. Banking partners read these pages. If they look generic, they undermine the credibility of the entire application.
6. Multi-language inconsistencies
Offering the website in multiple languages but only translating product pages — not legal pages or risk disclosures — creates compliance gaps. If you serve clients in a language, your disclosures must be available in that language.
Frequently Asked Questions
Do I need a website before applying for a CySEC CIF licence?
CySEC evaluates overall operational readiness as part of the licensing process. While a fully live trading website is not required at the point of application, having a structured domain with corporate information, legal pages and a clear site architecture demonstrates preparedness. CySEC maintains a public List of Approved Domains for every regulated CIF, so your domain setup should be planned early. Consult your legal counsel for the specific requirements at the time of your application.
What are CySEC approved domains?
The List of Approved Domains is a public register on the CySEC website that maps every authorised Cyprus Investment Firm to its official website domain(s). CySEC also publishes a List of Non-Approved Domains — websites that are not operated by regulated entities. This system allows investors and partners to verify whether a broker's website is legitimate.
Can a broker apply for a CySEC licence with only a landing page?
A minimal corporate page is possible during the application phase, but it needs to be carefully scoped. It should introduce the company, provide contact information, include basic legal pages, and clearly state that the firm is not yet authorised to offer investment services. Publishing trading conditions, account registration, or anything that solicits clients before authorisation can create regulatory risk.
What pages should a CySEC-regulated broker website include?
At minimum: risk disclosure (with firm-specific CFD loss percentage), terms and conditions, AML/KYC policy, privacy policy, complaints procedure, client categorisation information, trading conditions and fees, PRIIPs KIDs, ICF disclosure, and company information with the CySEC licence number. Additional pages like order execution policy and conflicts of interest policy are strongly recommended.
What website pages do liquidity providers and payment processors check?
Liquidity providers typically check regulatory status, product scope, entity structure and jurisdiction disclosures. Payment processors focus on legal identity, risk warnings, refund/withdrawal policy, SSL certification and contact information. Banking partners review AML/KYC policy, complaints procedures and overall operational credibility. A website missing any of these elements can slow down or prevent counterparty onboarding.
What should a pre-licence broker avoid saying on its website?
Avoid any language suggesting the firm is already regulated, any invitation to open accounts or deposit funds, specific trading conditions (spreads, leverage), performance claims, and any display of a licence number you do not yet hold. The website should clearly state that the company is in the process of obtaining authorisation.
Whether you’re launching something new or improving an existing platform, we’re ready to discuss your goals and explore the best way forward.
