NIS 2 Status in Cyprus
What the directive requires, how Cyprus is transposing it, and where the DSA fits in.
Overview
The NIS 2 Directive is the EU layer. It binds every member state, including Cyprus, with a uniform minimum level for essential and important entities. Cyprus has to lift that floor into Cypriot law and supervise it underneath.
Cyprus did not transpose NIS 2 by the 17 October 2024 deadline. The European Commission sent Cyprus a reasoned opinion on 7 May 2025 for failure to notify full transposition. Cypriot reporting points to amending Law 60(I)/2025, which updates the pre-existing Law on the Security of Networks and Information Systems 89(I)/2020. Readers should verify the exact gazette reference against the Cyprus Official Gazette before relying on it for a filing.
The Digital Security Authority (DSA, Αρχή Ψηφιακής Ασφάλειας) is the competent authority. The national CSIRT-CY operates alongside it. Registration mechanics and sectoral guidance are still being published, and details on the entity register were not finalised in the public DSA materials we reviewed.
EU directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. It sets the obligations every member state has to transpose, including the size and sector test for essential and important entities.
EU implementing act
Commission Implementing Regulation (EU) 2024/2690
Technical and methodological measures for providers of digital infrastructure. Directly applicable in Cyprus, no Cypriot transposition needed.
Cypriot transposition
Law 89(I)/2020 on the Security of Networks and Information Systems, as amended by Law 60(I)/2025
The Cypriot NIS 2 framework. The 2020 law originally transposed NIS 1. Public sources indicate it was amended in 2025 to bring the NIS 2 obligations into Cypriot law. The Commission still considered transposition incomplete as of 7 May 2025, so secondary measures and DSA guidance are expected to follow.
Law 89(I)/2020 as amended
The 2020 Cypriot Law on the Security of Networks and Information Systems is the carrier statute. Public references indicate a 2025 amending law (60(I)/2025) is being used to bring NIS 2 obligations into Cypriot law. The exact text, definitions of essential and important entities, supervisory powers of the DSA, reporting timelines and penalties should be checked against the Cyprus Official Gazette before any filing.
DSA as competent authority
The Digital Security Authority (DSA) acts as the Cypriot competent authority for cybersecurity matters and is named on the European Commission NIS 2 country page. CSIRT-CY operates as the national CSIRT and is co-located with the DSA. Sectoral regulators retain their roles where lex specialis applies, in particular for the financial sector under DORA.
EU deadlines still apply
Cyprus missed the 17 October 2024 transposition deadline. Once Cypriot law catches up, the directive timing carries over: identification of entities in line with Article 27 NIS 2, early warning within 24 hours, incident notification within 72 hours and a final report within one month. Until the Cypriot rules are fully in force, the directive-level obligations remain the reference point.
In Cyprus, Cypriot law applies
Activities on Cypriot territory follow the Cypriot transposition. A German parent with a Cypriot subsidiary reads Law 89(I)/2020 (as amended) for that subsidiary, not the BSIG. The directive-level obligations are the same. Procedure, registration channel and penalties live in Cypriot law.
Cyprus cannot fall below the EU floor
The directive is a minimum harmonisation. Cyprus is allowed to go stricter. Cyprus is not allowed to drop below the directive, neither on the obligations for essential and important entities, nor on reporting deadlines, nor on management body accountability. A reasoned opinion from the Commission only sharpens that point.
DSA
The Digital Security Authority is the Cypriot competent authority for NIS 2 and the named contact on the European Commission country page. It sits administratively close to the Office of the Commissioner of Electronic Communications and Postal Regulation. Operational details on the registration register were not finalised in the materials we reviewed.
CSIRT-CY
The Cypriot national CSIRT. Co-located with the DSA in Nicosia. Acts as the technical contact point for incident notification and cross-border coordination.
ENISA
The EU cybersecurity agency. Publishes guidance, runs the European vulnerability database and coordinates cross-border. Not a supervisor for Cypriot entities. That sits with the DSA.
Cyprus is in the EU, so we can just apply the German BSIG rules to our Cypriot operations.
The directive-level obligations are identical, but the carrier statute, the competent authority, the registration channel and the penalty regime are Cypriot. A Cypriot subsidiary reports to the DSA and CSIRT-CY, not to the BSI. Internal group policy can be common, the filings cannot.
Cyprus has not transposed NIS 2, so we have nothing to do until the law is finalised.
The directive is the floor, and the 24 hour, 72 hour and one month incident timing applies as an EU obligation regardless of where Cyprus is in the transposition cycle. The Commission reasoned opinion from 7 May 2025 increases the pressure on Cypriot operators, not the leeway. Build the obligation register against the directive now and slot in Cypriot specifics as they get published.
We are not a Cypriot critical infrastructure operator, so NIS 2 does not apply to us in Cyprus.
NIS 2 scope in Cyprus is set by Annex I and II of the directive plus the size test, not by the old Cypriot critical infrastructure list. Many medium-sized providers in digital services, managed services, manufacturing and waste management end up in scope even though they were never on a Cypriot critical infrastructure register. Check applicability against the directive.
Most Cypriot operators we see still treat NIS 2 as a future Cypriot law problem. That is half right. The carrier statute is moving slowly. The directive obligations are not. Management bodies in Cyprus are accountable for risk management approval and their own training the moment the Cypriot law enters fully into force, and arguably already today via the directive standing behind a delayed transposition.
The practical step is the same as everywhere in the EU: check applicability against the directive, prepare to register once the Cypriot mechanism is published, set up the four continuous obligations (keep registration data current, incident notification, supply chain risk, oversight by the management body), and document the minimum. The DSA and CSIRT-CY are the contact points already in place.
We build the NIS 2 obligation register at the EU layer, not on a single national transposition. The same checklist fits a Cypriot subsidiary under Law 89(I)/2020 as amended, a German parent under BSIG and a Dutch sister under the Cyberbeveiligingswet. The article references switch per country, the substantive obligations do not.
For Cypriot scope, start with applicability, then incident timing, supply chain clauses and management body sign-off. Where the DSA publishes sectoral guidance, we will link it. We will not copy it.
- Directive (EU) 2022/2555 (NIS 2), EUR-Lex
- Commission Implementing Regulation (EU) 2024/2690
- European Commission, NIS 2 Directive country page Cyprus, digital-strategy.ec.europa.eu
- Law 89(I)/2020 on the Security of Networks and Information Systems, as amended (reportedly by Law 60(I)/2025), Cyprus Official Gazette
- Digital Security Authority (DSA), Αρχή Ψηφιακής Ασφάλειας, dsa.gov.cy
- CSIRT-CY, csirt.cy
- Commission reasoned opinion of 7 May 2025 on non-notification of NIS 2 transposition by Cyprus