Why this dispatch exists
Brokerage Atlas Phase 2 closed with Chapter XIV (brokerage hosting): 14 chapters covering the founding canon of the brokerage tech stack, with 140 reviewed vendors. The audience question that defined Phase 2 was “which vendors should I evaluate in each category?” The audience question that defines what comes next is “given my jurisdiction, what is the actual integrated stack I should buy?”
This dispatch synthesises the corpus for a single operator profile: a CySEC-regulated CFD broker building or refreshing its tech stack in 2026. Cyprus is the largest single regulated CFD broker market inside the EU and the deepest jurisdiction in our Phase 1 coverage (alt-WL platforms and KYC/AML were both Cyprus-anchored). Future dispatches will clone the template for DMCC/UAE, hybrid prop firm operators, and crypto exchange WL operators under MiCAR.
The dispatch covers: what makes Cyprus procurement different, the 14 chapters mapped to a CySEC operator stack in dependency order, three archetype stacks (lean startup, mid-market, tier-1), and the three procurement mistakes Cyprus operators make most often.
What makes Cyprus procurement different
CySEC procurement is shaped by four constraints, some shared with other jurisdictions and some not:
EU data residency under GDPR and MiFID II. All client identification, transaction, and conduct data must reside in an EU member state or in a jurisdiction with an adequacy decision. This is a hard constraint on hosting, KYC/AML, CRM database location, and comms surveillance. UK adequacy is currently valid post-Brexit; US transfers require Standard Contractual Clauses and Schrems II diligence; Hong Kong, Cayman, and similar offshore jurisdictions require Article 46 transfer mechanisms that most CySEC compliance teams treat as procurement disqualifiers.
The August 2025 CySEC sanctions regime and the EU AMLR July 2027 transition. Cyprus has been the most active EU sanctions jurisdiction since 2022. CySEC has issued more enforcement actions per regulated entity than any other EU national regulator. The KYC/AML stack must be calibrated for ongoing PEP and sanctions screening, not just onboarding-time identity verification. The EU AMLR (Anti-Money Laundering Regulation) transition window through July 2027 means procurement decisions made in 2026 must be forward-compatible with the new harmonised framework.
MiFID II / MiFIR transaction reporting obligations. Every CySEC-regulated broker submits transaction reports under MiFIR Article 26 to an ARM (Approved Reporting Mechanism). ESMA’s 2023 review found roughly 30% of MiFIR reports contained errors. This makes transaction reporting a two-decision procurement: the primary ARM vendor plus the accuracy-testing layer.
Cypriot operating reality. Most CySEC operators are smaller than equivalent FCA-regulated firms but have a wider product mix (CFD plus crypto-asset services plus copy trading plus IB networks). The procurement decision is therefore as much about vendor bundling as about vendor quality: an operator with 30 employees cannot maintain 12 separate vendor relationships, even if best-of-breed would marginally outperform a bundled suite.
The 14 chapters mapped to a CySEC CFD broker stack
Foundation: what you decide first
Chapter XIV - Brokerage hosting and VPS infrastructure. Decide this first because every other layer inherits its data residency, latency, and DR posture. For a CySEC broker, the relevant decisions are: where the broker’s own MT4/MT5/cTrader server cluster lives, what low-latency network connects to liquidity providers, and what VPS partner to recommend to retail clients running EAs.
For CySEC data residency, the credible institutional paths are Beeks Group at FR2 (Frankfurt, EU-resident), Equinix FR2 direct, or Pulsant for UK-onshore with explicit EU broker carveouts (only if the CySEC operator’s data governance allows post-Brexit UK adequacy reliance). For client-VPS partnerships, ForexVPS.net carries the largest broker integration list (40+) and a public partnership program. FXVM is PARTIAL FIT for CySEC operators specifically because the Hong Kong operating entity creates a GDPR Article 46 SCC requirement that most Cyprus compliance teams treat as procurement-disqualifying for a retail-facing partnership.
Trading layer: your platform and execution
Chapter II - Alternative white-label platforms. Phase 1 chapter, Cyprus-anchored. The 10 reviewed alt-WL platforms cover non-MetaTrader options for operators wanting a differentiated client experience or a multi-asset venue beyond the MT4/MT5 default. Most CySEC operators run MT4/MT5 plus one alt-WL (cTrader, Match-Trader, Sirix, or TradingView-powered). The decision is shaped by client segment: pure CFD operators stay on MetaTrader; multi-asset or institutional-leaning operators add cTrader or a TradingView integration.
Chapter VIII - Liquidity providers. LP procurement is where CySEC operators frequently underspend. The LP decision shapes execution quality, spread competitiveness, and ultimately client retention. A CySEC operator running pure A-book or hybrid A-book/B-book needs at least two LPs for redundancy and price improvement. The Phase 2 corpus covers tier-1 prime broker LP arrangements through to mid-market PoP and crypto-asset liquidity.
Chapter IX - Risk management. Hybrid A-book/B-book execution requires explicit pre-trade and post-trade controls. CySEC operators are subject to ESMA negative-balance protection requirements, mandatory leverage caps for retail clients (1:30 majors, 1:20 minors, 1:10 commodities, 1:5 stocks/CFDs, 1:2 crypto-CFDs for retail), and CySEC’s specific guidance on B-book disclosure to clients. The risk management stack must enforce these limits programmatically.
Compliance layer: the supervisory stack
Chapter III - KYC / AML for brokers. Phase 1 chapter, Cyprus-anchored to the August 2025 CySEC sanctions regime and the EU AMLR July 2027 transition. Onboarding-time identity verification plus ongoing PEP/sanctions screening. Most CySEC operators run a primary KYC vendor (for onboarding flow) plus a secondary screening vendor (for ongoing monitoring) plus a manual case-management layer for ambiguous cases.
Chapter XIII - RegTech and compliance reporting. Three sub-decisions:
- Trade surveillance (MAR / MAD II): Nasdaq SMARTS is the gold standard with 25+ regulator deployments and the deepest historical pattern library; tier-1 CySEC operators should evaluate it directly. Eventus Validus is the modern challenger for mid-market with AI/ML augmentation and stronger crypto coverage. NICE Actimize Xceed is the integrated enterprise option but rarely matches mid-market CySEC budget envelopes.
- Transaction reporting (MiFIR Article 26): Cappitech is the default delegated reporting choice for CFD brokers - now part of S&P Global Market Intelligence, 650+ firm client base, multi-regulator coverage. MarketAxess Trax is regulated as ARM and APA but heavily fixed-income oriented. Kaizen Reporting is the accuracy-testing layer on top - the ESMA 2023 review showing 30% MiFIR error rates is the reason this is a separate procurement.
- Comms surveillance (FCA SYSC 10A / MiFID II Article 16): Behavox for modern AI-driven coverage including off-channel mobile and collaboration platforms. Smarsh for incumbent archiving with the broadest channel coverage (Gartner MQ Leader 2025).
Operations layer: where the business runs
Chapter IV - Broker CRMs. The CRM is the operational backbone: client cabinet, deposit/withdrawal flow, KYC handoff, IB tracking, support ticketing. Most CySEC operators standardise on B2Core, Leverate LXSuite, Match-Trader CRM, or a Brokeree Traders Room build. The decision interacts with platform choice (Chapter II): operators running Match-Trader natively almost always use Match-Trader CRM for the integration tightness.
Chapter VI - Payments. Cyprus brokers face an unusually wide PSP procurement decision because retail client geographies span EU SEPA, MENA card rails, LATAM local rails, crypto rails, and bank-transfer fallbacks. Most operators run 4-6 PSPs in parallel for geographic coverage and redundancy. The decision is shaped by the broker’s marketing geography rather than by CySEC requirements specifically.
Chapter VII - IB management. Channel sales infrastructure is undervalued in early-stage CySEC operators. IB networks contribute disproportionately to FTD (first-time deposit) volumes for new operators. The IB management decision interacts with CRM choice (most platforms have native IB modules but third-party specialists offer deeper attribution, multi-tier hierarchies, and CPA/revshare hybrid models).
Chapter V - Turnkey suites. The alternative procurement path. Instead of integrating Chapters II + IV + VI + VII + VIII separately, operators can buy a turnkey suite from B2Broker, Leverate, Match-Trade, Soft-FX, or Quadcode that bundles platform + CRM + liquidity + payments + IB. This is the right call for lean startup operators with limited engineering capacity and the wrong call for mid-market operators that have outgrown the bundled product’s customisation envelope.
Retention layer: where lifetime value grows
Chapter XI - Broker analytics and market signals. Trader-facing widgets (Trading Central, Autochartist, FXStreet) extend account life by giving clients structured market context. Engagement analytics (Solitics, Myfxbook integration) close the loop between trading behaviour and retention campaigns. Most CySEC operators run 2-4 analytics products in parallel.
Chapter XII - Copy and social trading. Retention infrastructure that converts losing-retail-trader churn into copy-network account extension. CySEC operators have specific procurement options: cTrader Copy is the strongest native option (STRONG PICK) with published Spotware Store pricing and tier-1 CySEC reference deployments. Brokeree Social Trader is the plugin route for MT4/MT5/cTrader operators wanting cross-broker functionality. DupliTrade is the only directly CySEC-regulated independent network in the chapter; ZuluTrade is HCMC-regulated from Athens with 80+ broker integrations. FXJunction is LIMITED for CySEC procurement specifically because its Comoros registration carries no recognised financial services authorisation.
Vertical-specific layers (optional)
Chapter I - Prop firm technology. Optional. Only relevant if the CySEC operator runs a prop firm vertical alongside its brokerage. Prop firm tech procurement is qualitatively different from broker procurement because the legal model is challenge-based education rather than CFD trading. Phase 1 chapter, DMCC/UAE-anchored.
Chapter X - Crypto exchange white-label. Optional. Relevant for CySEC operators registered as CASPs (Crypto-Asset Service Providers) under MiCAR. The Cyprus CASP registration window opened in 2024; operators registered as CASPs need a separate crypto trading venue distinct from the CFD platform.
Three archetype stacks for CySEC operators
Minimum viable CySEC CFD broker stack
For operators with 1-5,000 active accounts, sub-$10M AUM, lean engineering team. Optimise for: time to market, single-vendor accountability, total stack cost under $300k/year.
- Hosting: Beeks Proximity Cloud at FR2 (managed colo, EU-resident, single contract).
- Trading platform: MT4/MT5 server cluster managed by Beeks; one alt-WL added in Year 2 (cTrader or Match-Trader).
- Liquidity: Two tier-2 LPs for redundancy (turnkey vendor will recommend their preferred partners).
- CRM + IB + payments + KYC: Turnkey bundle from B2Broker (B2Core CRM + B2BinPay + B2Prime liquidity + integrated IB) OR Leverate (LXSuite CRM + Sirix optional second platform + integrated PSP partnerships). Single vendor accountability.
- Risk management: Bundled with the turnkey stack at minimum viable scope.
- KYC/AML: Phase 1 KYC vendor selection for primary onboarding; bundled sanctions screening; manual case management.
- RegTech: Cappitech for delegated MiFIR reporting (the default for CFD brokers). No standalone trade surveillance at this scale - rely on platform-bundled alert layers for the first 18 months.
- Comms surveillance: Smarsh for email and chat archiving (MiFID II Article 16 record-keeping).
- Analytics + copy trading + crypto WL: Deferred to Year 2. Solitics or Trading Central for entry-level engagement once active account count justifies the per-seat costs.
Total estimated annual stack cost: $180,000 to $300,000 depending on volume tier.
Mid-market CySEC CFD broker stack
For operators with 5,000-25,000 active accounts, $10-50M AUM, dedicated tech and compliance teams. Optimise for: differentiated client experience, customisation envelope beyond turnkey limits, multi-vendor redundancy.
- Hosting: Direct Equinix FR2 colo plus Beeks managed compute for non-latency-critical workloads. Cross-connect to two tier-1 LPs.
- Trading platform: MT4/MT5 plus cTrader plus optionally a Match-Trader deployment for crypto-CFD vertical.
- Liquidity: Two tier-1 LPs (one prime broker, one PoP), plus crypto-asset liquidity provider if MiCAR-registered.
- CRM: Standalone CRM (B2Core OR Match-Trader CRM if running Match-Trader platform) - the customisation envelope justifies the unbundling.
- Payments: 4-6 PSPs in parallel for geographic coverage. PSP procurement decoupled from CRM.
- IB management: Specialist IB platform layered on top of CRM (deeper attribution, multi-tier hierarchies).
- Risk management: Specialist risk-aggregation platform plus pre-trade controls plugin on MT4/MT5.
- KYC/AML: Primary KYC vendor for onboarding plus secondary continuous monitoring vendor plus manual case management team.
- RegTech: Cappitech for MiFIR reporting plus Kaizen Reporting for accuracy testing (defensive procurement) plus Eventus Validus for trade surveillance (modern challenger fits mid-market budget). Behavox for comms surveillance covering email plus mobile plus Microsoft Teams.
- Analytics: Trading Central plus Autochartist for trader-facing widgets plus Solitics for engagement analytics. Three products in parallel.
- Copy trading: cTrader Copy native if running cTrader; Brokeree Social Trader plugin if MT4/MT5-only.
- Crypto exchange WL: B2BX or Soft-FX if MiCAR-registered.
Total estimated annual stack cost: $1.2M to $2.8M.
Tier-1 CySEC CFD broker stack
For operators with 25,000+ active accounts, $50M+ AUM, in-house engineering and compliance, multi-jurisdiction authorisations beyond Cyprus. Optimise for: best-of-breed across every layer, vendor accountability via SLAs, public-company vendor preference for financial stability.
- Hosting: Direct Equinix at multiple IBXs (FR2 plus LD4 plus NY4 plus TY3 for institutional cross-region capability). Avelacom or Lucera for the low-latency network layer between IBXs.
- Trading platform: MT4/MT5 plus cTrader plus proprietary or partially-licensed alt-WL plus institutional execution platform.
- Liquidity: 5-8 LP relationships including tier-1 prime brokers (Goldman, Morgan Stanley, Citi) plus multiple PoPs plus crypto-asset liquidity for CASP operations.
- CRM: Best-of-breed standalone CRM, often partially-customised on top of B2Core or Match-Trader CRM, with in-house engineering filling gaps.
- Payments: 6-10 PSPs plus direct bank-acquirer relationships for high-volume corridors.
- IB management: Specialist IB platform with in-house attribution analytics layered on top.
- Risk management: Specialist risk-aggregation platform plus institutional pre-trade controls plus quant-built post-trade analytics layer.
- KYC/AML: Tier-1 KYC vendor for onboarding plus dedicated screening vendor plus continuous monitoring vendor plus in-house compliance ops team plus periodic third-party audit.
- RegTech: Nasdaq SMARTS for trade surveillance (the regulator-grade standard worth the spend at tier-1 scale) plus Cappitech plus Kaizen Reporting plus Behavox for comms plus CUBE or Corlytics for regulatory horizon scanning.
- Analytics: Multi-vendor stack including trader-facing widgets plus institutional data feeds (Acuity, Newsquawk) plus proprietary analytics.
- Copy trading: Native cTrader Copy plus Brokeree plug-in for MT4/MT5 cross-broker depth plus possibly a sponsored ZuluTrade or DupliTrade partnership for network access.
- Crypto exchange WL: B2BX or Soft-FX or institutional crypto-native platform (ChainUp, AlphaPoint) if running a separate CASP venue.
- Prop firm vertical: Separate Phase 1 procurement under DMCC, VARA, or CySEC if the operator runs a prop firm alongside the brokerage.
Total estimated annual stack cost: $6M to $20M+ depending on volume tier and proprietary platform investment.
Three procurement mistakes Cyprus operators make most often
Mistake 1: Buying a turnkey suite at mid-market scale. Turnkey suites are sized for lean startup operators (1-5,000 accounts). At mid-market scale, the customisation envelope is the binding constraint - the bundled CRM cannot integrate with the operator’s preferred KYC vendor, the bundled PSP relationships do not cover the operator’s marketing geographies, the bundled IB module lacks the attribution depth the channel sales team needs. The result is a turnkey suite plus shadow tools plus integration debt. Mid-market operators should procure CRM, payments, IB management, and risk management separately rather than under a turnkey umbrella, even if the unbundled total cost is 30-50% higher.
Mistake 2: Underinvesting in transaction reporting accuracy. The default CySEC procurement is “Cappitech handles MiFIR reporting.” Operators stop there and treat transaction reporting as a solved problem. The ESMA 2023 review found roughly 30% of MiFIR reports contain errors. CySEC has issued enforcement actions specifically for transaction reporting accuracy. Kaizen Reporting exists as a separate procurement precisely because the primary reporting vendor is not accountable for the broker’s own data quality. Mid-market and tier-1 CySEC operators should budget for both layers.
Mistake 3: Treating comms surveillance as email-only. FCA enforcement since 2022 has focused on off-channel comms - WhatsApp, Signal, personal email, mobile messaging. CySEC has begun parallel inquiries. A comms surveillance vendor that only covers Outlook plus Bloomberg Terminal misses the actual conduct risk surface. Operators should evaluate Behavox or Smarsh specifically on their mobile and collaboration platform coverage (Microsoft Teams, Slack, WhatsApp Business), not on their email archiving features. The procurement question is “what channels can you capture and retain?” not “what is your surveillance accuracy rate?”
What Phase 3 covers next
Phase 2 produced the founding canon: 14 chapters, 140 reviewed vendors, vendor-neutral procurement reference for any regulated broker. Phase 3 makes that corpus operationally useful by adding jurisdiction-specific synthesis (this dispatch is the first), per-archetype stack guidance (CFD broker covered above; prop firm operator and crypto exchange WL operator to follow), vendor refresh cycles for the chapters most exposed to M&A activity (broker analytics, KYC/AML, RegTech), and selected category re-audits where the vendor landscape has shifted materially since the original Phase 2 research.
The next dispatch in this series will cover the DMCC and VARA-regulated broker stack synthesis for UAE-domiciled operators. After that: hybrid prop firm plus broker operators under the dual-licensing model that has become common in the UAE and Cyprus. After that: CASP and crypto exchange WL operators under MiCAR.
If you operate a CySEC-regulated broker and the synthesis above does not match your actual stack reality, that is the editorial signal we are looking for. The corpus improves through ground-truth from operators.