Who Regulates NIS2 in Cyprus: DSA, Commissioner of Communications, and CSIRT-CY’s 6-Hour Window
Cyprus’s NIS2 compliance landscape doesn’t funnel through a single body. When the Network and Information Systems Security (Amendment) Law 60(I)/2025 entered into force on 25 April 2025, it confirmed a three-authority structure that distributes responsibility across the Digital Security Authority (DSA), the Commissioner of Electronic Communications and Postal Regulation, and CSIRT-CY. Each plays a distinct role — and confusing them costs time during an incident when minutes matter.
The most operationally significant difference from the EU-wide NIS2 baseline: Cyprus tightened the early warning window from 24 hours to 6 hours. An entity that detects a significant cybersecurity incident at 09:00 on a Monday must submit an initial notification to CSIRT-CY no later than 15:00 the same day. This guide maps all three authorities, their legal mandates, and exactly what your organisation must do — and by when.
Cyprus’s Three-Authority NIS2 Structure
Most EU member states designate a single competent authority for NIS2. Cyprus formally designates two — the DSA and the Commissioner of Electronic Communications and Postal Regulation — while housing the national CSIRT function inside the DSA. Each body has a different function, and knowing which to approach for what matters in practice.
| Authority | Role under NIS2 | Primary contact point |
|---|---|---|
| Digital Security Authority (DSA) | National Competent Authority (NCA); Single Point of Contact (SPOC); supervision, audits, enforcement | dsa.cy |
| Commissioner of Electronic Communications and Postal Regulation | Supervisory oversight body for DSA; co-designated supervisory authority under the 2025 law | Via DSA operational channels |
| CSIRT-CY | National Computer Security Incident Response Team; 6-hour early warning recipient; technical incident handling | reporting@csirt.cy |
Under Article 8 of Directive (EU) 2022/2555, member states may designate one or more competent authorities responsible for cybersecurity supervision [2]. Cyprus exercises that flexibility by formally designating both the DSA and the Commissioner of Communications as supervisory authorities, while the DSA serves as the operational NCA and SPOC for all cross-border liaison functions required under Article 8 [2].
Get the NIS2 Article 21 Compliance Checklist
90+ assessment items mapped to CIR 2024/2690 — instant PDF, no payment.
The Digital Security Authority — Cyprus’s Primary NCA
The DSA is the authority your compliance programme engages with directly. Established by Law 17(I)/2018 — the Security of Network and Information Systems Law — it began operations in April 2018 as an independent state agency under the supervision of the Commissioner of Communications [8]. When it launched, it absorbed the NIS and cybersecurity powers that had previously sat with the Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR) under Law 112(I)/2004 [8].
Under the 2025 amendment, the DSA simultaneously holds five functions:
- National Competent Authority (NCA) — supervises essential and important entities across all sectors designated under NIS2 Annex I and Annex II, covering energy, transport, banking, healthcare, digital infrastructure, public administration, space, postal services, waste management, manufacturing, and food production [3]
- Single Point of Contact (SPOC) — coordinates with other EU member states, the European Commission, and ENISA on cross-border cybersecurity matters, fulfilling the liaison function required by Article 8 of NIS2 [2]
- National Cybersecurity Coordination Centre (NCC-CY) — Cyprus’s node within the European Cybersecurity Competence Network, promoting research and capacity-building
- National Certification Authority for Cybersecurity (NCCA) — oversees EU cybersecurity certification schemes under the EU Cybersecurity Act
- Host of CSIRT-CY — the national Computer Security Incident Response Team operates within DSA’s organisational structure, not as a separate agency
For supervisory purposes, the DSA applies proactive oversight to essential entities — onsite inspections, ad hoc audits, certification verification, and direct information requests — while important entities receive primarily reactive supervision, triggered by reported incidents or third-party complaints [6][7].
DSA Enforcement Powers
The 2025 amendment expanded the DSA’s enforcement toolkit. Before or instead of financial penalties, the DSA can issue binding instructions requiring remediation within a fixed deadline, suspend certifications and authorisations, appoint a monitoring supervisor, and temporarily prohibit specific individuals from exercising management functions [7]. The last measure targets boards and C-suite executives directly: Law 60(I)/2025 holds the highest level of management personally responsible for cybersecurity risk management [6].
Cyprus in the NIS2 Peer Review Programme
In the first NIS2 pilot peer review, Cyprus participated as the learner peer, with Greece, Italy, and Luxembourg serving as reviewer peers. Peer reviews under NIS2 assess whether member state authorities have the operational capacity to perform their supervisory duties. Cyprus’s participation signals both institutional readiness and willingness to benchmark its framework against other EU implementations — relevant context if you are assessing whether DSA supervision is likely to be active or aspirational in practice.
The Commissioner of Communications — Oversight Layer
The Commissioner of Electronic Communications and Postal Regulation (OCECPR) has held NIS and cybersecurity responsibilities in Cyprus since 2004, predating the DSA by 14 years. Between 2010 and 2015, the Commissioner published legislation covering security requirements for electronic communications providers and actively supervised compliance in that sector [8]. When the DSA was spun out as a dedicated cybersecurity agency in 2018, it took over those powers — but the Commissioner retained institutional standing in the governance structure.
Under Cyprus’s NIS2 transposition, the Commissioner is formally designated as a supervisory authority alongside the DSA [7]. In practice, this means the Commissioner’s oversight remains most relevant for electronic communications providers, where the OCECPR historically held deep sectoral expertise. For the majority of NIS2-regulated entities — energy, healthcare, banking, digital infrastructure, manufacturing — the Commissioner is an institutional oversight layer rather than a direct operational contact. The DSA will be your primary compliance relationship.
The structure is not unusual in EU NIS2 implementation. Several member states have designated multiple authorities with partially overlapping remits; Cyprus’s approach formally anchors the DSA within a pre-existing regulatory hierarchy rather than creating an entirely new governance chain. For compliance officers, the practical implication is straightforward: file incident reports with CSIRT-CY, engage the DSA for supervisory questions, and expect the Commissioner’s involvement primarily if your organisation also holds electronic communications licences.
CSIRT-CY — Where to Send Incident Reports
CSIRT-CY is the operational incident response arm of the DSA. It operates around the clock and is Cyprus’s contact point within the EU’s CSIRTs Network — the cross-border coordination mechanism that NIS2 mandates for all national teams. Its core mandate covers threat monitoring at national level, technical assistance to entities handling significant incidents, and coordination with peer CSIRTs across EU member states.
Incident reports are submitted to: reporting@csirt.cy
The CSIRT-CY incident reporting form at csirt.cy/en/incident-reporting-form captures the information required for triage: incident classification, affected systems, initial impact assessment, and mitigation steps already taken. Completing this form — not just sending a free-text email — is the recommended submission method because it structures the data CSIRT-CY needs to respond quickly and, where requested, provide technical guidance back to your team.
CSIRT-CY also maintains an advisory channel at info@csirt.cy for general cybersecurity enquiries. The distinction matters operationally: reporting@csirt.cy is for incident notifications; info@csirt.cy is for non-incident questions. Sending a significant incident notification to the wrong address does not satisfy your reporting obligation under the 2025 law.
For entities with dual reporting obligations — for example, a Cypriot bank subject to both NIS2 and DORA — the CSIRT-CY pathway covers NIS2. DORA’s separate incident reporting obligations to the relevant financial supervisor run in parallel and do not replace NIS2 notifications.
Incident Notification Requirements: Cyprus’s Stricter 6-Hour Window
The single most operationally significant difference between Cyprus’s NIS2 law and the EU baseline is the early warning timeline. Article 23 of Directive (EU) 2022/2555 sets a 24-hour early warning window from the point an entity becomes aware of a significant incident [1]. Cyprus’s Law 60(I)/2025 tightened this to 6 hours [4][5].
The practical implication: a Cyprus-operating entity that detects a significant incident at 08:00 must submit an initial notification to CSIRT-CY by 14:00 the same day. Six hours is not the time available to draft and review the notification — it is the time between detection and submission. Entities that have not pre-built their internal notification process will find this window extremely tight during an active incident response.
| Reporting stage | NIS2 EU baseline | Cyprus Law 60(I)/2025 | Recipient |
|---|---|---|---|
| Early warning | 24 hours | 6 hours | CSIRT-CY (reporting@csirt.cy) |
| Incident notification | 72 hours | 72 hours | CSIRT-CY |
| Progress report | On request from authority | Every 15 days if incident unresolved | CSIRT-CY / DSA |
| Final report | 1 month after incident notification | 1 month after incident notification | DSA |
Trust service providers face a separate timeline: they must report significant incidents affecting their trust services within 24 hours of becoming aware, regardless of the 6-hour rule that applies to other entities [1].
For a detailed breakdown of what each reporting stage requires — including how to determine whether an incident crosses the “significant” threshold and what information must accompany each submission — see our NIS2 Article 23 incident notification guide.
Scope, Classification, and Penalties
Three criteria determine whether the DSA has supervisory authority over your organisation:
- You provide services in a sector listed under NIS2 Annex I (essential) or Annex II (important)
- You exceed the medium-sized enterprise threshold: 50 or more employees, or annual turnover and balance sheet total exceeding €10 million
- You are established in Cyprus — with an exception for digital service providers and telecommunications entities, which may be in scope regardless of establishment location [4]
| Sector | Entity classification |
|---|---|
| Energy, Transport, Banking, Financial market infrastructure, Health, Drinking water, Waste water, Digital infrastructure, ICT service management (B2B), Public administration, Space | Essential (Annex I) |
| Postal and courier services, Waste management, Manufacture of critical products (medical devices, electronics, machinery, vehicles), Food production and distribution, Chemical production, Digital providers (marketplaces, search engines, social platforms), Research organisations | Important (Annex II) |
Cyprus does not operate a formal entity registration process. The DSA identifies in-scope entities through national assessment and notifies them directly. Once notified, an entity must report any material changes to its organisational information within two weeks [4].
Administrative Penalties
The DSA can impose the following fines under Law 60(I)/2025:
- Essential entities: up to €10,000,000 or 2% of annual worldwide turnover, whichever is higher [4]
- Important entities: up to €7,000,000 or 1.4% of annual worldwide turnover, whichever is higher [4]
- National law violations: up to €200,000 additionally [4]
- EU regulation violations: up to €300,400 additionally [4]
- Ongoing non-compliance: daily penalties may run alongside the main fine [4]
Senior management can face personal liability where non-compliance results from wilful neglect. The DSA may temporarily restrict specific individuals from exercising management functions — a direct consequence for boards and executives who fail to treat cybersecurity governance as a board-level responsibility [6].
Practical Steps: Building Your Cyprus NIS2 Compliance Baseline
These are the immediate actions that align with the DSA’s supervisory expectations for newly in-scope entities:
- Confirm scope: Use the DSA’s self-assessment tool at dsa.cy to verify whether you meet both sector and size thresholds. Do not wait for the DSA to contact you — self-identification is your obligation.
- Assign management accountability: Document who at board level owns NIS2 compliance. Law 60(I)/2025 holds senior management personally responsible; this needs to be reflected in your governance structure before any DSA audit request arrives.
- Implement Article 21 security measures: The 10 security domains under Article 21 of NIS2 apply to both essential and important entities. Incident handling, access control, and backup policies are consistently among the first controls DSA auditors examine.
- Register CSIRT-CY as your incident notification recipient: Add reporting@csirt.cy to your incident response runbook as the mandatory first contact. Set internal escalation SLAs that allow notification submission within 6 hours of detection — not 24.
- Pre-complete the CSIRT-CY reporting form: The template at csirt.cy/en/incident-reporting-form requires incident classification, affected systems, impact scope, and early mitigation steps. Drafting this for the first time during an active incident consumes the 6-hour window. Prepare it as a pre-incident exercise.
- Set up a change notification process: Any material change to organisational information — ownership, sector classification, size — must reach the DSA within two weeks [4].
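The reporting stages in the timeline table above and the escalation-SLA step in this checklist can be turned into a small runbook helper that derives every deadline from the moment of detection. The following Python is an added example written for this article, not code from the DSA, CSIRT-CY or any of the cited sources. It assumes (the page does not say) that the 72-hour clock also runs from detection, that progress reports fall due every 15 days after the incident notification until the incident is resolved or the final report is due, and that "1 month" means one calendar month; the sample detection time is constructed.

```python
"""Deadline calculator for the Cyprus NIS2 reporting timeline (added example)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Reporting windows taken from the table on this page (Cyprus Law 60(I)/2025).
# "trust_service" is the separate 24-hour early warning for trust service providers.
EARLY_WARNING_HOURS = {"standard": 6, "trust_service": 24}
INCIDENT_NOTIFICATION_HOURS = 72
PROGRESS_INTERVAL_DAYS = 15


def add_one_month(moment: datetime) -> datetime:
    """Same clock time one calendar month later (day clamped to month length).

    Modelling the page's "1 month after incident notification" as a calendar
    month is an assumption of this example.
    """
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


@dataclass
class ReportingSchedule:
    early_warning: datetime           # CSIRT-CY: 6 h (24 h for trust services)
    incident_notification: datetime   # CSIRT-CY: 72 h
    progress_reports: List[datetime]  # CSIRT-CY / DSA: every 15 days while unresolved
    final_report: datetime            # DSA: 1 month after incident notification


def reporting_schedule(detected_at: datetime, entity_kind: str = "standard",
                       resolved_at: Optional[datetime] = None) -> ReportingSchedule:
    """Derive all reporting deadlines from the detection time.

    Assumptions: the 72-hour clock runs from detection; progress reports are due
    every 15 days after the incident notification until resolution or the final
    report, whichever comes first.
    """
    if entity_kind not in EARLY_WARNING_HOURS:
        raise ValueError(f"unknown entity kind: {entity_kind!r}")
    early = detected_at + timedelta(hours=EARLY_WARNING_HOURS[entity_kind])
    notification = detected_at + timedelta(hours=INCIDENT_NOTIFICATION_HOURS)
    final = add_one_month(notification)

    progress: List[datetime] = []
    due = notification + timedelta(days=PROGRESS_INTERVAL_DAYS)
    while due < final and (resolved_at is None or due < resolved_at):
        progress.append(due)
        due += timedelta(days=PROGRESS_INTERVAL_DAYS)
    return ReportingSchedule(early, notification, progress, final)


def schedule_as_iso(detected_iso: str, entity_kind: str = "standard",
                    resolved_iso: Optional[str] = None) -> dict:
    """Wrapper taking ISO 8601 strings, convenient for runbook tooling and tests."""
    detected = datetime.fromisoformat(detected_iso)
    resolved = datetime.fromisoformat(resolved_iso) if resolved_iso else None
    s = reporting_schedule(detected, entity_kind, resolved)
    return {
        "early_warning": s.early_warning.isoformat(),
        "incident_notification": s.incident_notification.isoformat(),
        "progress_reports": [p.isoformat() for p in s.progress_reports],
        "final_report": s.final_report.isoformat(),
    }


def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left until a deadline; negative once it has passed."""
    return (deadline - now).total_seconds() / 3600


def escalation_fits(steps_minutes: List[int], entity_kind: str = "standard") -> bool:
    """Hypothetical runbook check: does the internal escalation chain (minutes per
    step, e.g. on-call triage -> CISO -> legal -> form submission) fit inside the
    early warning window?"""
    budget_minutes = EARLY_WARNING_HOURS[entity_kind] * 60
    return sum(steps_minutes) <= budget_minutes


if __name__ == "__main__":
    # Constructed detection time: Monday 28 April 2025, 09:00 (the page's 09:00 example).
    detected = datetime(2025, 4, 28, 9, 0)
    sched = reporting_schedule(detected)
    print("Early warning due:       ", sched.early_warning)
    print("Incident notification due:", sched.incident_notification)
    print("Progress reports due:    ", [str(p) for p in sched.progress_reports])
    print("Final report due:        ", sched.final_report)
    print("Escalation chain fits 6 h:", escalation_fits([30, 60, 90, 120]))
```

Run the file to see the full schedule for the constructed Monday 09:00 detection; the early warning lands at 15:00 the same day, as in the article's own example, while a trust service provider gets 09:00 the following day. The `escalation_fits` check is the kind of sanity test worth running against the runbook before an incident, since a chain of approvals that totals more than 360 minutes cannot meet the window no matter how fast the form is filled in.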
For the full NIS2 incident reporting process, including how to classify incident severity and what the 72-hour notification must contain, see our incident reporting guide.
Frequently Asked Questions
Is the Commissioner of Communications the same as the DSA?
No. The DSA is an independent agency that operates under the supervision of the Commissioner of Electronic Communications and Postal Regulation (OCECPR). The Commissioner is the institutional oversight body in the governance hierarchy; the DSA is the operational authority that directly supervises NIS2-regulated entities and handles enforcement.
Can I send NIS2 incident reports directly to the DSA instead of CSIRT-CY?
CSIRT-CY is the designated incident notification recipient. Because CSIRT-CY operates within the DSA’s structure, the report ultimately reaches the same institution — but reporting to CSIRT-CY via reporting@csirt.cy satisfies the formal notification obligation. A general email to a DSA administrative address may not. Use the designated channel and the structured reporting form.
Does the 6-hour early warning apply to all NIS2 entities in Cyprus?
Yes, for both essential and important entities established in Cyprus. The 6-hour window applies from the moment the entity becomes aware of a significant incident, as set by Law 60(I)/2025. Trust service providers are subject to a separate 24-hour window for incidents affecting their trust services specifically [1].
What counts as a “significant incident” requiring notification?
Cyprus’s law follows the NIS2 definition: an incident that causes or is capable of causing severe operational disruption, significant financial loss, or material impact on other persons. The DSA may issue sector-specific guidance on thresholds. When uncertain, the conservative approach is to notify — a notification that turns out to be unnecessary carries far less risk than a failure to notify that is later scrutinised.
Conclusion
Cyprus’s NIS2 governance is built on three interlocking layers: the DSA as primary competent authority and enforcement body, the Commissioner of Electronic Communications and Postal Regulation as the institutional oversight layer with roots in national cybersecurity law going back to 2004, and CSIRT-CY as the hands-on incident response team. The authority you engage for compliance supervision is the DSA; the address you send incident reports to is reporting@csirt.cy — within 6 hours of detection, not 24.
Cyprus’s transposition, completed in April 2025 after a brief delay past the EU deadline, now ranks among the stricter member state implementations for early warning timelines. For entities building their incident response processes, that 6-hour window should drive the design of internal notification chains before any incident occurs — not after.
For country-level context on how other EU member states have structured their NIS2 authorities, see our guides on Germany, France, and the Netherlands, or return to our Cyprus NIS2 overview.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
[1] Article 23: Reporting Obligations — Directive (EU) 2022/2555 (NIS2)
[2] Article 8: Competent Authorities and Single Points of Contact — Directive (EU) 2022/2555 (NIS2)
[3] Cyprus NIS2 Transposition — nis-2-directive.com
[4] NIS2 Cyprus: Requirements & Certification for Compliance — nis2certification.eu
[5] Harneys — Cyprus Adopts NIS2 Directive: Key Updates in 2025 Cybersecurity Law
[6] Eversheds Sutherland — Cyprus NIS2 Implementation Overview
[7] Michael Kyprianou Law Firm — NIS2 Requirements in Cyprus
[8] Digital Security Authority (DSA) — CybersecurityIntelligence.com
