
    NIS2 in Cyprus

    A guide to NIS2 implementation and compliance in Cyprus.

    Cyprus is aligning its national cybersecurity regime with the strengthened obligations introduced under the NIS2 Directive. The updated framework expands sector coverage, strengthens governance accountability, and formalizes supervisory and sanction mechanisms. This guide provides a structured overview of NIS2 compliance requirements in Cyprus for SMEs operating in regulated sectors.

    1. Quick SME Applicability Snapshot in Cyprus

    Does NIS2 apply to SMEs in Cyprus?

    Yes — depending on sector and size.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in Cyprus and, in certain circumstances, foreign digital providers serving the Cypriot market.

    SMEs should evaluate whether they fall within Cyprus' national cybersecurity regime based on sector classification and statutory thresholds.

    2. Overview of NIS2 Implementation in Cyprus

    Cyprus has transposed NIS2 through the Network and Information Systems Security (Amendment) Law of 2025 (60(I)/2025), enacted by Parliament on 10 April 2025 and in force since 25 April 2025.

    The amendment updates the Network and Information Systems Security Law of 2020 (L. 89(I)/2020) to align with Directive (EU) 2022/2555. The updated law modernizes obligations relating to governance, incident reporting, supervision, and sanctions, and significantly expands the number of regulated entities — from approximately 70 under NIS1 to an estimated ten times more under the new framework.

    Cyprus includes two notable national deviations from the Directive baseline: the early warning deadline is 6 hours from incident detection (stricter than the Directive's 24 hours), and entity identification follows a DSA-led assessment model rather than self-registration. Commission notification completeness remains under review following the May 2025 reasoned opinion (issued prior to enactment).

    3. Scope of Application in Cyprus

    Cyprus' sectoral scope reflects Directive minimum categories without confirmed national expansion.

    4. Size Thresholds and SME Applicability in Cyprus

    The baseline thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria within covered sectors fall automatically within scope.

    Small and micro enterprises may be designated if deemed critical to economic stability, public security, or essential service continuity.

    Cypriot authorities retain formal designation powers where justified by systemic risk.

    5. Entity Classification Framework in Cyprus

    Entities are categorized as:

    • Essential Entities — Subject to proactive supervision, including audits and structured compliance monitoring.
    • Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.

    Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.

    Cyprus' classification structure mirrors the Directive's two-tier model.

    6. Cybersecurity Risk Management Requirements in Cyprus

    Cyprus aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and system security
    • Incident prevention and response
    • Business continuity and crisis planning
    • Supply chain risk controls
    • Secure system acquisition and development
    • Access control and identity management
    • Encryption and cryptographic safeguards
    • Vulnerability management procedures
    • Staff cybersecurity awareness and training

    Measures must reflect state-of-the-art standards and the organization's risk profile. Alignment with ISO/IEC 27001 and recognized Cypriot cybersecurity guidance is encouraged.

    Supply chain oversight includes contractual safeguards and vendor monitoring to mitigate cascading cyber risk.

    7. Management Liability and Governance in Cyprus

    Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

    Under Cyprus' national framework:

    • Boards are accountable for compliance oversight.
    • Senior management must ensure adequate cybersecurity knowledge.
    • Administrative sanctions may address governance failures.
    • Temporary suspension of managerial functions may be available under Directive-aligned mechanisms.

    Cyprus' NIS2 management liability standards elevate cybersecurity responsibility to executive level.

    8. Incident Reporting Obligations in Cyprus

    Definition of a Significant Incident

    A significant incident includes events causing:

    • Severe operational disruption
    • Significant financial loss
    • Substantial societal impact
    • Cross-border effects

    Reporting Timeline

    | Reporting Stage       | Deadline                                                     | Authority                        |
    |-----------------------|--------------------------------------------------------------|----------------------------------|
    | Early Warning         | 6 hours from detection (stricter than Directive baseline)    | Digital Security Authority (DSA) |
    | Incident Notification | 72 hours (trust service providers: 24 hours)                 | Digital Security Authority (DSA) |
    | Interim Report        | Within 15 days if incident is ongoing                        | Digital Security Authority (DSA) |
    | Final Report          | 1 month                                                      | Digital Security Authority (DSA) |

    Cyprus applies a 6-hour early warning deadline, which is stricter than the Directive baseline of 24 hours. Trust service providers must submit a full incident notification within 24 hours (rather than 72 hours). An interim report is required within 15 days if the incident remains ongoing at the time of notification.

    9. Supervisory Authorities and Enforcement Model in Cyprus

    Primary authority: Digital Security Authority (DSA). The Commissioner of Communications is also designated as a supervisory authority. The DSA has published a Concise Guide to the NIS2 Directive to assist in-scope entities.

    Cyprus operates a centralized supervisory model supported by sector regulators when required.

    Supervisory powers include:

    • Requests for documentation and information
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity coordination frameworks

    The enforcement structure aligns with Directive-level cooperation mechanisms. Cyprus's security measures framework references ISO 27001, NIST SP 800-53, and NIS Cooperation Group guidelines as recognized compliance benchmarks.

    10. NIS2 Fines and Sanctions in Cyprus

    Cyprus applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    NIS2 enforcement in Cyprus may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of certification or authorization
    • Managerial suspension powers

    Criminal liability applies only where explicitly provided under Cypriot legislation.

    11. NIS2 Supply Chain and Vendor Security in Cyprus

    Entities must manage third-party cybersecurity exposure through:

    • Vendor due diligence
    • Contractual security flow-down requirements
    • Ongoing ICT supplier monitoring
    • Concentration risk analysis
    • Incident propagation mitigation

    Cyprus' approach aligns with Directive baseline expectations regarding third-party risk management.

    12. Registration and Self-Identification Duties in Cyprus

    Entities within scope must:

    • Await formal notification from the DSA of identification as essential or important. Cyprus does not require entities to self-register; the DSA conducts a national assessment and notifies entities of their status and obligations.
    • Provide corporate identification details
    • Disclose sector classification
    • Maintain updated contact information. Any changes must be reported to the DSA within two weeks.

    The DSA provides a non-binding NIS2 Self-Assessment Tool (available on the DSA website) that organisations can use to make an initial assessment of their potential scope — this does not replace the official identification procedure.

    While formal self-registration is not required, entities that believe they may fall within scope should use the DSA's Self-Assessment Tool and prepare for compliance in advance of formal notification.

    13. Interaction With GDPR and Other Laws in Cyprus

    The General Data Protection Regulation continues to apply concurrently.

    Overlap areas include:

    • 72-hour personal data breach notification
    • Supervisory authority coordination
    • Parallel cybersecurity and data protection investigations
    • Sector-specific Cypriot cybersecurity rules

    14. Cross-Border Applicability

    Entities with their main establishment in Cyprus fall under Cypriot supervision for cross-border services.

    Foreign digital providers offering services in Cyprus may be subject to local obligations depending on establishment structure.

    Representation requirements follow Directive standards for non-EU providers serving Cypriot markets.

    15. Implementation Timeline in Cyprus

    • Directive adoption: 2022
    • Network and Information Systems Security (Amendment) Law of 2025 (60(I)/2025) enacted by Parliament on 10 April 2025
    • Entry into force: 25 April 2025
    • Commission notification: EC reasoned opinion issued May 2025 (prior to enactment); notification completeness under Commission review
    • Compliance milestone: DSA-led entity identification and notification process ongoing; entities have obligations from date of DSA notification; early warning deadline is 6 hours — stricter than Directive baseline

    Cyprus completed transposition in April 2025. Entities should use the DSA's Self-Assessment Tool to assess their likely scope and prepare compliance programmes in advance of formal DSA notification.

    16. Key Takeaways for SMEs in Cyprus

    • Medium-sized entities in covered sectors are automatically in scope.
    • Small entities may be designated if critical to economic or public stability.
    • Board-level governance oversight is mandatory.
    • Incident reporting follows 6h / 72h / 1 month deadlines — Cyprus's 6-hour early warning is stricter than the EU Directive baseline of 24 hours.
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor risk management is a core obligation.
    • Early compliance planning reduces enforcement exposure.

    FAQ: NIS2 Cyprus SME Guide

    Does NIS2 apply to small companies in Cyprus?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.

    What are the NIS2 fines in Cyprus?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Cyprus?

    Cyprus enacted the Network and Information Systems Security (Amendment) Law of 2025 (60(I)/2025) on 10 April 2025; it has been in force since 25 April 2025. The DSA is conducting entity identification and notifying organisations of their status and obligations. Entities should use the DSA's Self-Assessment Tool to assess their likely scope and prepare for compliance. Note that Cyprus's early warning deadline of 6 hours is stricter than the EU Directive baseline.

    Who enforces NIS2 in Cyprus?

    The Digital Security Authority (DSA) serves as the primary supervisory authority. The Commissioner of Communications is also designated as a supervisory authority, coordinating with sector regulators where relevant.

    Can directors be personally liable under NIS2 in Cyprus?

    Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in Cyprus?

    NIS2 governs cybersecurity risk management and operational resilience, while GDPR regulates personal data protection. Both may apply simultaneously after a cyber incident.

    What qualifies as a significant incident under NIS2 in Cyprus?

    An incident causing severe disruption, financial loss, societal impact, or cross-border consequences generally meets the reporting threshold.