Cyprus


(a) What is the NIS2 implementation status?

On 10 April 2025, the Parliament enacted the Law on the Security of Networks and Information Systems (Amendment) of 2025, which amends the Law on the Security of Networks and Information Systems of 2020 (L. 89(I)/2020). Through this amendment, the provisions of the NIS2 Directive have been transposed into Cypriot law.

(b) What is the envisaged NIS2 implementation timeline?

Following the approval of the Law on the Security of Networks and Information Systems (Amendment) of 2025 by the Parliament, the implementation of the NIS2 Directive in Cyprus is considered fully completed.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The implementation of NIS2 brings about a raft of extensive amendments to the Law on the Security of Networks and Information Systems of 2020 (L.89(I)/2020). These amendments modernise and expand the scope of the existing national framework, aligning it with the more stringent requirements of the NIS2 Directive.

Some of the most important amendments include the following:

  • Significant expansion of scope: The amended law substantially broadens the scope of the original L.89(I)/2020 by including sectors previously outside its reach, such as public sector entities, postal services, and digital infrastructure.
  • New classification system: It introduces a distinction between “essential” and “important” entities, based on criteria such as size and societal criticality – including the potential impact of a disruption on the economy, public safety, public order, public health, or the environment.
  • Mandatory cybersecurity measures: Both essential and important entities are now required to implement a defined cybersecurity framework, which includes the adoption of appropriate and proportionate technical, operational, and organisational measures. These are aimed at managing the risks to the systems supporting their services and at preventing or minimising the impact of security incidents.
  • Differentiated supervisory regimes: The law introduces a dual-layer supervisory approach for essential and important entities to ensure a balanced regulatory burden:
      • Essential entities are subject to both ex-ante (proactive) and ex-post (reactive) supervision.
      • Important entities are subject only to ex-post supervision, meaning oversight occurs mainly in response to incidents or non-compliance.
  • Management accountability: The law now expressly provides that the highest level of management bears final responsibility for cybersecurity risk management in both essential and important entities. This marks a significant step toward embedding cybersecurity into corporate governance.
  • Stronger enforcement powers: The Digital Security Authority is now authorised to impose stricter administrative fines on essential and important entities in cases of non-compliance with their legal obligations.

These changes mark a decisive shift toward a more robust and structured national cybersecurity regime, reflecting the EU’s strategic objectives under the NIS2 Directive and strengthening the legal and institutional tools available in Cyprus for managing cyber risks.

(d) Who will be the supervisory authority and how are they preparing the market?

The supervisory authority is the aforementioned Digital Security Authority (DSA) (www.dsa.cy), which remains the national competent authority responsible for overseeing the implementation of the NIS2 Directive in Cyprus.

As part of its effort to guide entities falling within the scope of NIS2 and to raise broader public awareness, the DSA has published a Concise Guide to the NIS2 Directive. This guide provides a high-level overview of the key components of the new legal framework, including:

  • the sectors and entities covered under the scope of NIS2,
  • the incident notification procedures,
  • the risk management and cybersecurity measures required of entities,
  • the supervisory framework applicable to both essential and important entities,
  • the implementation of the Directive and the sanctions foreseen for non-compliance, and
  • the responsibilities of senior management in overseeing cybersecurity risk and compliance.

The DSA Guide (published in Greek) can be found here.

These preparatory actions reflect the DSA’s proactive approach to helping organisations understand and comply with their obligations under the new law. Additional guidance and tools – such as a recently launched self-assessment tool – are also being made available to assist entities in determining whether they fall within the Directive’s scope and what measures they must take to align with the new requirements.

The DSA is expected to continue issuing sector-specific guidance and working closely with stakeholders to ensure effective and practical implementation of the Directive.

(e) What should you be doing/on the lookout for?

Clients should be:

  • evaluating their cybersecurity infrastructure vis-à-vis the amendments to L.89(I)/2020; and
  • allocating budget resources for the cost of implementing NIS2.

Contact

Theo Demetriou E: t.demetriou@idlaw.com.cy


© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
