Cyprus NIS2 Penalties: €10M Cap for Essential Entities, Personal Director Liability Under Law 60(I)/2025, and DSA’s Binding Enforcement Powers
Cyprus enacted the Network and Information Systems Security (Amendment) Law 60(I)/2025 on 25 April 2025 — completing the country’s transposition of the NIS2 Directive (EU) 2022/2555. The law amends Cyprus’s original 2020 cybersecurity statute and introduces a substantially tougher enforcement framework: a €10 million maximum administrative fine for essential entities, mandatory cybersecurity governance obligations for management boards, and a new escalated sanction that can temporarily bar directors from exercising managerial functions.
For organisations operating in Cyprus, enforcement is not a future risk. The Digital Security Authority (DSA) is actively empowered to conduct inspections, issue binding instructions, and impose administrative penalties. The Commissioner of Communications holds concurrent supervisory authority for the electronic communications and digital services sector.
This guide covers the exact penalty tiers under Cypriot law, the personal liability exposure directors now carry, the enforcement tools available to the DSA, and what Cyprus financial entities need to know about the DORA and NIS2 compliance hierarchy. For the full EU-wide NIS2 penalty framework and how Cyprus compares to other member states, see our central penalties guide.
Who Is Covered — Essential vs Important Entity Classification
Cyprus’s NIS2 transposition uses the EU-wide size-cap rule as its primary classification mechanism. The distinction between entity types matters beyond labelling: it determines which supervision regime applies and how frequently the DSA can initiate contact without evidence of a specific incident.
| Classification | Typical sectors | Size threshold | Supervision model |
|---|---|---|---|
| Essential entity | Energy, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, public administration, space | Large enterprise: 250+ employees or €50M+ annual turnover; or designated regardless of size for systemic risk | Proactive (ex ante): regular audits, inspections, and security scans — not triggered by incidents |
| Important entity | Postal services, waste management, chemicals, food, manufacturing, digital providers, research | Medium enterprise: 50–249 employees or €10M–€50M annual turnover | Reactive (ex post): triggered by incidents or evidence of non-compliance only |
Three categories are classified as essential regardless of headcount or revenue: trust service providers, cloud computing service providers, and data centre service providers. For these entities, company size offers no route to the lower classification or the lighter reactive supervision regime that comes with it.
Cyprus NIS2 Fine Tiers: €10M vs €7M, Secondary Penalties, and What Triggers Each
Law 60(I)/2025 implements the NIS2 minimum penalty thresholds from Article 34 of the Directive without national uplift. The figures below represent both the EU-mandated floor and the ceiling applied by Cypriot authorities.
| Entity type | Maximum fine | Turnover alternative | Applies when |
|---|---|---|---|
| Essential entity | €10,000,000 | 2% of total worldwide annual turnover | Whichever is higher; violations of Article 21 or Article 23 |
| Important entity | €7,000,000 | 1.4% of total worldwide annual turnover | Whichever is higher; violations of Article 21 or Article 23 |
The “whichever is higher” mechanism matters for large organisations. An essential entity with €600 million in global annual turnover has a potential maximum exposure of €12 million — because 2% of turnover exceeds the nominal €10 million ceiling. The turnover basis uses the preceding financial year.
Both tiers are triggered by violations of Article 21 (cybersecurity risk-management measures) or Article 23 (incident reporting obligations). A failure in either area — inadequate technical controls or a missed notification deadline — qualifies independently.
Secondary fine tiers are less widely cited but operative under Cypriot law:
- Violations of other national NIS2 law provisions: up to €200,000 plus €10,000 per day of continued non-compliance
- Breaches of applicable EU regulations in scope: up to €300,400, with €200,000 per day for repeat or continuing infringements
These secondary tiers cover conduct outside the Article 21/23 core — for example, failure to respond to a DSA information request, obstruction of an on-site inspection, or ignoring a binding instruction within the DSA’s mandated deadline. They can run alongside the primary fine tiers, not as an alternative to them.
Director and Management Personal Liability Under Law 60(I)/2025
Under Cyprus’s NIS1 framework, compliance obligations fell primarily on the entity as a legal person. Law 60(I)/2025 shifts part of that burden directly to the individuals leading it — through two distinct mechanisms that operate independently of each other.
The Article 20 governance obligation. Management bodies of essential and important entities must formally approve the cybersecurity risk-management measures their organisation adopts under Article 21. This approval is not delegable to a CISO, IT department, or external consultant — the management body owns the decision, its documentation, and its ongoing implementation oversight. Management body members must also undergo regular cybersecurity training; organisations must provide equivalent training to all employees.
A DSA inspection that finds no formal management approval of the organisation’s risk management framework constitutes evidence of an Article 20 breach — even where the underlying technical controls are sound. The governance gap is independently enforceable, not a sub-component of the Article 21 fine.
The Article 32(5) temporary ban. When an essential entity continues to fail after initial DSA enforcement, the DSA may apply for a temporary prohibition on named individuals at CEO or legal representative level from exercising managerial functions within the entity. This is not a financial penalty — it is a personal, role-specific sanction that remains in place until compliance is achieved.
What “personal liability” means in practice. Law 60(I)/2025 attaches liability for the entity’s infringement to the management body — it does not create criminal liability for ordinary compliance gaps. Two distinct routes lead to personal consequences: formal management body liability for entity-level violations, and the Article 32(5) temporary ban, which affects the named individual’s role directly. For boards considering how to structure NIS2 governance, our board and directors compliance guide covers the documentation requirements in detail.
The DSA’s Enforcement Toolkit — Eight Powers in Escalation Order
The DSA does not move directly to fines. Article 32(4) of the Directive provides competent authorities with an ordered toolkit of increasing severity. Lower-severity measures are applied first; escalated measures become available when initial interventions have been insufficient or exhausted.
| Order | Enforcement power | What the DSA can require |
|---|---|---|
| 1 | Warning | Formal notice of a violation without immediate financial consequence |
| 2 | Binding instruction | Directive specifying required action and compliance deadline |
| 3 | Cease-conduct order | Stop specified behaviour causing or risking an incident |
| 4 | Compliance mandate | Align with specific risk-management standards within a set timeframe |
| 5 | Threat notification order | Inform affected users or service recipients about a cyber threat |
| 6 | Audit implementation order | Implement prior security audit recommendations within a DSA-set deadline |
| 7 | Monitoring officer | DSA officer appointed to oversee compliance activities for a defined period |
| 8 | Administrative fine | Imposed standalone or in addition to any of the measures above |
Where an essential entity continues to fail after these measures have been applied or considered, Article 32(5) escalated powers become available: temporary suspension of certifications or authorisations for service provision, and a temporary prohibition on named management from exercising their functions.
For important entities, the same toolkit applies under Article 33(4) but is activated reactively — the DSA engages only following an incident or credible evidence of non-compliance, not on a scheduled proactive cycle.
Proactive vs Reactive Supervision — What Each Entity Category Should Expect
The supervision model determines when the DSA arrives and in what context. The operational implications differ significantly between entity categories.
Essential entities are subject to proactive (ex ante) supervision. The DSA may conduct on-site and off-site inspections, independent security audits commissioned from qualified third parties, targeted audits following significant incidents, security scans using non-discriminatory criteria, and ongoing documentation requests — all as part of a standard oversight cycle, not triggered by any specific failure. An essential entity should treat its Article 21 documentation as permanently audit-ready.
Important entities face reactive (ex post) supervision. The DSA engages only when it has received evidence of non-compliance or following a significant incident report to CSIRT-CY. Important entities will not typically face proactive audit cycles, but the trade-off is that when the DSA does engage, it is already in an adversarial context.
For compliance resourcing decisions, the practical split is this: essential entities need continuous documentation readiness. Important entities should prioritise strong incident response capabilities and post-incident record-keeping, since a missed notification or inadequate response is the primary trigger for DSA engagement. For more detail on the Cypriot supervisory authority structure, see our guide on who regulates NIS2 in Cyprus.
CSIRT-CY — Incident Reporting Timelines
CSIRT-CY is Cyprus’s national Computer Security Incident Response Team, operating under the DSA. For entities covered by Law 60(I)/2025, CSIRT-CY is the designated reporting point for significant cybersecurity incidents.
The Article 23 reporting timeline is mandatory and non-negotiable:
- 6-hour early warning: initial notification when a significant incident is identified. Minimum contents: whether a malicious act is suspected; whether cross-border impact is likely.
- 72-hour detailed report: full notification covering incident nature, initial severity assessment, indicators of compromise where available, affected services, and containment actions taken.
A “significant incident” is one that causes — or is capable of causing — severe operational disruption or financial loss to the affected entity, or material damage to third parties. The 6-hour clock starts from when the incident is identified, not when its full significance is confirmed. Organisations that wait for certainty before notifying CSIRT-CY routinely miss the deadline and expose themselves to a secondary Article 23 fine on top of any Article 21 enforcement.
DORA and NIS2 — The Lex Specialis Rule for Cyprus Financial Entities
Banks, investment firms, payment institutions, e-money providers, insurers, investment funds, and crypto-asset service providers established in Cyprus face a regulatory layering question: when DORA and NIS2 impose overlapping cybersecurity obligations, which framework governs enforcement?
The answer is DORA’s lex specialis principle. Where DORA and NIS2 cover the same obligation for a financial entity, DORA’s more specific requirements take precedence. The NIS2 Directive acknowledges this hierarchy and defers to sector-specific legislation where comprehensive sector rules already apply.
In Cyprus, two financial supervisors implement DORA. The Cyprus Securities and Exchange Commission (CySEC) supervises investment firms, fund managers, and crypto-asset service providers — CySEC issued Circular C700 on 8 April 2025 providing DORA implementation guidance. The Central Bank of Cyprus (CBC) supervises banks and credit institutions under the same framework.
The practical implication: Cyprus financial entities do not face dual administrative penalties for the same incident under both DORA and NIS2. The lex specialis rule assigns primary enforcement authority to CySEC or CBC — not the DSA — for overlapping obligations. However, NIS2 obligations in areas outside DORA’s scope remain active and fall within DSA jurisdiction. The most common residual gaps are supply chain security (Article 21(2)(d)) and physical security policies (Article 21(2)(f)), which DORA’s ICT-focused perimeter leaves unaddressed. Financial organisations should map their DORA compliance programme against NIS2 Article 21 to identify and close those remaining gaps.
The DSA and Commissioner of Communications — How Supervisory Authority Is Divided
Law 60(I)/2025 designates two national competent authorities. The Digital Security Authority (DSA) is the primary NCA with supervisory authority across all sectors covered by the law. The Commissioner of Communications holds concurrent supervisory authority specifically for electronic communications providers, internet service providers, and digital communications infrastructure operators.
The Commissioner’s regulatory mandate pre-dates NIS2. Under Law 60(I)/2025, cybersecurity supervision for these providers runs through both authorities in parallel — it does not transfer exclusively to the DSA.
For telecoms operators and digital service providers in Cyprus, this dual-authority structure has three operational consequences. Either authority may issue compliance inquiries or initiate inspections. Significant incidents must be reported to CSIRT-CY regardless of which supervisor oversees the sector. Risk management documentation must satisfy the standards that both authorities apply — not just one of them.
Fine Calculation — Eight Factors the DSA Must Apply
When the DSA moves to impose an administrative fine, Cypriot law requires it to consider the proportionality factors from Article 32(7) of the Directive. These determine whether the fine is effective, proportionate, and dissuasive in the specific circumstances. Organisations that understand these factors can build documentation that directly supports a mitigation argument.
The eight factors are: the nature, gravity, and duration of the infringement; material or non-material damage caused; whether the conduct was intentional or negligent; actions taken to prevent or mitigate damage; the entity’s degree of responsibility; prior infringements by the same entity; degree of cooperation with the DSA; and the entity’s financial standing.
Three factors are immediately actionable. Timely CSIRT-CY notification and a documented incident response directly address the prevention and mitigation factor. Transparent engagement with DSA inspectors and prompt responses to information requests address the cooperation factor. Maintaining Article 20 governance records — board approval minutes, training completion records, risk assessment sign-offs — directly addresses the degree of responsibility factor.
Factor 6 — prior infringements — carries the highest systemic risk. An entity that received a DSA warning and failed to act on it in good time faces materially higher fine exposure in any subsequent enforcement action than a first-time respondent in identical circumstances. The DSA correspondence log is not a procedural formality; it is evidence.
Frequently Asked Questions
Can the DSA fine an entity that suffered a cyberattack even if it had security measures in place?
Yes. The fine assessment focuses on whether the entity implemented the risk-management measures required by Article 21 — not on whether an incident occurred. A well-documented Article 21 compliance programme provides a strong mitigation argument on the factors for intent, degree of responsibility, and prevention actions. The absence of documentation removes that argument entirely, regardless of the entity’s actual security posture.
Does Law 60(I)/2025 apply to non-Cypriot companies providing services in Cyprus?
The NIS2 Directive and its Cypriot transposition apply to entities established in an EU member state. For entities established in multiple member states, the jurisdiction rules of Article 26 of the Directive apply — the competent authority is typically that of the member state where the entity has its main establishment for the relevant network and information systems. A non-Cypriot company with a Cypriot subsidiary operating systems from Cyprus may fall under DSA jurisdiction depending on the facts.
Can the DSA issue binding instructions and impose a fine for the same violation simultaneously?
Yes. Under Article 32(4) and Article 34, administrative fines may be imposed in addition to — not instead of — the other enforcement measures in the toolkit. The DSA may issue a binding instruction, set a compliance deadline, and impose a fine for the original violation in the same enforcement action, with periodic penalty payments available if the binding instruction is not implemented within the required timeframe.
Key Takeaways
- Law 60(I)/2025 (in force 25 April 2025) is fully active — the DSA has immediate powers to inspect, instruct, and fine.
- Essential entities face up to €10M or 2% of global turnover; important entities face up to €7M or 1.4%. A large essential entity may exceed the €10M nominal ceiling via the turnover-based calculation.
- Management bodies must formally approve and oversee Article 21 measures under Article 20. This obligation is independently enforceable — a governance gap can be fined separately from any Article 21 technical failure.
- The Article 32(5) temporary management ban is a personal, role-specific sanction — not a financial penalty. It removes the named individual from their position until compliance is achieved.
- DORA takes precedence over NIS2 for Cyprus financial entities on overlapping obligations. CySEC and CBC — not the DSA — are the primary enforcement authorities. Residual NIS2 gaps in supply chain and physical security remain under DSA jurisdiction.
- The Commissioner of Communications holds concurrent supervisory authority alongside the DSA for telecoms and digital communications providers — either authority may inspect.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
