Cybersecurity ยท Cyprus
Cybersecurity law in Cyprus: NIS2 compliance (2026)
Cyprus shaded by its cybersecurity status
Cybersecurity in Cyprus: comprehensive law, anchored by Network and Information Systems Security (Amendment) Law of 2025, Law 60(I)/2025 (amending Law 89(I)/2020); supervised by the Digital Security Authority (DSA) and CSIRT-CY under EU NIS2 Directive 2022/2555.
Cyprus transposed the EU NIS2 Directive into national law via Law 60(I)/2025, published 25 April 2025, extending mandatory cybersecurity risk-management and incident-reporting obligations to a significantly wider set of essential and important entities across 18 sectors. The Digital Security Authority (DSA) and the National CSIRT (CSIRT-CY) jointly serve as the competent authorities for implementation and enforcement. The European Commission issued a reasoned opinion on 7 May 2025 for incomplete transposition notification, indicating outstanding implementing measures remain pending.
NIS2 & cybersecurity law in Cyprus
In Cyprus, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to โฌ10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Cyprus implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Cyprus: FAQ
Yes. As an EU member, Cyprus has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to โฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
Law 60(I)/2025 (Security of Networks and Information Systems (Amendment) Law of 2025), enacted 10 April 2025 and in force from 25 April 2025, aligns Cyprus national law with EU NIS2 Directive 2022/2555; it amends the baseline Law 89(I)/2020.
The Digital Security Authority (DSA) is the national NIS supervisory and regulatory body; the National CSIRT (CSIRT-CY), embedded within the DSA, handles incident management, coordination and response for critical infrastructure operators. The DSA was also designated as Cyprus's AI Act Market Surveillance Authority in January 2025.
The law categorises covered entities as 'essential' or 'important' based on a size-cap rule (medium and large enterprises in Annex I/II sectors: energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, public administration, space, etc.). Approximately ten times more organisations are in scope compared to NIS1, which covered only 70 entities; size criteria are waived for trust service providers, cloud services and data centres.
Entities must submit an early warning to DSA/CSIRT-CY within 6 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month. Significant incidents are those causing or capable of causing severe operational disruption or financial loss.
Administrative fines for essential entities can reach โฌ10 million or 2% of total global annual turnover (whichever is higher); for important entities the cap is โฌ7 million or 1.4% of global annual turnover. Management bodies can be held personally liable for persistent non-compliance.
Separate from NIS2, Cyprus's Commissioner for Personal Data Protection enforces GDPR (Regulation 2016/679) breach notification: personal-data breaches must be notified to the Commissioner within 72 hours and to affected individuals without undue delay where high risk arises. Both regimes apply concurrently for incidents involving personal data.
Timeline - major decisions & events
The Commission escalated infringement proceedings against Cyprus and 18 other Member States for failing to fully notify transposition of the NIS2 Directive; Cyprus faces referral to the EU Court of Justice if it does not comply within two months, even though it had already enacted its implementing law weeks earlier.
European Commission โ Digital Strategy โThe Network and Information Systems Security (Amendment) Law of 2025, Law 60(I)/2025, entered into force, transposing EU Directive 2022/2555 (NIS2) and expanding cybersecurity obligations to a broader set of 'essential' and 'important' entities, with administrative fines up to โฌ10 million or 2% of global annual turnover.
European Commission โ Digital Strategy โThe Cypriot government approved an โฌ8.5 million cybersecurity investment to upgrade defences for public infrastructure, following a documented 45% rise in attempted network breaches between 2023 and 2024 and recurring attacks on critical infrastructure.
Cyprus Mail โA series of coordinated cyber attacks targeted Cyprus government websites, public utilities, and private businesses, with six significant incidents recorded in a short window; eleven critical infrastructure operators subsequently received emergency cyber-defence upgrades, and the Digital Security Authority briefed parliament on heightened geopolitical threat levels.
Industrial Cyber โA targeted intrusion into Ministry of Defence systems sought to exfiltrate sensitive documents and compromise military infrastructure, becoming one of the most serious state-sector cyber incidents in Cyprus's modern history and highlighting gaps in government network defences.
Fast Forward Cyprus โLaw 89(I)/2020 replaced the interim 2018 NIS legislation and completed Cyprus's full transposition of EU NIS Directive 2016/1148, granting the Digital Security Authority comprehensive supervisory powers over operators of essential services, digital service providers, and electronic communications providers, with fines up to โฌ200,000.
Antoniou McCollum & Co. โThe Digital Security Authority published Cyprus's second National Cybersecurity Strategy, revising the 2013 framework with updated priorities around protecting critical information infrastructure, strengthening CSIRT-CY capabilities, and positioning Cyprus as a regional cybersecurity leader.
Digital Security Authority (DSA) โ Cyprus โLaw 125(I)/2018 supplemented the EU General Data Protection Regulation in the Cypriot legal order, established the independent Commissioner for Personal Data Protection as the national supervisory authority, and repealed the prior 2001 data protection law, setting the privacy-security interface that governs incident reporting involving personal data.
Commissioner for Personal Data Protection โ Cyprus โLaw 17(I)/2018 created the Digital Security Authority (DSA) as Cyprus's national competent authority and single point of contact for NIS Directive implementation, consolidating cybersecurity governance previously fragmented across the electronic communications regulator, and formally incorporating the national CSIRT (CSIRT-CY).
Digital Security Authority (DSA) โ Cyprus โCyprus - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ