NIS2 Cyprus

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU. Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and has a broader scope to increase the resilience of critical infrastructures against cyber attacks.
The NIS2 Directive was transposed into Cypriot law by the Network and Information Systems Security (Amendment) Law of 2025 (Law 60(I)/2025), which amends the Network and Information Systems Security Law of 2020 (Law 89(I)/2020) (in Greek: Ο περί Ασφάλειας Δικτύων και Συστημάτων Πληροφοριών (Τροποποιητικός) Νόμος του 2025). It is hereinafter referred to as the NIS2 Act and has been in force since 25 April 2025.
On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how you can prepare for the new regulations.
The content of this page is subject to change and will be updated as necessary.
NIS2 entities
The Cypriot NIS2 Act is relevant for both legal entities and natural persons (collectively referred to as ‘entities’) registered in Cyprus and providing products and/or services in an EU country.
The NIS2 Act explicitly defines which public and private entities are subject to the cybersecurity obligations. A distinction is made between essential entities and important entities. The categorisation of entities takes into account the services provided, the size of the entity and the location of the entity.
In principle, your entity is subject to the Cypriot NIS2 Act if:
- your organisation provides services within a sector listed in Annex I or Annex II of the NIS2 Act;
- your organisation qualifies as a medium-sized or large enterprise, i.e. it meets or exceeds the thresholds for a medium-sized enterprise; and
- your organisation is established in Cyprus. Providers of public electronic communications networks and providers of publicly available electronic communications services are the exception: they are subject to the Cypriot NIS2 Act if they provide their services on Cypriot territory.
Criterion 1: services provided
Annexes I and II of the Cypriot NIS2 Act describe the sectors that fall within its scope. It is therefore very important to thoroughly analyse the services you provide to third parties by (sub)sector. The sectors listed in the Cypriot NIS2 Act correspond to the European NIS2 Directive.
Annex I: Highly critical sectors | Annex II: Other critical sectors
---|---
Energy • Electricity • District heating and cooling • Oil • Gas • Hydrogen | Postal and courier services
Transport • Air • Rail • Water • Road | Waste management
Banking | Manufacture, production and distribution of chemicals
Financial market infrastructures | Production, processing and distribution of food
Health | Manufacturing • Medical devices and in vitro diagnostic medical devices • Computer, electronic and optical products • Electrical equipment • Machinery and equipment n.e.c. • Motor vehicles, trailers and semi-trailers • Other transport equipment
Drinking water | Digital providers
Wastewater | Research
Digital infrastructure |
Management of ICT services (business-to-business) |
Public administration |
Space |
Criterion 2: company size
In addition to the services provided, the size of the entity also determines whether your organisation falls within the scope of the Cypriot NIS2 Act. Size is assessed using the EU definition of micro, small and medium-sized enterprises (Commission Recommendation 2003/361/EC): an enterprise counts as at least medium-sized if it employs 50 or more persons, or if both its annual turnover and its annual balance sheet total exceed EUR 10 million. In principle, medium-sized and large enterprises must comply with the obligations under the NIS2 Act.
In addition, the NIS2 Act applies to the following providers regardless of the size of the entity:
- providers of public electronic communications networks or of publicly available electronic communications services;
- trust service providers;
- top-level domain (TLD) name registries;
- DNS service providers.
Furthermore, the NIS2 Act applies to entities regardless of their size if their activities are crucial to society or the economy. This is the case if:
- they provide services that are essential for critical societal or economic functions and are the sole provider of such a service in Cyprus;
- a disruption of their services would have a significant impact on public order, public safety or public health;
- an incident affecting them could give rise to systemic risk, in particular with cross-border consequences;
- they are of strategic or vital importance at national or regional level, for example because other sectors depend on them;
- the entity is a public administration entity.
Criterion 3: establishment in Cyprus
In principle, the Cypriot NIS2 Act applies only to entities established in Cyprus. By way of exception, the following entities are also subject to the Cypriot NIS2 Act:
- Providers of public electronic communications networks or providers of public electronic communications services offering their services in Cyprus;
- DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as online marketplace providers, online search engines or social networking service platforms, if they have their main establishment in Cyprus or if they have their legal representative for the EU in Cyprus in the event that they do not have an establishment within the EU;
- Public authorities established by Cyprus.
In addition to the three criteria above, when analysing the scope of the NIS2 Act, it should be taken into account that a non-NIS2 organisation may still be affected by the NIS2 Act because the national authority designates the entity as an essential or important entity or because the non-NIS2 organisation is part of the supply chain of an NIS2 organisation.
To determine whether your entity falls within the scope of the Cypriot NIS2 Act, you can use the NIS2 Self-Assessment Tool provided by the Digital Security Authority (DSA).
What does this mean for my company?
1. Registration
In Cyprus, essential and important entities covered by the NIS2 Act are not required to register themselves. Instead, the DSA conducts a national assessment to determine which organisations fall within the scope of the Act. This assessment is based on criticality, sectoral classification and other relevant criteria. The outcome of this analysis results in a provisional list of entities, which is then submitted to the Council of Ministers for approval.
Once an entity has been formally identified as essential or important, it is notified by the DSA of its status and obligations. At that stage, the entity must provide certain information to the DSA:
- Name of the organisation
- Address and current contact details of the entity, including email addresses and telephone numbers
- IP address ranges
- Sector and subsector
- Overview of EU Member States where services falling within the scope of the NIS2 Act are provided
Any changes to this information must be reported within two weeks.
Although there is currently no formal registration platform available, the DSA does offer a NIS2 Self-Assessment Tool, which organisations can use to make an initial assessment of their potential obligations under the NIS2 Act. This tool is informative and non-binding, and does not replace the official identification procedure carried out by the DSA.
2. Management measures
If your organisation is categorised as an essential or important entity, this means that you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems. These cybersecurity management measures include at least:
- Policy for risk analysis and security of information systems
- Incident management
- Business continuity, such as backup management and disaster recovery, and crisis management
- Supply chain security
- Security when acquiring, developing and maintaining network and information systems, including the response to and disclosure of vulnerabilities
- Policies and procedures to assess the effectiveness of measures to manage cyber security risks
- Cyber hygiene and cyber security training
- Policies and procedures on cryptography and, where applicable, encryption
- Security aspects relating to personnel, access policy and asset management
- Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and secure emergency communication systems within the entity, where applicable.
Commission Implementing Regulation (EU) 2024/2690 specifies the technical and methodological requirements for the above minimum measures for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines, social networking service platforms and trust service providers.
3. Reporting obligation of significant incidents
Essential and important entities are required to notify the national Computer Security Incident Response Team (CSIRT), i.e. CSIRT-CY, when a significant incident occurs. In addition, they must also notify the recipients of their services if the significant incident affects the provision of services relating to the (sub)sectors listed in Annexes I and II.
An incident is considered significant if:
- the incident has led or may lead to serious disruption of services or financial losses for the affected entity, or
- the incident has affected or may affect other natural or legal persons by causing significant material or immaterial damage.
The essential or important entity reports the significant incident by emailing the completed form to reporting@csirt.cy or via the online incident reporting form, in accordance with the following procedure:
- Without undue delay and in any event within 6 hours of becoming aware of the significant incident, the entity submits an early warning, indicating the suspected cause and any cross-border implications;
- Without undue delay and in any event within 72 hours of becoming aware of the significant incident, the entity submits an incident report that updates the early warning and gives an initial assessment of the incident, including its severity and impact. For trust service providers, the incident report is due within 24 hours;
- At the request of the competent CSIRT, the entity submits an interim report with relevant status updates;
- No later than one month after submitting the incident report, the entity submits a final report containing:
  - a detailed description of the incident, including its severity and consequences;
  - the type of threat or root cause that is likely to have led to the incident;
  - the mitigation measures applied and still ongoing;
  - the cross-border impact of the incident, where applicable;
- If the incident is still ongoing when the final report is due, the entity instead submits a progress report every 15 days after the incident report, until the final report is submitted. The final report is then due within 15 days of the restoration of the affected network or information system.
Commission Implementing Regulation (EU) 2024/2690 also defines when an incident is considered significant for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines, social networking service platforms and trust service providers. In the event of an inconsistency, these specific rules take precedence over the national rules.
Finally, all entities, regardless of whether they fall within the scope of the NIS2 Act, can voluntarily report (significant) incidents, cyber threats and near misses to the CSIRT-CY.
Further information on reporting significant cyber incidents is available from CSIRT-CY.
4. Obligations and responsibilities of management
The management bodies of essential and important entities are responsible for compliance with the NIS2 Act and must fulfil various obligations, including:
- approving the cybersecurity risk-management measures and overseeing their implementation;
- following training so that they acquire sufficient knowledge and skills to identify risks and to assess the risk-management measures and their impact on the services provided by the entity;
- offering regular cybersecurity training to the entity's employees.
Management bodies can be held liable for infringements of the NIS2 Act.
5. Cooperating with authorities
Essential and important entities must cooperate with the national authorities. This covers, among other things, the exchange of information on the security of network and information systems, the reporting of incidents and cooperation with the inspection service.
How can I demonstrate that my company is in compliance with the NIS2 legislation?
As indicated in the section 'Enforcement and sanctions', the competent authorities carry out inspections of essential and important entities to ensure compliance with the NIS2 Act.
Essential and important entities must have a compliance audit carried out at regular intervals. On the basis of an independent conformity assessment by an accredited Conformity Assessment Body (CAB), the entity can obtain a certificate with which it demonstrates compliance with the NIS2 Act to its stakeholders. Although the Cypriot NIS2 Act does not mandate specific frameworks, it refers to European standards; an international standard commonly used for this purpose is ISO/IEC 27001.
Enforcement and sanctions
The competent authority carries out inspections to verify that essential and important entities comply with the requirements. A distinction is made between the two categories:
- Essential entities are checked both proactively (ex ante) and reactively (ex post) and are required to undergo regular conformity assessments.
- Important entities are in principle only checked reactively, after an incident or in the event of suspected non-compliance with the law.
The Cypriot NIS2 Act provides for specific sanctions for entities that do not comply with the legal provisions. These sanctions vary according to the nature and seriousness of the infringement and are divided into administrative measures and administrative fines.
Possible administrative measures that may be imposed include issuing warnings, requiring the entity to take certain measures, appointing a supervisor to monitor compliance with the NIS2 Act, temporarily prohibiting the performance of management functions, etc.
Administrative fines are also laid down by law. For essential entities they can amount to up to EUR 10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher; for important entities, up to EUR 7,000,000 or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher. In addition, the Cypriot NIS2 Act provides for further fines depending on the nature of the infringement. For example, the DSA may impose a fine of up to EUR 200,000 for performing or failing to perform an act contrary to national law, with an additional fine of EUR 10,000 per day for as long as the infringement continues. For acts contravening European Union decisions or regulations, the fine can be up to EUR 300,400, with an additional fine of EUR 200,000 per day in the event of a repeat offence.
Timeline
- 17 October 2024: initial deadline for EU Member States to transpose the NIS2 Directive into national law
- 25 April 2025: Cypriot NIS2 Act enters into force
Competent authorities
In Cyprus, two national authorities are responsible for implementing and enforcing the NIS2 Act: the Digital Security Authority (DSA) and CSIRT-CY. Each plays a crucial role in strengthening the cybersecurity of essential and important entities within the country.
The Digital Security Authority (DSA) is the central supervisory authority for cybersecurity and for the implementation of the NIS2 Act in Cyprus. It supervises compliance with the Act by the organisations covered by it, identifies and registers entities, conducts audits and inspections, imposes penalties for non-compliance and maintains communication with European bodies such as ENISA.
In addition to the DSA, CSIRT-CY (Computer Security Incident Response Team Cyprus) also plays an important role within the NIS2 framework. CSIRT-CY is responsible for the operational management of cyber incidents and provides technical support to organisations in preventing, detecting and responding to cyber threats. The team collects and analyses information on vulnerabilities and threats and proactively shares it with relevant entities. CSIRT-CY works closely with other national and European CSIRTs to effectively address cross-border incidents and strengthen Cyprus’ overall cyber resilience.