Cybersecurity regulation in Cyprus (2026)
Cyprus transposed the EU NIS2 Directive into national law via Law 60(I)/2025, published 25 April 2025, extending mandatory cybersecurity risk-management and incident-reporting obligations to a significantly wider set of essential and important entities across 18 sectors. The Digital Security Authority (DSA) and the National CSIRT (CSIRT-CY) jointly serve as the competent authorities for implementation and enforcement. The European Commission issued a reasoned opinion on 7 May 2025 for incomplete notification of transposition, indicating that implementing measures remain pending.
Key points
Law 60(I)/2025 (Security of Networks and Information Systems (Amendment) Law of 2025), enacted 10 April 2025 and in force from 25 April 2025, aligns Cyprus national law with EU NIS2 Directive 2022/2555; it amends the baseline Law 89(I)/2020.
The Digital Security Authority (DSA) is the national NIS supervisory and regulatory body; the National CSIRT (CSIRT-CY) — embedded within the DSA — handles incident management, coordination and response for critical infrastructure operators. The DSA was also designated as Cyprus's AI Act Market Surveillance Authority in January 2025.
The law categorises covered entities as 'essential' or 'important' based on a size-cap rule (medium and large enterprises in Annex I/II sectors: energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, public administration, space, etc.). Approximately ten times more organisations are in scope compared to NIS1, which covered only 70 entities; size criteria are waived for trust service providers, cloud services and data centres.
Entities must submit an early warning to DSA/CSIRT-CY within 6 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month. Significant incidents are those causing or capable of causing severe operational disruption or financial loss.
Administrative fines for essential entities can reach €10 million or 2% of total global annual turnover (whichever is higher); for important entities the cap is €7 million or 1.4% of global annual turnover. Management bodies can be held personally liable for persistent non-compliance.
Separate from NIS2, Cyprus's Commissioner for Personal Data Protection enforces GDPR (Regulation 2016/679) breach notification: personal-data breaches must be notified to the Commissioner within 72 hours and to affected individuals without undue delay where high risk arises. Both regimes apply concurrently for incidents involving personal data.
Timeline - major decisions & events
The Commission escalated infringement proceedings against Cyprus and 18 other Member States for failing to fully notify transposition of the NIS2 Directive; Cyprus faces referral to the EU Court of Justice if it does not comply within two months, even though it had already enacted its implementing law weeks earlier.
Source: European Commission – Digital Strategy

The Network and Information Systems Security (Amendment) Law of 2025, Law 60(I)/2025, entered into force, transposing EU Directive 2022/2555 (NIS2) and expanding cybersecurity obligations to a broader set of 'essential' and 'important' entities, with administrative fines up to €10 million or 2% of global annual turnover.
Source: European Commission – Digital Strategy

The Cypriot government approved an €8.5 million cybersecurity investment to upgrade defences for public infrastructure, following a documented 45% rise in attempted network breaches between 2023 and 2024 and recurring attacks on critical infrastructure.
Source: Cyprus Mail

A series of coordinated cyber attacks targeted Cyprus government websites, public utilities, and private businesses, with six significant incidents recorded in a short window; eleven critical infrastructure operators subsequently received emergency cyber-defence upgrades, and the Digital Security Authority briefed parliament on heightened geopolitical threat levels.
Source: Industrial Cyber

A targeted intrusion into Ministry of Defence systems sought to exfiltrate sensitive documents and compromise military infrastructure, becoming one of the most serious state-sector cyber incidents in Cyprus's modern history and highlighting gaps in government network defences.
Source: Fast Forward Cyprus

Law 89(I)/2020 replaced the interim 2018 NIS legislation and completed Cyprus's full transposition of EU NIS Directive 2016/1148, granting the Digital Security Authority comprehensive supervisory powers over operators of essential services, digital service providers, and electronic communications providers, with fines up to €200,000.
Source: Antoniou McCollum & Co.

The Digital Security Authority published Cyprus's second National Cybersecurity Strategy, revising the 2013 framework with updated priorities around protecting critical information infrastructure, strengthening CSIRT-CY capabilities, and positioning Cyprus as a regional cybersecurity leader.
Source: Digital Security Authority (DSA) – Cyprus

Law 125(I)/2018 supplemented the EU General Data Protection Regulation in the Cypriot legal order, established the independent Commissioner for Personal Data Protection as the national supervisory authority, and repealed the prior 2001 data protection law — setting the privacy-security interface that governs incident reporting involving personal data.
Source: Commissioner for Personal Data Protection – Cyprus

Law 17(I)/2018 created the Digital Security Authority (DSA) as Cyprus's national competent authority and single point of contact for NIS Directive implementation, consolidating cybersecurity governance previously fragmented across the electronic communications regulator, and formally incorporating the national CSIRT (CSIRT-CY).
Source: Digital Security Authority (DSA) – Cyprus
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.