The NIS2 Directive (EU 2022/2555) significantly expands the scope of cybersecurity regulation across the European Union. For Cyprus, this means a substantial increase in the number of organisations now subject to mandatory cybersecurity requirements, incident reporting obligations and management accountability rules. Whether you operate in energy, financial services, digital infrastructure, healthcare or a range of other sectors, NIS2 likely applies to your organisation.
Cyprus and the NIS2 Transposition
EU member states were required to transpose the NIS2 Directive into national law by 17 October 2024. Cyprus is in the process of implementing the Directive through national legislation that assigns oversight responsibilities to the Digital Security Authority (DSA), operating under the Ministry of Research, Innovation and Digital Policy. The DSA serves as the competent authority and national CSIRT (Computer Security Incident Response Team) coordinator in Cyprus.
Organisations in Cyprus should not wait for final national transposition to begin their NIS2 compliance work. The Directive's requirements are already clear, and supervisory authorities will expect organisations to demonstrate readiness from the moment national law enters into force.
Which Organisations Are in Scope in Cyprus?
NIS2 distinguishes between two categories of entity, each subject to different supervisory regimes and sanction levels:
Essential Entities (EE)
Essential Entities are subject to proactive, ex-ante supervision and face the highest sanctions (up to €10 million or 2% of global annual turnover). In Cyprus, sectors classified as essential include:
- Energy (electricity, oil, gas, district heating and cooling, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health sector (hospitals, laboratories, pharmaceutical manufacturers, medical device producers)
- Drinking water and wastewater
- Digital infrastructure (internet exchange points, DNS providers, TLD registries, cloud computing providers, data centres, content delivery networks, trust service providers, electronic communications networks)
- ICT service management (managed service providers and managed security service providers)
- Public administration (central government)
- Space
Important Entities (IE)
Important Entities are subject to reactive, ex-post supervision (typically triggered by incidents or complaints) and face lower sanction caps (up to €7 million or 1.4% of global annual turnover). Sectors include:
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Food production, processing and distribution
- Manufacturing (medical devices, computers, electronics, machinery, motor vehicles)
- Digital providers (online marketplaces, online search engines, social networking platforms)
- Research organisations
Why NIS2 Matters Specifically for Cyprus
Cyprus has a unique economic profile that makes NIS2 particularly significant. The island is home to a large concentration of financial services firms, investment companies, fintech businesses and shipping companies — many regulated by the Cyprus Securities and Exchange Commission (CySEC) and the Central Bank of Cyprus. These sectors fall squarely within NIS2's scope and must simultaneously manage cybersecurity obligations under NIS2 alongside their existing GDPR, MiFID II and AML compliance programmes.
The Limassol and Nicosia technology clusters also host a growing number of ICT service providers and managed service providers, who face the most demanding NIS2 requirements as Essential Entities in the ICT service management sector.
Core NIS2 Obligations
NIS2 Article 21 sets out the minimum cybersecurity risk management measures that all in-scope entities must implement:
- Risk analysis and information system security policies
- Incident handling — detection, analysis, containment and recovery
- Business continuity — backup management, disaster recovery and crisis management
- Supply chain security — security in relationships with direct suppliers and service providers
- Security in network and information systems acquisition, development and maintenance — including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and encryption
- Human resources security, access control policies and asset management
- Use of multi-factor authentication, secured voice, video and text communications, and encrypted communications
Incident Reporting Obligations
NIS2 introduces strict, legally binding reporting timelines that differ fundamentally from voluntary reporting under existing frameworks:
- Early warning — within 24 hours of becoming aware of a significant incident
- Incident notification — within 72 hours with an initial assessment of severity and impact
- Final report — within one month of the incident notification, including root cause, impact and remediation measures
An incident is "significant" if it has caused or is capable of causing severe operational disruption, financial loss, or material damage to other persons. Organisations in Cyprus should build these timelines into their incident response procedures well before an incident occurs.
Management Accountability Under NIS2
One of NIS2's most significant innovations is the personal accountability it imposes on management bodies. Under Article 20, management body members must approve cybersecurity risk management measures, oversee their implementation, and follow cybersecurity training sufficient to understand and assess risks. Individual managers can be held personally liable for compliance failures and may be temporarily barred from management roles in cases of repeated serious infringements.
This means that cybersecurity is no longer solely an IT matter in Cyprus — it is a boardroom responsibility with direct legal consequences for senior leaders.
Getting NIS2-Ready in Cyprus
- Determine your classification: Confirm whether your organisation qualifies as an Essential Entity or Important Entity under the national implementing law
- Register with the DSA: Once registration mechanisms are established, in-scope entities must formally register with the Digital Security Authority
- Conduct a gap assessment: Measure your current cybersecurity posture against NIS2 Article 21 requirements
- Update your incident response procedure: Embed the 24-hour, 72-hour and one-month reporting timelines into your incident response (IR) process
- Engage your board: Ensure management approves cybersecurity measures and completes the required training
- Strengthen supply chain security: Assess the security practices of your key suppliers and update contracts accordingly
- Implement MFA and encryption: These are explicit requirements under Article 21(2)(j)
Conclusion
NIS2 represents a fundamental shift in cybersecurity regulation for Cyprus. Organisations that treat it as an IT compliance checklist rather than a governance transformation will struggle with both implementation and ongoing supervision. A structured approach — starting with entity classification and gap assessment, and building through policy, training and technical controls — is the most effective path to compliance.