Current status of implementation


Cyprus has not as yet implemented the NIS Directive into national law. A draft law was published on 11 January 2018 (to the Cyprus Official Gazette) for the implementation of the NIS Directive (referred to as "the Draft Law").

Implementation Act


Not yet adopted/implemented.

Determination of operators of essential services (Art. 5 NIS)

No identification of the operators of essential services has been made yet. According to Article 2 (1) of the Draft Law, operators of essential services means a public or a private entity of a type referred to Annex II of the Directive which meets the below criteria: (a) the entity provides a service which is essential for the maintenance of critical societal and/or economic activities; (b) the provision of that service depends on network and information system and (c) an incident would have significant disruptive effects on the provision of that service.
Reporting obligations

Operators must notify the competent authority without undue delay of any incident having a substantial impact on the provision of the services. Providers of digital services must notify the competent authority without undue delay of any incident having a substantial impact on the provisions of the services within the territory of Cyprus or any other EU member state.
Sanctions regime

Section 15 of the Draft Law provides that any person who prevents any employee of the competent authority to fulfill his duties is guilty of an offence and subject to imprisonment of up to 6 months and / or to a fine of up to EUR 8,000. Section 16 of the Draft Law provides that any person who breaches the Law, the regulations or the decisions of the competent authority is guilty of an offence and subject to imprisonment of up to 6 months and / or to a fine of up to EUR 8,000. Section 29 of the Draft Law provides for administrative fines of up to EUR 8,500 for violations of the Law or the decisions of the competent authority.
Competent authorities

The Cyprus Digital Security Authority is an independent authority which is competent for the information security at national level, including the prosecution and repression of administrative fines.
Jurisdictional applications

Operators of critical infrastructures are subject to Cyprus law if the infrastructure is located in Cyprus.
Remarks (if any)

The information regarding the implementation of the NIS Directive in this document is provided on the basis of the Draft Law.


Last reviewed 28.02.2018