NIS2 Cyprus Compliance Guide: Security of Networks and Information Systems Law and DSA Requirements for 2026

Complete guide to NIS2 compliance in Cyprus — covering the Security of Networks and Information Systems Law (N.89(I)/2020 as amended by N.60(I)/2025), Digital Security Authority (DSA) enforcement, CSIRT-CY incident reporting, entity classification, sector requirements, penalties, implementation timeline, and cyber insurance implications for Cypriot entities.

Cyprus transposition of NIS2 has been one of the most distinctive in the EU — not for its speed (it missed the October 2024 deadline by six months), but for its strictest-in-class early warning requirement: just 6 hours instead of the Directive’s standard 24 hours. The Security of Networks and Information Systems Law (N.89(I)/2020), comprehensively amended by Law N.60(I)/2025, establishes the Digital Security Authority (DSA) as Cyprus’s Single Point of Contact, competent authority, and CSIRT host — all under the supervisory oversight of OCECPR (Office of the Commissioner of Electronic Communications and Postal Regulation). Cyprus also uniquely references NIST 800-53 alongside ISO 27001, and mandates a Cybersecurity Maturity Assessment for all in-scope entities.

This guide covers Cyprus’s NIS2 transposition, DSA enforcement, CSIRT-CY incident reporting procedures, entity classification, sector-specific requirements, penalties, implementation milestones, and practical steps for compliance.

Cyprus’s NIS2 Transposition: Where Things Stand

Cyprus implemented NIS2 through a two-stage legislative process:

  • Security of Networks and Information Systems Law (N.89(I)/2020): The original 2020 law transposed NIS1 (Directive 2016/1148). It established OCECPR as the competent authority and created the foundation for network and information systems security in Cyprus.
  • Security of Networks and Information Systems (Amendment) Law (N.60(I)/2025): Published on 25 April 2025, this amendment transposes NIS2 comprehensively, replacing and significantly expanding the 2020 law. It introduces the DSA as the new central authority, expands entity scope, adds personal liability provisions, and sets the enhanced penalty framework.

Cyprus is not among the majority of Member States that transposed on time. The European Commission issued a Reasoned Opinion on 7 May 2025 for failure to notify full transposition by the 17 October 2024 deadline. The legislative process is now complete, and implementation is ongoing.

Key Dates and Timeline

Milestone | Date
NIS2 Directive adopted | January 2023
Original NIS Law (N.89(I)/2020) | 2020 (NIS1 transposition)
EU transposition deadline | 17 October 2024
Amendment Law (N.60(I)/2025) published | 25 April 2025
Amendment enters into force | April 2025
EC Reasoned Opinion issued | 7 May 2025
Entity registration and classification | Ongoing (2025–2026)
Full supervisory regime expected | 2026

Important: Cyprus missed the EU transposition deadline and received a Reasoned Opinion from the European Commission. The legislative framework is now in place, but the full supervisory and enforcement infrastructure is still being stood up. Entities should treat the April 2025 law as in force and begin compliance preparations immediately.

Comparison with Other EU Countries

Cyprus’s transposition shares characteristics with several EU states in our country guide series:

  • Greece (ENSI): Similar delayed transposition timeline, comparable multi-authority model with national CSIRT
  • Croatia (NCSC-HR/CERT.hr): Also imposes strict early warning timelines; similar phased implementation approach
  • Romania (ANSI): Similar late transposition, comparable penalty structure
  • Bulgaria (DAEU): Southeast European neighbor, similar DSA-style central authority model
  • Malta (MITA): Small EU member state, comparable size thresholds and single-authority approach
  • Spain (INCIBE): More mature transposition, stronger guidance ecosystem — useful reference for best practices

Key Regulatory Bodies

DSA — Digital Security Authority (Αρχή Ψηφιακής Ασφάλειας)

The Digital Security Authority (DSA) is Cyprus’s central body for NIS2 implementation and enforcement:

  • Single Point of Contact (SPOC) for EU-level coordination under NIS2 Article 8
  • National Competent Authority (NCA) for Essential and Important Entities
  • CSIRT Authority — hosts CSIRT-CY
  • Supervised by OCECPR for policy and strategic oversight

The DSA was originally established under Law 17(I)/2018 and assumed NIS powers from OCECPR. Following the N.60(I)/2025 amendment, DSA now holds expanded NIS2 powers.

Contact:

OCECPR — Office of the Commissioner of Electronic Communications and Postal Regulation

OCECPR (Το Γραφείο του Επιτρόπου Ηλεκτρονικών Επικοινωνιών και Ταχυδρομικών Ρυθμίσεων) serves as the supervisory authority over DSA:

  • Sets strategic cybersecurity policy direction
  • Oversees DSA operations
  • Was the original NIS competent authority (appointed 2004) under the pre-NIS2 framework
  • Retains regulatory oversight functions for electronic communications sector

Contact:

CSIRT-CY — National Computer Security Incident Response Team

CSIRT-CY is Cyprus’s national CSIRT, operated by the DSA:

  • Full Member of FIRST (Forum of Incident Response and Security Teams) since 2018
  • Certified by Trusted Introducer
  • Handles all incident reporting for Essential and Important Entities
  • Coordinates cross-border incident response with EU CSIRTs Network

Contact:

  • Address: 1 Andrea Chaliou, 2408 Egkomi, Nicosia, Cyprus
  • Incident Reporting Email: reporting@csirt.cy
  • General Email: info@csirt.cy
  • Main Phone: +357 22 693 094
  • Emergency Phone: +357 22 693 095
  • Business Hours: 07:30 to 22:00 Monday to Friday
  • PGP Fingerprint: 065F DA54 5AED 5BCD ACFC C974 A147 FE8E 0807 DC32

Sectoral Competent Authorities

Cyprus uses a multi-authority model with sectoral regulators overseeing entity compliance within their domains:

Authority | Sector
Digital Security Authority (DSA) | Digital infrastructure, DNS, cloud, data centres, trust services
Central Bank of Cyprus | Banking, financial market infrastructures
Cyprus Securities and Exchange Commission (CySEC) | Investment firms, crypto-asset services
Cyprus Energy Regulatory Authority (CERA) | Electricity, oil, gas
Deputy Ministry of Shipping | Maritime transport
Ministry of Health | Healthcare
Ministry of Transport, Communications and Works | Road, rail, air transport
Cyprus Water Board / Water Boards | Water supply and distribution

Which Entities Are Affected?

Essential Entities

Essential Entities under Cyprus law include operators in these sectors (Annex I of NIS2 Directive, as transposed):

  • Energy: Electricity operators, oil and gas pipeline operators, LNG facilities
  • Transport: Air carriers, airport managing bodies, port operators, rail operators, road transport operators
  • Banking and Financial Market Infrastructure: Credit institutions, investment firms, crypto-asset service providers (MiCA), benchmark administrators
  • Health: Hospitals, private clinics, blood banks, laboratories, pharmaceutical wholesalers, medical device manufacturers
  • Water Supply and Distribution: Dams, reservoirs, water treatment facilities, key distributors
  • Digital Infrastructure: Cloud computing service providers, data centre operators, DNS providers, TLD registries
  • Electronic Communications: Providers of public electronic communications networks and services
  • Public Administration: Central and local government bodies
  • Space: Operators of ground-based infrastructure supporting EU space programmes

Important Entities

Important Entities include (Annex II of NIS2 Directive):

  • Postal and Courier Services: Cyprus Post, private courier operators
  • Waste Management: Collection, treatment, and disposal operators
  • Chemicals: Production and distribution of hazardous substances
  • Food Production: Large-scale food processing and distribution
  • Manufacturing: Certain manufacturing sectors as designated
  • Digital Service Providers (DSPs): Online marketplaces, search engines, social media platforms (with EU revenue threshold)

Size Thresholds

Category | Employees | Annual Revenue
Medium Enterprise | 50+ | >€10 million
Large Enterprise | 250+ | >€50 million

Cyprus applies the standard NIS2 size-cap rule. Entities below the medium threshold are generally out of scope unless they provide critical digital services regardless of size — specifically, electronic communications providers, trust service providers, DNS providers, cloud computing providers, and data centre operators.

Entity Designation Process

The DSA has published a self-assessment tool at nis2.dsa.cy to help organizations determine whether they fall within scope. Entities that meet the criteria must:

  1. Complete the DSA’s self-assessment tool
  2. Register with the DSA
  3. Submit basic profile information including sector classification
  4. Await formal notification of classification as Essential or Important Entity
  5. Complete the mandatory Cybersecurity Maturity Assessment (based on C2M2, ISO 27002, and NIST 800-53 standards)

The DSA maintains and regularly updates the national registry of in-scope entities.

Cyprus-Specific Requirements (Beyond NIS2 Minimums)

Cyprus has introduced several requirements that go beyond the NIS2 Directive’s minimum standards:

6-Hour Early Warning (Most Strict in EU)

Unlike the NIS2 Directive’s 24-hour early warning requirement, Cyprus law mandates early warning within 6 hours of becoming aware of a significant incident. This is one of the strictest timelines in the EU and requires entities to have near-real-time incident detection and escalation procedures.

Mandatory Cybersecurity Maturity Assessment

The DSA requires all classified entities to complete a Cybersecurity Maturity Assessment using a framework based on:

  • C2M2 (Cybersecurity Capability Maturity Model)
  • ISO 27002 (Information Security Controls)
  • NIST 800-53 (Security and Privacy Controls)

This assessment is currently available in Greek only through the DSA portal.

NIST 800-53 as an Explicit Reference Standard

Unlike most EU Member States that reference ISO 27001/27002 as their technical baseline, Cyprus’s DSA explicitly references NIST SP 800-53 as an approved security framework. This is notable for US-headquartered multinationals operating in Cyprus, as their existing NIST-based security programmes may align more directly with local requirements.

DSA Registration Requirement

All potentially in-scope entities must proactively register with the DSA through the nis2.dsa.cy portal. There is no “silent if exempt” provision — entities must submit basic profile information regardless of classification outcome.

Penalties and Enforcement

Entity-Level Fines

Cyprus has adopted the NIS2 maximum penalty framework:

Entity Type | Maximum Fine
Essential Entities | €10 million or 2% of global annual turnover (whichever is higher)
Important Entities | €7 million or 1.4% of global annual turnover (whichever is higher)

The turnover-based calculation means that large multinationals in-scope could face fines far exceeding the nominal euro amounts.

Personal Liability for Management

Cyprus law includes explicit provisions for individual administrative liability of senior management:

Violation | Maximum Fine
Person violating law provisions (individual) | Up to €200,000 per violation
Repeated violation (daily continuation) | Up to €10,000 per day
Violation of EU Decisions/Regulations | Up to €300,400
Repeated EU Decision violations | Up to €200,000 for repeated violations
Non-compliance with information request | Up to €5,000

Senior management can be held personally accountable for failures to implement required security measures or for non-cooperation with supervisory authorities.

Enforcement Status

As of April 2026, the DSA is still establishing its full supervisory regime following the April 2025 law’s entry into force. The EC Reasoned Opinion of 7 May 2025 indicates ongoing scrutiny of Cyprus’s implementation progress. Entities should not wait for enforcement to begin before implementing compliance measures — the grace period for supervisory onboarding does not exempt entities from substantive compliance obligations.

Compliance Requirements

Article 21 Risk Management Measures

Under Article 21 of NIS2 (transposed into Cyprus law), Essential Entities must implement:

  1. Risk analysis and information security policies — documented security strategies, updated annually
  2. Incident handling — processes for prevention, detection, response, and recovery
  3. Business continuity and crisis communication — backup procedures, disaster recovery, crisis management plans
  4. Supply chain security — assessing security of suppliers and service providers (including ICT third-party providers)
  5. Security in network and information system acquisition, development, and maintenance — secure development lifecycle
  6. Policies on effective use of cryptography and encryption — encryption of sensitive data at rest and in transit
  7. Human resources security — background checks, security awareness training, disciplinary processes
  8. Asset management — inventory of information assets, classification, access control
  9. Access control policies — least privilege, MFA for privileged access, periodic access reviews
  10. Use of multi-factor authentication — mandatory for all access to network infrastructure

Important Entities must implement measures proportionate to their risk profile, with a similar (though less prescriptive) set of requirements.

Incident Reporting Requirements

Cyprus’s reporting timelines are stricter than the NIS2 Directive minimums:

Notification Stage | Deadline | Content Requirements
Early Warning | 6 hours (vs. NIS2’s 24h; Cyprus-specific, significantly stricter than the EU standard) | Initial notification that a significant incident has occurred
Full Incident Notification | 72 hours | Incident description, severity, initial impact assessment, indicators of compromise
Final/Progress Report | 1 month | Detailed incident report, root cause analysis, mitigation measures, indicators of compromise

Important: The 6-hour early warning is among the most demanding requirements in the EU. Entities must have security monitoring and escalation procedures capable of detecting and escalating significant incidents within this window — even outside business hours.

Where to report: Incidents should be reported to CSIRT-CY via:

  • Email: reporting@csirt.cy
  • Phone (business hours): +357 22 693 095
  • PGP-encrypted email using CSIRT-CY’s public key (fingerprint: 065F DA54 5AED 5BCD ACFC C974 A147 FE8E 0807 DC32)

Supply Chain Security

Under Article 21(8) of NIS2 as transposed, entities must assess and manage security risks arising from their ICT supply chain and relationships with third-party service providers. This includes:

  • Security assessments of software vendors and ICT service providers
  • Contractual security requirements in vendor agreements
  • Monitoring of supplier security posture
  • Business dependency mapping for critical ICT services
  • Considerations for cloud migration and outsourcing

The DSA’s guidance emphasises that entities cannot transfer NIS2 obligations to third parties and remain responsible for compliance even when services are outsourced.

Implementation Roadmap for Cypriot Entities

Phase 1 — Immediate (April–June 2026)

  1. Determine scope — Use the DSA self-assessment tool at nis2.dsa.cy to establish whether your entity is in scope
  2. Register with DSA — Submit entity profile and await classification notification
  3. Identify your competent authorities — Determine which sectoral authority governs your entity
  4. Assign NIS2 responsibilities — Designate a security officer and establish internal governance
  5. Map your network and information systems — Complete a comprehensive asset inventory

Phase 2 — Foundation (July–December 2026)

  1. Conduct Cybersecurity Maturity Assessment — Complete the DSA’s C2M2/NIST 800-53 based assessment
  2. Gap analysis against Article 21 requirements — Identify deficiencies in current security posture
  3. Update incident response procedures — Ensure processes can meet the 6-hour early warning deadline
  4. Supply chain security review — Assess ICT third-party providers and update contracts
  5. Begin staff awareness training — Establish security training programme for all personnel

Phase 3 — Full Compliance (2027)

  1. Implement Article 21 measures — Deploy technical and organisational controls meeting all requirements
  2. Test incident reporting procedures — Conduct tabletop exercises simulating 6-hour early warning scenario
  3. Establish business continuity plans — Crisis communication, disaster recovery, backup procedures
  4. Submit to DSA audit — Cooperate with supervisory authority assessments
  5. Maintain ongoing compliance — Annual review, continuous monitoring, regular DSA reporting

Cyber Insurance Implications for Cypriot Entities

Why Cypriot Entities Need Cyber Insurance

Cypriot entities face a convergence of heightened risk and regulatory pressure:

  • 6-hour early warning requirement means incidents must be detected, escalated, and reported within hours — a tight window that increases the importance of having incident response retainers and insurance coverage pre-arranged
  • Personal liability for management means directors and officers can face individual fines of up to €200,000 — a D&O exposure that cyber insurance can address
  • Turnover-based penalty calculations mean large financial institutions and telecoms could face fines in the tens of millions of euros — making liability limits a material risk management consideration
  • Ongoing EC scrutiny of Cyprus’s transposition means enforcement is likely to be vigorous once the DSA’s supervisory infrastructure is fully operational

What Underwriters Should Ask

When underwriting Cypriot entities under NIS2, insurers should seek:

  1. Has the entity completed the DSA self-assessment and received classification as Essential or Important?
  2. Does the entity’s incident response plan meet the 6-hour early warning deadline — and has this been tested?
  3. What is the entity’s Cybersecurity Maturity Assessment score using the C2M2/NIST 800-53 framework?
  4. Has the entity conducted a supply chain security assessment of critical ICT third-party providers?
  5. Does the entity use multi-factor authentication across all privileged access points?
  6. What encryption standards are in place for sensitive data at rest and in transit?
  7. Does the entity have a tested business continuity and disaster recovery plan?
  8. Are there documented incident reporting procedures that include the 72-hour full notification and 1-month final report requirements?
  9. What is the entity’s ICT asset inventory and classification?
  10. Has management liability (D&O exposure for individual fines) been explicitly considered in the coverage?

Coverage Considerations

For Cypriot entities, cyber insurance policies should explicitly address:

  • Regulatory defence costs — Coverage for legal costs defending against DSA investigations and enforcement actions
  • Personal liability extensions — D&O coverage for management individual fines under NIS2 personal liability provisions
  • Incident response costs — Pre-approved forensic, legal, and PR retainers that can be activated within hours
  • Business interruption — Loss of income resulting from a cyber incident, including supply chain attacks
  • Data restoration — Costs to restore or recreate data following a ransomware or destructive attack
  • Overlapping GDPR exposure — Many in-scope sectors (health, banking) also have GDPR obligations, so combined coverage is important

For broker advisory guidance, see our posts on NIS2 penalties explained and cyber insurance coverage gaps.

Key Takeaways

  1. Cyprus missed the October 2024 EU deadline and received a Reasoned Opinion from the European Commission — transposition is now complete but enforcement infrastructure is still being established
  2. The 6-hour early warning requirement (vs. NIS2’s standard 24 hours) is among the strictest in the EU and demands near-real-time incident detection and escalation
  3. Register with the DSA immediately using nis2.dsa.cy — proactive registration is required even if the entity ultimately falls outside scope
  4. Complete the mandatory Cybersecurity Maturity Assessment based on C2M2, ISO 27002, and NIST 800-53 — this is a unique feature of Cyprus’s transposition
  5. Personal liability for management includes individual fines of up to €200,000 per violation — directors and officers should understand their personal exposure
  6. Entity fines reach up to €10M or 2% of global turnover for Essential Entities and €7M or 1.4% for Important Entities
  7. Supply chain security is a key DSA focus area — ICT third-party providers must be assessed and monitored
  8. CSIRT-CY operates business hours (07:30–22:00) — entities must have out-of-hours escalation procedures for the 6-hour early warning requirement

Next Steps:

This guide reflects the legal framework as of April 2026 following the entry into force of Law N.60(I)/2025. The DSA’s supervisory procedures and guidance continue to evolve. Entities should consult the DSA official website and seek legal counsel for entity-specific compliance assessments.
