NIS2 Country Guide

NIS2 Cyprus: Security of Networks & Information Systems Laws 89(I)/2020 & 60(I)/2025

See how Cyprus has implemented the NIS2 Directive through the Security of Networks and Information Systems Laws of 2020 and 2025 (89(I)/2020 and 60(I)/2025), which entities are in scope, the role of the Digital Security Authority (DSA), and what your organisation must do to comply.

Cyprus NIS2 law in force: 2025
Competent authority: Digital Security Authority (DSA)

Introduction: NIS2 Directive & the Cypriot context

Cyprus already had a cybersecurity framework under the Security of Networks and Information Systems Law 89(I)/2020, with the Digital Security Authority (DSA) as the central body for NIS supervision. NIS2 required Cyprus to expand this regime to many more sectors and entities and to strengthen risk management, governance and incident reporting.

With the 2025 amendment law, Cyprus now operates a full NIS2-aligned framework that applies to both essential and important entities across a broad range of sectors, including digital infrastructure and key public and private services.

NIS2 implementation in Cyprus

Cyprus has implemented NIS2 through the Security of Networks and Information Systems (Amendment) Law of 2025, No. 60(I)/2025, which amends the Security of Networks and Information Systems Law of 2020, No. 89(I)/2020. Together, these are often referred to as the Cypriot NIS/NIS2 Laws.

The 2025 amendment aligns Cypriot law with NIS2, expands the number of entities in scope, and updates requirements related to risk management, incident notification, supervision and sanctions.

Status

NIS2 is fully implemented in Cyprus through Law 60(I)/2025, which updates and consolidates the 2020 NIS Law.

Legal structure

The Security of Networks and Information Systems Laws of 2020 and 2025 form a single framework that defines scope, obligations, authorities and penalties for NIS2 entities.

Supervisory approach

The Digital Security Authority remains the lead competent authority, coordinating with sectoral regulators and operating the main national CSIRT for NIS2 entities.

NIS2 Cyprus: what you need to know about compliance

Cyprus follows the NIS2 model of essential and important entities. Obligations are largely aligned with NIS2 Annex I security measures, but implemented through the amended national law and related guidance from the DSA.

Who is in scope?

  • Entities operating in NIS2 Annex I sectors (energy, transport, health, drinking water, digital infrastructure, public administration, etc.).
  • Entities operating in NIS2 Annex II sectors (postal and courier services, waste management, food, manufacturing of critical products, research, etc.).
  • Medium-sized and larger organisations that meet NIS2 staff or turnover thresholds.
  • Certain providers covered regardless of size, including DNS service providers, TLD registries, trust service providers, and some digital infrastructure and cloud services.

Core obligations

  • Implement risk-management measures covering technical and organisational security for relevant systems.
  • Adopt policies and procedures for incident prevention, detection, response and recovery.
  • Report significant incidents and certain cyber threats to the DSA / CSIRT-CY within NIS2 timeframes.
  • Manage supply-chain risks, including security requirements in contracts with key ICT and service providers.
  • Ensure management bodies approve cybersecurity policies, oversee implementation and receive regular training.

Standards & frameworks

The Cypriot NIS2 Laws do not mandate a single standard, but aligning with ISO/IEC 27001, NIST CSF or a similar ISMS framework is an effective way to structure and demonstrate compliance with national requirements.

Designation & registration: Entities in scope may be formally designated as essential or important by the authorities and/or required to register with the DSA, providing information on their services, critical systems and NIS contacts.

Competent authorities & CSIRT

Cyprus operates a relatively centralised model, with the Digital Security Authority at the core of NIS2 supervision, supported by CSIRT-CY and certain sectoral regulators.

| Role | Authority | Notes |
|------|-----------|-------|
| National competent authority & Single Point of Contact | Digital Security Authority (DSA) | Responsible for NIS2 implementation, supervision, strategy and coordination; also acts as the Single Point of Contact towards the EU and other Member States. |
| National CSIRT | CSIRT-CY (within the DSA) | Receives incident notifications, shares threat information and supports technical response for NIS2 entities. |
| Sectoral regulators | Various (e.g. electronic communications, energy, finance) | In certain sectors, existing regulators support or share supervisory tasks with the DSA, especially where EU sectoral rules (such as telecom or financial services) also apply. |

NIS2 timeline & key dates (Cyprus)

2020 — Original Security of Networks and Information Systems Law 89(I)/2020 enters into force.
2022–2024 — NIS2 adopted at EU level; Cyprus prepares amendments to align Law 89(I)/2020 with the new Directive.
2025 — Security of Networks and Information Systems (Amendment) Law 60(I)/2025 takes effect, formally transposing NIS2.
2025–2026 — Designation / registration of entities, rollout of supervisory activities and further guidance by the DSA.

Sector-specific notes for Cyprus

  • Energy: electricity and gas operators, and related infrastructure, are treated as essential entities with strict resilience and incident-reporting obligations.
  • Transport: air, maritime and port services are especially important given Cyprus’s role as a shipping and logistics hub.
  • Financial services: selected financial institutions are in scope alongside EU financial-sector cyber rules; supervision involves both the DSA and financial regulators.
  • Healthcare: hospitals, clinics and critical e-health services must implement robust cybersecurity and incident-management measures.
  • Public administration: core government bodies and certain public entities fall in scope as part of the national cyber-resilience strategy.
  • Digital infrastructure & ICT providers: data centres, cloud providers, major electronic communications operators and managed service providers are a central focus of the Cypriot NIS2 regime.

Penalties for non-compliance

The Cypriot NIS2 framework follows the Directive’s approach to sanctions and allows for significant administrative fines and corrective measures where entities fail to meet their obligations.

  • High administrative fines, including turnover-based penalties in line with NIS2 ceilings for the most serious breaches.
  • Corrective orders, mandatory remediation plans and enhanced supervision where serious deficiencies are identified.
  • Potential personal consequences for management in cases of persistent or reckless non-compliance.

How to prepare for NIS2 in Cyprus

  1. Determine if you are in scope: map your services and size against NIS2 Annex I & II sectors and review DSA guidance for your industry.
  2. Understand your legal obligations: review the consolidated text of the Security of Networks and Information Systems Laws (89(I)/2020 and 60(I)/2025).
  3. Perform a gap assessment: compare your current cybersecurity posture with NIS2-aligned requirements (governance, technical controls, processes, documentation).
  4. Prepare for registration / designation: gather information on critical services, systems, dependencies and NIS contact persons.
  5. Strengthen incident readiness: implement monitoring, alerting, response playbooks and escalation paths to CSIRT-CY and the DSA.
  6. Review supply-chain risk: update contracts with critical suppliers to include security, audit and incident-notification requirements.
  7. Align with a recognised framework: build or refine an ISMS aligned with ISO 27001 or similar to structure your NIS2 compliance journey.
  8. Train management and staff: run awareness and training sessions so leadership and key teams understand NIS2 roles and responsibilities.

FAQ: NIS2 in Cyprus

Has Cyprus fully transposed NIS2?
Yes. The NIS2 Directive is implemented through the Security of Networks and Information Systems Laws of 2020 and 2025 (89(I)/2020 and 60(I)/2025), which together form the core NIS2 framework in Cyprus.

Which law should we look at for NIS2?
You should refer to the consolidated Security of Networks and Information Systems Laws as published by the Digital Security Authority, which incorporate both the 2020 and 2025 texts.

Who is the NIS2 competent authority in Cyprus?
The Digital Security Authority (DSA) is the main NIS2 competent authority, Single Point of Contact and home of CSIRT-CY.

Do we have to register with the DSA?
Entities that fall within the NIS2 scope are expected to be designated and/or to register with the DSA. Check official DSA guidance for the specific registration process and deadlines for your sector.

Is a specific certification like ISO 27001 mandatory?
No particular certification is mandated by name, but frameworks such as ISO/IEC 27001 are strongly recommended as a way to structure and evidence your NIS2 compliance efforts.

Information provided for general guidance; always consult the official Cypriot legislation, DSA publications and legal counsel for definitive NIS2 compliance requirements.