Cyprus NIS2 Compliance: What the Cybersecurity Act Requires from Financial Services, Shipping, and Telecoms

Cyprus’s financial services sector manages approximately €66 billion in banking assets, its merchant fleet is the 3rd-largest ship registry in the EU, and the island’s international internet connectivity flows almost entirely through submarine cables. When Parliament enacted Law 60(I)/2025 on 25 April 2025 — transposing the EU’s NIS2 Directive into Cypriot law — it brought roughly ten times more organisations into scope than its predecessor. For Cypriot banks, shipping management companies, and telecoms providers, the compliance stakes are unusually concentrated. This guide explains who regulates NIS2 in Cyprus, which sectors carry the heaviest obligations, and what management must do to avoid penalties of up to €10 million.

Cyprus’s NIS2 Law — Law 60(I)/2025

Cyprus transposed the EU NIS2 Directive (EU 2022/2555) through the Network and Information Systems Security (Amendment) Law of 2025 — Law 60(I)/2025 — enacted on 25 April 2025. This amended the original cybersecurity statute Law 89(I)/2020 and consolidated all NIS2 requirements into a single national framework covering 18 designated sectors.

[Figure: Cyprus NIS2 Law 60(I)/2025 comparison showing scope expansion from 70 to hundreds of entities. Cyprus Law 60(I)/2025 compresses incident early warning to 6 hours and introduces personal management liability.]

Cyprus missed the EU’s 17 October 2024 transposition deadline. The European Commission sent a reasoned opinion on 7 May 2025 noting incomplete notification of transposition measures, placing Cyprus alongside other member states facing infringement proceedings. Legislative transposition is complete; practical implementation — entity identification and active DSA supervision — is ongoing through 2025 and 2026.

What changed from NIS1 to the current law:

  • Sector coverage expanded from 7 to 18 designated sectors
  • Scope extended down to medium-sized enterprises (50+ employees or €10M+ annual turnover)
  • Self-registration replaced by DSA-led national entity assessment
  • Management body personal liability provisions introduced
  • Incident early-warning compressed to 6 hours (from 24 hours under NIS1)
  • Approximately 10 times more organisations in scope — from roughly 70 entities under NIS1 to several hundred today

The Regulatory Structure — DSA and CSIRT-CY

Cyprus’s NIS2 framework distributes responsibilities between two distinct bodies: the Digital Security Authority (DSA) and the national CSIRT (CSIRT-CY). Understanding which body does what is essential for compliance planning.

Digital Security Authority (DSA) is Cyprus’s designated competent authority for NIS2 supervision and enforcement. The DSA, headquartered at Helioupoleos 12, 1101 Nicosia, operates under the oversight of the Commissioner of Communications — Cyprus’s broad regulatory authority for electronic communications. This institutional structure places cybersecurity oversight within the telecommunications regulator’s framework, reflecting the island economy’s dependence on digital infrastructure for cross-border connectivity.

The DSA’s responsibilities under Law 60(I)/2025:

  • Conducting national assessments to identify essential and important entities (organisations do not self-register)
  • Maintaining the national entity register
  • Conducting proactive audits of essential entities and reactive supervision of important entities
  • Imposing administrative sanctions and enforcement orders
  • Liaising with ENISA and the EU-level NIS Cooperation Group
  • Developing the national cybersecurity strategy, subject to Council of Ministers ratification

CSIRT-CY (Computer Security Incident Response Team Cyprus) is the separate operational body for incident response. CSIRT-CY receives and triages significant cybersecurity incident notifications, provides threat intelligence and technical assistance to regulated entities, and coordinates with the EU CSIRTs Network. For incident reporting purposes, the contact address is reporting@csirt.cy.

The supervisory split matters in practice: the DSA handles compliance oversight, enforcement, and audits; CSIRT-CY handles incident notifications and operational response. Contact details for both bodies are published on the European Commission’s official NIS2 implementation page for Cyprus.

Does NIS2 Apply to Your Cypriot Organisation?

Law 60(I)/2025 applies to an organisation if it satisfies all three of the following criteria simultaneously:

  1. Sector: the organisation provides services in one of the 18 designated sectors
  2. Size: the organisation qualifies as medium-sized or larger — meaning 50 or more employees, or annual turnover and balance sheet total exceeding €10 million
  3. Establishment: the organisation is established in Cyprus, or — for specific digital service types (DNS, top-level domain registries, cloud computing, data centres, trust services, CDN providers) — provides services to users in Cyprus regardless of establishment location

[Figure: Cyprus NIS2 3-part scope test flowchart covering sector, size threshold, and establishment criteria. Compliance obligations under Law 60(I)/2025 apply from April 2025 regardless of whether the DSA has formally notified your organisation.]

Size does not determine scope for certain entity types. Qualified trust service providers, top-level domain registries, and DNS service providers fall within scope regardless of their size.

| Sector | Entity Type | Classification |
| --- | --- | --- |
| Banking | Credit institutions | Essential |
| Financial market infrastructure | Trading venues, CCPs, payment systems | Essential |
| Transport | Maritime transport operators, port operators | Essential |
| Digital infrastructure | Telecoms providers, cable landing station operators, cloud, data centres | Essential |
| Energy | Electricity, gas, oil, hydrogen operators | Essential |
| Public administration | Central and regional government bodies | Essential |
| ICT service management | Managed service providers, managed security service providers | Essential |
| Digital providers | Online marketplaces, search engines, social platforms | Important |
| Manufacturing | Medical devices, electronics, machinery, vehicles | Important |
| Food | Large-scale food production and distribution | Important |

The DSA conducts a national assessment to identify which specific Cypriot organisations meet these thresholds. Entities do not self-register and cannot wait to be contacted — if your sector, size, and establishment match the criteria, compliance obligations apply from the law’s enactment date regardless of whether you have received formal DSA notification. For a detailed breakdown of the full scope criteria and size thresholds, see Who Must Comply with NIS2? Scope, Sectors, and Size Thresholds.

Financial Services — The Highest-Stakes Sector in Cyprus

Cyprus’s banking sector held approximately €65.6 billion in total assets at the close of 2024, growing toward €70 billion through 2025 according to aggregate data from the Central Bank of Cyprus. This concentration of financial assets — in a country of approximately 1.3 million people — places Cypriot banks among the most systemically significant essential entities on the island, and squarely in the highest supervision tier under Law 60(I)/2025.

[Figure: Three-column NIS2 compliance table comparing Cyprus financial services, shipping, and telecoms sector obligations. Financial entities face dual NIS2 and DORA obligations; shipping fleet IT networks remain in scope despite flag state exemptions.]

Banking and financial market infrastructure are both classified in Annex I of Directive (EU) 2022/2555 as highly critical sectors. Cypriot credit institutions meeting the medium-enterprise size threshold qualify automatically as essential entities, subject to the DSA’s proactive supervision regime and the €10 million penalty ceiling.

Additional financial entities in scope under the Cypriot law:

  • Credit institutions — essential entities
  • Financial market operators (stock exchanges, central counterparties, payment systems) — essential entities
  • Crypto-asset service providers (CASPs) — important or essential depending on size; CySEC-authorised CASPs are a growing segment given Cyprus’s position as an EU hub for crypto-asset regulation
  • Investment firms — important entities at medium-enterprise threshold and above
  • Insurance undertakings — important entities if they meet the size threshold

DORA and NIS2 overlap for banks. Significant Cypriot financial institutions face a dual regulatory layer. The EU’s Digital Operational Resilience Act (DORA), applicable from January 2025, imposes detailed ICT risk management requirements on banks, investment firms, and insurers that substantially overlap with NIS2’s Article 21 obligations. Meeting DORA’s stricter ICT resilience standards generally satisfies the equivalent NIS2 requirements — but the two regimes have separate supervisory chains. DORA supervision runs through the Central Bank of Cyprus and CySEC; NIS2 supervision runs through the DSA. Finance teams must coordinate reporting and evidence across both regimes.

Directors and senior managers at Cypriot financial entities must understand that Law 60(I)/2025 expressly places final accountability for cybersecurity risk management with the management body. Gross negligence proven in connection with a significant incident can result in personal liability — a material change from the pre-2025 framework.

Shipping — Cyprus’s Flag State Registry Under NIS2

Cyprus operates the 3rd-largest merchant ship registry in the European Union and the 11th-largest globally, with a fleet exceeding 24 million gross tonnes. Ship management revenues reached €918 million in the second half of 2024 alone — equivalent to 5.28% of Cyprus’s GDP and a 27% year-on-year increase — making maritime services one of the island’s most economically significant sectors.

Under Law 60(I)/2025, maritime transport falls within the transport sector listed in Annex I (essential entities). The scope includes:

  • Shipping companies operating vessels and meeting the medium-enterprise threshold
  • Ship management companies managing crewing, technical operations, and fleet IT on behalf of vessel owners — a common structure in Limassol’s ship management cluster
  • Port managing bodies and port operators — Limassol’s port, as Cyprus’s primary commercial port, likely meets the essential entity threshold by economic significance
  • Short-sea and inland waterway shipping operators

The practical implications for Cyprus’s ship management sector are significant. Companies managing fleets on behalf of non-EU shipowners must assess whether their own IT and operational systems meet Article 21 requirements. Systems most relevant to maritime NIS2 compliance include vessel management software, crew certification and crewing databases, port state control and flag state communication channels, and IT/OT convergence points between fleet management systems and vessel-side networks.

Flag state registration itself — the administrative processing function of the Shipping Deputy Ministry — is covered under the public administration NIS2 sector as a government function, not as a commercial shipping operator obligation.

Telecoms — Submarine Cable Infrastructure and Digital Scope

Cyprus’s geographic position as an island with no land borders makes submarine cables not just the primary international connectivity route but the only one. CYTA (Cyprus Telecommunications Authority) operates cable landing stations at Ayia Napa, Pentaskhinos, and Yeroskipos. Primetel owns Cyprus’s first privately operated cable landing station at Yeroskipos. The island connects to the SEA-ME-WE 3 system — linking Western Europe, the Middle East, and Asia — and, as of October 2025, hosts the newly landed BlueMed cable developed by Sparkle in partnership with Google, connecting Italy, the Mediterranean, the Near East, and India.

Under Law 60(I)/2025’s Annex I digital infrastructure category, electronic communications providers meeting the size threshold qualify as essential entities. Cable landing station operators are covered under the same digital infrastructure scope, making CYTA and Primetel subject to DSA proactive supervision.

Specific NIS2 obligations relevant to Cypriot telecoms operators:

  • Supply chain security for cable maintenance and network operations contracts
  • Incident reporting to CSIRT-CY within 6 hours of awareness of significant service disruptions
  • Physical security measures for cable landing station infrastructure
  • Network resilience planning covering cable cut or partial disruption scenarios
  • Encryption of traffic across managed infrastructure where applicable under Article 21(2)(h)

The European Commission’s 2025 BEREC report on submarine cable connectivity directly addresses cable landing station resilience. As a terminal node on multiple international cable systems, Cyprus faces disproportionate systemic risk from any single cable disruption — a risk profile the DSA is likely to weight heavily in supervision prioritisation.

Article 21 — The Ten Security Domains You Must Address

Article 21 of Directive (EU) 2022/2555, incorporated into Law 60(I)/2025, requires essential and important entities to implement risk-based measures across ten security domains. Risk-based means your measures must be proportionate to your threat profile, sector, and operational scale — a Cypriot bank faces stricter expectations than a mid-sized food manufacturer, even if both qualify as covered entities.

[Figure: Cyprus NIS2 Article 21 grid showing ten mandatory security domains with minimum deliverable requirements. Conformity assessments by accredited CABs or ISO/IEC 27001 certification serve as primary compliance evidence for the DSA.]

The ten Article 21(2) domains and their practical implications for Cyprus-based entities:

| Domain | Article 21(2) | Minimum Deliverable |
| --- | --- | --- |
| Risk analysis and security policies | (a) | Board-approved, written cybersecurity risk policy |
| Incident handling | (b) | Documented detection, escalation, and CSIRT-CY notification procedure |
| Business continuity and crisis management | (c) | Tested backup systems; disaster recovery plan covering primary services |
| Supply chain security | (d) | Vendor risk assessments; contractual cybersecurity requirements for critical suppliers |
| Secure acquisition, development, and maintenance | (e) | Vulnerability disclosure policy; security review in procurement process |
| Effectiveness assessment policies | (f) | Regular internal or independent testing; documented remediation tracking |
| Cyber hygiene and training | (g) | Mandatory staff cybersecurity training programme; documented completion |
| Cryptography and encryption | (h) | Encryption policy for data in transit and at rest; key management procedure |
| HR security, access control, and asset management | (i) | Role-based access; leavers procedure; asset inventory |
| Multi-factor authentication | (j) | MFA for all privileged access; ideally extended to all remote access |

ISO/IEC 27001 certification maps directly to several of these domains and provides recognised compliance evidence to the DSA during supervision reviews. The DSA has indicated that conformity assessments by accredited Conformity Assessment Bodies (CABs) will be a standard supervision tool alongside its own inspection powers.

For the full legal basis of the NIS2 Directive and how Cyprus’s law relates to the EU framework, see What Is the NIS2 Directive? A Complete Guide for 2026.

Reporting Incidents to CSIRT-CY

A cybersecurity incident qualifies as “significant” under Law 60(I)/2025 if it causes serious service disruption, financial loss to your organisation, or material damage — financial or otherwise — to other parties. In practice, any incident causing meaningful downtime to a banking transaction system, port operation, or telecoms service is likely to cross this threshold.

[Figure: Cyprus NIS2 CSIRT-CY incident notification timeline from 6-hour early warning to one-month final report. The 6-hour window starts from team awareness, not forensic completion — build automated detection and pre-defined escalation paths.]

Significant incidents must be reported to CSIRT-CY at reporting@csirt.cy in the following stages:

| Stage | Deadline | Minimum Content |
| --- | --- | --- |
| Early warning | 6 hours from awareness | Whether a cyberattack is suspected; any cross-border impact |
| Initial notification | 72 hours from awareness (24 hours for trust service providers) | Updated assessment, severity, indicators of compromise |
| Final report | 1 month after initial notification | Full technical description, root cause, mitigation taken, impact assessment |
| Progress reports | Every 15 days if incident is ongoing | Status update until restoration is complete |

The 6-hour early warning clock starts when your team becomes aware of the incident — not when the root cause is confirmed, not when forensic analysis is complete. Building automated detection and a pre-defined escalation path to CSIRT-CY notification is the only practical way to meet this timeline consistently.
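An escalation-clock helper for the staged deadlines above, added here as an example rather than anything CSIRT-CY or the DSA publishes; it assumes the "one month" final-report window is a calendar month and uses constructed timestamps.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Windows from the staged-reporting table (constructed helper, not CSIRT-CY tooling).
EARLY_WARNING = timedelta(hours=6)
INITIAL_DEFAULT = timedelta(hours=72)
INITIAL_TRUST_SERVICE = timedelta(hours=24)   # trust service providers: 24 hours
PROGRESS_INTERVAL = timedelta(days=15)


@dataclass(frozen=True)
class Stage:
    name: str
    due: datetime           # hard deadline, timezone-aware
    minimum_content: str    # what the submission must contain at minimum


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Builds a UTC timestamp; the clock must be unambiguous across a 6-hour window."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def notification_schedule(aware_at: datetime, trust_service_provider: bool = False) -> List[Stage]:
    """Deadlines run from the moment the team becomes aware, not from root-cause confirmation."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware so deadlines are unambiguous")
    initial_window = INITIAL_TRUST_SERVICE if trust_service_provider else INITIAL_DEFAULT
    return [
        Stage("early_warning", aware_at + EARLY_WARNING,
              "whether a cyberattack is suspected; any cross-border impact"),
        Stage("initial_notification", aware_at + initial_window,
              "updated assessment, severity, indicators of compromise"),
    ]


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month arithmetic (assumption): 31 January + 1 month lands on the last day of February."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def final_report_due(initial_sent_at: datetime) -> datetime:
    """Final report: one month after the initial notification was submitted."""
    return add_one_month(initial_sent_at)


def progress_report_dates(initial_sent_at: datetime, restored_at: datetime) -> List[datetime]:
    """Progress reports every 15 days after the initial notification while the incident is ongoing."""
    dates, nxt = [], initial_sent_at + PROGRESS_INTERVAL
    while nxt < restored_at:
        dates.append(nxt)
        nxt += PROGRESS_INTERVAL
    return dates


def overdue_stages(stages: List[Stage], now: datetime, sent: Dict[str, datetime]) -> List[str]:
    """Stages whose deadline has passed with no recorded submission: drives the escalation alarm."""
    return [s.name for s in stages if s.name not in sent and now > s.due]


def is_on_time(stage: Stage, sent_at: datetime) -> bool:
    return sent_at <= stage.due


if __name__ == "__main__":
    # Constructed scenario: the SOC confirms a significant incident late on 30 January 2025.
    aware = utc(2025, 1, 30, 20)
    for stage in notification_schedule(aware):
        print(f"{stage.name:<22} due {stage.due:%Y-%m-%d %H:%M} UTC: {stage.minimum_content}")
    initial_sent = utc(2025, 1, 31, 18)
    print("final report due:", final_report_due(initial_sent))
    print("progress reports:", progress_report_dates(initial_sent, utc(2025, 3, 10)))
    print("overdue at 03:00:", overdue_stages(notification_schedule(aware), utc(2025, 1, 31, 3), {}))
```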

Management Liability — Personal Accountability Under Cypriot Law

Law 60(I)/2025 implements Article 20 of Directive (EU) 2022/2555, which places NIS2 governance responsibility squarely with the management body — the board of directors, executive committee, or equivalent governing body — rather than delegating it entirely to IT or security teams.

Management body obligations include:

  • Approving the organisation’s cybersecurity risk management policy — this must be a board-level action, not an IT department sign-off
  • Monitoring the policy’s implementation and effectiveness through regular reporting
  • Undertaking cybersecurity training themselves, as members of the management body

Beyond governance, the law introduces personal liability. Directors, CEOs, and senior managers can be held personally liable if they are proven to have acted with gross negligence in connection with a significant cybersecurity incident. This is the first time personal financial and legal exposure has been explicitly attached to cybersecurity oversight obligations in Cypriot law.

Additional DSA enforcement tools at the individual level include requiring public identification of responsible individuals at persistently non-compliant entities and banning individuals from management functions in cases of serious or repeated violations.

Penalties and DSA Enforcement Powers

| Entity Type | Maximum Administrative Fine |
| --- | --- |
| Essential entities | €10 million or 2% of global annual turnover — whichever is higher |
| Important entities | €7 million or 1.4% of global annual turnover — whichever is higher |
| National law violations (additional) | Up to €200,000 (€10,000 per day for continued violation) |
| EU regulation breaches (additional) | Up to €300,400 (€200,000 per day if repeated) |

Beyond fines, the DSA can issue binding corrective action orders, appoint a supervisory officer to oversee compliance at a non-compliant entity, and initiate proceedings for temporary management bans. Cyprus has signalled that enforcement activity will increase through 2025 and 2026 as the DSA completes its national entity identification process.

Cyprus NIS2 Compliance Checklist

Use this checklist to assess where your organisation stands. Each item corresponds to a specific obligation under Law 60(I)/2025.

  • Confirm scope: verify your sector, size (50+ employees or €10M+ turnover), and Cypriot establishment against the three-criteria test
  • Classify entity type: essential (Annex I) or important (Annex II) — this determines your penalty ceiling and supervision intensity
  • Assign management ownership: document board approval of your cybersecurity risk policy; assign a C-level executive as cybersecurity owner
  • Complete an Article 21 gap assessment: assess all ten security domains against your current control environment
  • Build a 6-hour incident notification capability: your team must be able to assess and notify CSIRT-CY within 6 hours of becoming aware of a significant incident
  • Register CSIRT-CY as your notification endpoint: add reporting@csirt.cy to your incident escalation procedure and test it
  • Audit your supply chain: NIS2 extends security obligations to managed service providers, cloud vendors, and critical third-party suppliers
  • Run mandatory cyber hygiene training: Article 21(2)(g) makes staff training a legal obligation — document completion
  • Commission a conformity assessment: ISO/IEC 27001 certification or a CAB audit provides DSA-recognised compliance evidence
  • Coordinate DORA obligations (financial entities): align NIS2 DSA obligations with your Central Bank of Cyprus or CySEC DORA supervision requirements to avoid duplicated evidence-gathering

Frequently Asked Questions

Is Cyprus fully NIS2-compliant as of 2026?
Law 60(I)/2025 enacted the directive into Cypriot law on 25 April 2025. However, the European Commission issued a reasoned opinion in May 2025 noting incomplete transposition notification, and practical supervision — entity identification, registered entity lists, active audits — is still being established. Compliance obligations for covered entities apply from the law’s enactment date regardless of where DSA’s supervisory procedures stand.

Do I need to register with the DSA?
No. The DSA conducts a national assessment to identify covered entities; organisations do not self-register. Waiting to be notified is not a defensible compliance position — if your organisation meets all three criteria, your obligations apply from April 2025.

What is the difference between the DSA and CSIRT-CY?
The DSA is the supervisory and enforcement authority: it identifies entities, audits compliance, and imposes penalties. CSIRT-CY is the operational incident response body: it receives incident notifications and provides technical assistance. For compliance audits and regulatory inquiries, the DSA is your point of contact. For incident notification, use reporting@csirt.cy.

Does NIS2 apply to my Limassol ship management company?
If your company provides maritime transport services, manages vessels on behalf of owners, or operates port facilities, and meets the medium-enterprise threshold (50+ employees or €10M+ annual turnover), you likely fall within the Annex I transport sector as an essential entity. The DSA makes the formal determination through its national assessment, but the law’s criteria are objective and apply regardless of notification.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
