Cyprus

(a) What is the NIS2 implementation status?

The NIS2 Directive has not yet been transposed into Cypriot Law. Amendments to the Law on Security of Networks and Information Systems of 2020 (L.89(I)/2020) – the law that implemented the NIS Directive – have to be made to implement the NIS2 Directive into Cypriot law.

(b) What is the envisaged NIS2 implementation timeline?

The envisaged deadline for the implementation of NIS2 in Croatia is currently pending, as the draft harmonizing bill is still under review. This bill is before the competent Parliamentary Committee on Finance and Budget for final discussion. Once approved by the Committee, the final draft will proceed to Parliament for review and voting. Upon approval by Parliament, the bill will be enacted into national law, completing the NIS2 implementation process. The specific timeline for enactment will depend on the progress of these legislative steps.

(c) What does the NIS2 mean for other national cybersecurity legislation?

NIS2 will bring about a raft of extensive amendments to the Law on Security of Networks and Information Systems of 2020 (L.89(I)/2020). The DSA has published the proposed amendments on its website in a page 50 long document. The proposed amendments have been published in a very helpful correlated list format To the left of the list one finds the relevant article of NIS2 and to the right of the list one finds the proposed amendment to the relevant article of L.89(I)/2020.

Some of the most important amendments are the following:

• a new article 29 by which the DSA will draft and implement a national cybersecurity policy.
• a new article 32A by which the DSA is ordained as the national crisis manager in cases of largescale cybersecurity attacks. As the crisis manager the DSA is tasked with drafting and implementing the country’s national response plan in relation to largescale cybersecurity attacks.
• a new article 34A by which the DSA is ordained as the Peer Review body for Cyprus as is stipulated by article 19 of NIS2.
• large-scale amendments, in essence additions, to article 35 of L.89(I)/2020, which is the article relating to Security Requirements.
• Surprisingly, article 43 of L.89(I)2020 which relates to Sanctions has not been amended. The article remains the same and allows the DSA to impose an administrative fine of up to €200.000,00 for breaches of L.899(I)/2020 and an administrative fine of up to €300.400,00 for breaches of Decisions and/or Regulations of the European Union.

(d) Who will be the supervisory authority and how are they preparing the market?

The supervisory authority is the aforementioned DSA. There is no robust market preparation strategy as of yet, but one would expect that a number of activities and actions will take place as the NIS2 directive’s implementation date nears. Generally speaking in Cyprus, the market is prepared more by private contractors than the relevant supervisory authorities in each particular field.

(e) What should you be doing/on the lookout for?

Clients should be:

• evaluating their cybersecurity infrastructure vis a vis the proposed amendments to L.89(I)/2020 (NIS law) and,
• allocating budget resources for the cost of implementing NIS2