Skip to content
World Watch/Cyprus/Cybersecurity

Cybersecurity ยท Cyprus

Cybersecurity law in Cyprus: NIS2 compliance (2026)

Comprehensive lawNetwork and Information Systems Security (Amendment) Law of 2025, Law 60(I)/2025 (amending Law 89(I)/2020); supervised by the Digital Security Authority (DSA) and CSIRT-CY under EU NIS2 Directive 2022/2555Country index 96 ยท A+

Cyprus shaded by its cybersecurity status

Cybersecurity in Cyprus: comprehensive law, anchored by Network and Information Systems Security (Amendment) Law of 2025, Law 60(I)/2025 (amending Law 89(I)/2020); supervised by the Digital Security Authority (DSA) and CSIRT-CY under EU NIS2 Directive 2022/2555.

Cyprus transposed the EU NIS2 Directive into national law via Law 60(I)/2025, published 25 April 2025, extending mandatory cybersecurity risk-management and incident-reporting obligations to a significantly wider set of essential and important entities across 18 sectors. The Digital Security Authority (DSA) and the National CSIRT (CSIRT-CY) jointly serve as the competent authorities for implementation and enforcement. The European Commission issued a reasoned opinion on 7 May 2025 for incomplete transposition notification, indicating outstanding implementing measures remain pending.

NIS2 & cybersecurity law in Cyprus

In Cyprus, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.

Framework
the NIS2 Directive (EU) 2022/2555, transposed into national law
Approach
cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
Applies to
medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
Incident reporting
an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
Maximum fine
up to โ‚ฌ10 million or 2% of global annual turnover for essential entities
Oversight
the national competent authority and CSIRT designated under NIS2

NIS2 is a directive, so Cyprus implements it through national law; exact scope and deadlines can vary slightly by transposition.

NIS2 in Cyprus: FAQ

Does NIS2 apply in Cyprus?

Yes. As an EU member, Cyprus has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.

Who must comply with NIS2 in Cyprus?

Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.

What are the NIS2 incident-reporting deadlines in Cyprus?

An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.

What are the penalties under NIS2 in Cyprus?

Up to โ‚ฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.

Key points

Transposing legislation

Law 60(I)/2025 (Security of Networks and Information Systems (Amendment) Law of 2025), enacted 10 April 2025 and in force from 25 April 2025, aligns Cyprus national law with EU NIS2 Directive 2022/2555; it amends the baseline Law 89(I)/2020.

Competent authorities

The Digital Security Authority (DSA) is the national NIS supervisory and regulatory body; the National CSIRT (CSIRT-CY), embedded within the DSA, handles incident management, coordination and response for critical infrastructure operators. The DSA was also designated as Cyprus's AI Act Market Surveillance Authority in January 2025.

Scope expansion

The law categorises covered entities as 'essential' or 'important' based on a size-cap rule (medium and large enterprises in Annex I/II sectors: energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, public administration, space, etc.). Approximately ten times more organisations are in scope compared to NIS1, which covered only 70 entities; size criteria are waived for trust service providers, cloud services and data centres.

Incident reporting duties

Entities must submit an early warning to DSA/CSIRT-CY within 6 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month. Significant incidents are those causing or capable of causing severe operational disruption or financial loss.

Penalties

Administrative fines for essential entities can reach โ‚ฌ10 million or 2% of total global annual turnover (whichever is higher); for important entities the cap is โ‚ฌ7 million or 1.4% of global annual turnover. Management bodies can be held personally liable for persistent non-compliance.

GDPR data-breach overlay

Separate from NIS2, Cyprus's Commissioner for Personal Data Protection enforces GDPR (Regulation 2016/679) breach notification: personal-data breaches must be notified to the Commissioner within 72 hours and to affected individuals without undue delay where high risk arises. Both regimes apply concurrently for incidents involving personal data.

Timeline - major decisions & events

May 7, 2025enforcementofficial
European Commission Issues Reasoned Opinion Against Cyprus for NIS2 Non-Transposition

The Commission escalated infringement proceedings against Cyprus and 18 other Member States for failing to fully notify transposition of the NIS2 Directive; Cyprus faces referral to the EU Court of Justice if it does not comply within two months, even though it had already enacted its implementing law weeks earlier.

European Commission โ€“ Digital Strategy โ†—
Apr 25, 2025lawofficial
Cyprus Enacts NIS2 Transposing Law 60(I)/2025

The Network and Information Systems Security (Amendment) Law of 2025, Law 60(I)/2025, entered into force, transposing EU Directive 2022/2555 (NIS2) and expanding cybersecurity obligations to a broader set of 'essential' and 'important' entities, with administrative fines up to โ‚ฌ10 million or 2% of global annual turnover.

European Commission โ€“ Digital Strategy โ†—
Mar 20, 2025decision
Cyprus Allocates โ‚ฌ8.5 Million to Strengthen National Cybersecurity

The Cypriot government approved an โ‚ฌ8.5 million cybersecurity investment to upgrade defences for public infrastructure, following a documented 45% rise in attempted network breaches between 2023 and 2024 and recurring attacks on critical infrastructure.

Cyprus Mail โ†—
Oct 1, 2024incident
Wave of Cyberattacks Hits Cyprus Critical Infrastructure

A series of coordinated cyber attacks targeted Cyprus government websites, public utilities, and private businesses, with six significant incidents recorded in a short window; eleven critical infrastructure operators subsequently received emergency cyber-defence upgrades, and the Digital Security Authority briefed parliament on heightened geopolitical threat levels.

Industrial Cyber โ†—
Dec 1, 2022incident
Cyberattack Targets Cyprus Ministry of Defence

A targeted intrusion into Ministry of Defence systems sought to exfiltrate sensitive documents and compromise military infrastructure, becoming one of the most serious state-sector cyber incidents in Cyprus's modern history and highlighting gaps in government network defences.

Fast Forward Cyprus โ†—
Aug 12, 2020law
Cyprus Fully Transposes NIS Directive: Law 89(I)/2020 Enters Force

Law 89(I)/2020 replaced the interim 2018 NIS legislation and completed Cyprus's full transposition of EU NIS Directive 2016/1148, granting the Digital Security Authority comprehensive supervisory powers over operators of essential services, digital service providers, and electronic communications providers, with fines up to โ‚ฌ200,000.

Antoniou McCollum & Co. โ†—
Jan 1, 2020guidanceofficial
Cyprus National Cybersecurity Strategy 2020 Published

The Digital Security Authority published Cyprus's second National Cybersecurity Strategy, revising the 2013 framework with updated priorities around protecting critical information infrastructure, strengthening CSIRT-CY capabilities, and positioning Cyprus as a regional cybersecurity leader.

Digital Security Authority (DSA) โ€“ Cyprus โ†—
Jul 31, 2018lawofficial
Cyprus Enacts National GDPR Implementing Law 125(I)/2018

Law 125(I)/2018 supplemented the EU General Data Protection Regulation in the Cypriot legal order, established the independent Commissioner for Personal Data Protection as the national supervisory authority, and repealed the prior 2001 data protection law, setting the privacy-security interface that governs incident reporting involving personal data.

Commissioner for Personal Data Protection โ€“ Cyprus โ†—
Jan 1, 2018lawofficial
Digital Security Authority Established by Law 17(I)/2018

Law 17(I)/2018 created the Digital Security Authority (DSA) as Cyprus's national competent authority and single point of contact for NIS Directive implementation, consolidating cybersecurity governance previously fragmented across the electronic communications regulator, and formally incorporating the national CSIRT (CSIRT-CY).

Digital Security Authority (DSA) โ€“ Cyprus โ†—

Cyprus - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’