Cyprus
(a) What is the NIS2 implementation status?
The Cypriot supervisory authority, the Digital Security Authority (hereafter “the DSA”), has on the 21.8.2023 announced a public consultation in relation to the proposed amendments to the Law on Security of Networks and Information Systems of 2020 (L.89(I)/2020), which is the law that adopted into Cypriot law the original NIS directive. The public consultation ends on the 29.9.2023. Any interested parties has until that time to send in any opinions on the proposed amendments to the law, through which NIS2 will be adopted in the Cypriot law. To this effect, the DSA has created a comparative table with the articles of L.89(I)/2020 on one side and the proposed amendments to the said law on the other and published it on its website.
(b) What is the envisaged NIS2 implementation timeline?
The DSA’s website specifically states that NIS2 will be put into force on the 18.10.2024 therefore one would suspect that the supervising authority intendeds the amended legislation to have passed into law for that particular deadline (that they appear to have set themselves notionally). On the other hand, after speaking with the DSA we have been informed that there is no strict implementation timeline. The DSA has an unofficial timeline for implementation. Once the public consultation is finished, the proposed amendments have to be then sent to the Law Office of the Republic of Cyprus for a legal audit. Thereafter they will be sent to a parliamentary select committee for discussion and then finally be put before the floor of the Parliament for a vote. The notional deadline of the directive coming into force may or may not be missed depending on how fast the Law Office of the Republic and the Parliament proceed on the said amendments.
(c) What does the NIS2 mean for other national cybersecurity legislation?
NIS2 will bring about a raft of extensive amendments to the Law on Security of Networks and Information Systems of 2020 (L.89(I)/2020). The DSA has published the proposed amendments on its website in a page 50 long document. The proposed amendments have been published in a very helpful correlated list format To the left of the list one finds the relevant article of NIS2 and to the right of the list one finds the proposed amendment to the relevant article of L.89(I)/2020.
Some of the most important amendments are the following:
- a new article 29 by which the DSA will draft and implement a national cybersecurity policy.
- a new article 32A by which the DSA is ordained as the national crisis manager in cases of largescale cybersecurity attacks. As the crisis manager the DSA is tasked with drafting and implementing the country’s national response plan in relation to largescale cybersecurity attacks.
- a new article 34A by which the DSA is ordained as the Peer Review body for Cyprus as is stipulated by article 19 of NIS2.
- large-scale amendments, in essence additions, to article 35 of L.89(I)/2020, which is the article relating to Security Requirements.
- Surprisingly, article 43 of L.89(I)2020 which relates to Sanctions has not been amended. The article remains the same and allows the DSA to impose an administrative fine of up to €200.000,00 for breaches of L.899(I)/2020 and an administrative fine of up to €300.400,00 for breaches of Decisions and/or Regulations of the European Union.
(d) Who will be the supervisory authority and how are they preparing the market?
The supervisory authority is the aforementioned DSA. There is no robust market preparation strategy as of yet, but one would expect that a number of activities and actions will take place as the NIS2 directive’s implementation date nears. Generally speaking in Cyprus, the market is prepared more by private contractors than the relevant supervisory authorities in each particular field.
(e) What should you be doing/on the lookout for?
Clients should be:
- evaluating their cybersecurity infrastructure vis a vis the proposed amendments to L.89(I)/2020 (NIS law) and,
- allocating budget resources for the cost of implementing NIS2
Contact
Theo Demetriou E: t.demetriou@idlaw.com.cy
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page