Cybersecurity · Cyprus
Cyprus transposed the EU NIS2 Directive into national law via Law 60(I)/2025, published 25 April 2025, extending mandatory cybersecurity risk-management and incident-reporting obligations to a significantly wider set of essential and important entities across 18 sectors. The Digital Security Authority (DSA) and the National CSIRT (CSIRT-CY) jointly serve as the competent authorities for implementation and enforcement. The European Commission issued a reasoned opinion on 7 May 2025 for incomplete notification of transposition measures, indicating that some implementing measures remain outstanding.
Law 60(I)/2025 (Security of Networks and Information Systems (Amendment) Law of 2025), enacted 10 April 2025 and in force from 25 April 2025, aligns Cyprus national law with EU NIS2 Directive 2022/2555; it amends the baseline Law 89(I)/2020.
The Digital Security Authority (DSA) is the national NIS supervisory and regulatory body; the National CSIRT (CSIRT-CY) — embedded within the DSA — handles incident management, coordination and response for critical infrastructure operators. The DSA was also designated as Cyprus's AI Act Market Surveillance Authority in January 2025.
The law categorises covered entities as 'essential' or 'important' based on a size-cap rule (medium and large enterprises in Annex I/II sectors: energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, public administration, space, etc.). Approximately ten times more organisations are in scope compared to NIS1, which covered only 70 entities; size criteria are waived for trust service providers, cloud services and data centres.
Entities must submit an early warning to DSA/CSIRT-CY within 6 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month. Significant incidents are those causing or capable of causing severe operational disruption or financial loss.
Administrative fines for essential entities can reach €10 million or 2% of total global annual turnover (whichever is higher); for important entities the cap is €7 million or 1.4% of global annual turnover. Management bodies can be held personally liable for persistent non-compliance.
Separate from NIS2, Cyprus's Commissioner for Personal Data Protection enforces GDPR (Regulation 2016/679) breach notification: personal-data breaches must be notified to the Commissioner within 72 hours and to affected individuals without undue delay where high risk arises. Both regimes apply concurrently for incidents involving personal data.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.