
Cyprus: Cybersecurity


1. GOVERNING TEXTS

1.1. Legislation

Cybersecurity is primarily governed in Cyprus by Law No. 89(I)/2020 on the Security of Network and Information Systems (only available in Greek here) ('the NIS Implementation Law'), which entered into force on 12 August 2020 and is harmonised with the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('NIS Directive'). The NIS Implementation Law replaced and repealed the previous initial transposing legislation.

The NIS Implementation Law designates the national competent authorities and sets out their relevant powers and assigned tasks and responsibilities.

However, please note that the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published in the Official Gazette of the European Union on 27 December 2022 and became effective as of 16 January 2023. Pursuant to Article 41 of the NIS 2 Directive, by 17 October 2024, Member States must transpose the NIS 2 Directive into their national legislation, and the transposition laws shall apply from 18 October 2024. On the same date, the NIS Directive will be repealed. For further information please see our Insight article on the NIS Directive here.

The Regulatory Administrative Act 39/2022 (only available in Greek here) ('the Incident Notification RAA') addresses the obligation of operators of essential services, operators of critical information infrastructures, and digital service providers to notify incidents, which have a significant impact on the continuation of their services.

The Incident Notification RAA identifies the conditions for determining the significance of the impact of a potential security incident, which would trigger the obligation to submit an incident notification to the relevant competent authority. The Incident Notification RAA also regulates the procedure for submission of such incident notifications, their content, the manner of submission, and the applicable timeframes.

Other relevant RAAs include:

  • RAA No. 358/2010 regarding the Creation of Computer Security Incident Response Teams ('CSIRT/CERT') (only available in Greek here), and their powers and obligations;
  • RAA No. 41/2022 on Network and Information Systems Security (Security Measures for Network and/or Electronic Communications Service Providers) (only available in Greek here) ('RAA 41/2022'), which prescribes minimum additional obligations relating to the security of networks and information systems which providers operating electronic communications networks and/or services must comply with;
  • RAA No. 190/2015 on the Notification of Personal Data Breaches by Electronic Communication Network Providers (only available in Greek here) ('RAA 190/2015');
  • RAA No. 359/2020 Regulations on the Security of Network and Information Systems (Fees) (only available in Greek here) ('RAA 359/2020'), prescribing the method of calculation of administrative fees payable by regulated entities;
  • RAA No. 360/2020 Regulations on the Digital Security Authority (Terms of Hiring and of Employment for Members of Staff) (only available in Greek here) ('RAA 360/2020');
  • RAA No. 389/2020 Decision on the Security of Network and Information Systems (Security Measures for Operators of Essential Services and of Critical Information Infrastructure) (only available in Greek here) ('RAA 389/2020'), as amended by RAA No. 40/2022 (only available in Greek here) ('RAA 40/2022');
  • RAA No. 403/2020 Decision on the Security of Network and Information Systems (Registration of Digital Service Providers) (only available in Greek here) ('RAA 403/2020');
  • RAA No. 408/2020 Decision on the Security of Network and Information Systems (Cybersecurity of 5G Networks and Electronic Communications Services) (only available in Greek here) ('RAA 408/2020'), as amended by Decision RAA No. 310/2021 (only available in Greek here);
  • RAA No. 251/2021 Decision on the Collection of Information and on the Imposition of Administrative Fines (only available in Greek here) ('RAA 251/2021');
  • RAA No. 252/2021 Decision on the Public Consultation Procedure (only available in Greek here) ('RAA 252/2021');
  • RAA No. 345/2021 Decision on the Public Hearing Procedure (only available in Greek here) ('RAA 345/2021').

In addition, we note that in case of cybersecurity incidents involving breaches of personal data, the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and national data privacy laws will also be applicable.

1.2. Regulatory authority

The NIS Implementation Law designates the Digital Security Authority ('the DSA') as the national competent authority for the security of network and information systems and for cybersecurity. The DSA is headed by the Commissioner of Communications, who is ultimately under the authority of the Deputy Minister of Research, Innovation and Digital Strategy of the Republic of Cyprus ('the Deputy Minister').

The DSA has, among others, the following powers and responsibilities:

  • The DSA acts as an advisory body to the Deputy Minister on all matters pertaining to digital security in Cyprus and is responsible for implementing the relevant digital security strategy in place at all times.
  • The DSA constitutes the single point of contact for Cyprus and it exercises a liaison function to ensure cross-border cooperation with the relevant authorities in other EU Member States, the competent authorities of the Republic, and with the NIS Cooperation Group established by the NIS Directive, and the CSIRTs network.
  • The DSA is also responsible for receiving incident notifications and for supervising the national, governmental, and academic CSIRTs. In addition, the DSA assesses the compliance of operators of essential services with their obligations regarding security of network and information systems, and the compliance of operators of critical infrastructure with the NIS Implementation Law.
  • The DSA also has information-gathering powers, the power to identify digital security measures and monitor compliance therewith, and, where necessary, the power to take corrective measures, as provided in any relevant decision.
  • Furthermore, the DSA has powers to impose administrative fines (see section 5 below) where an act or omission is found to be contrary to the provisions of the NIS Implementation Law or pertinent decisions or RAAs.

In exercising its duties, the DSA must comply with the principles of equal treatment, objectivity and proportionality.

1.3. Regulatory authority guidance

RAA 389/2020, as amended, issued by the DSA, prescribes the minimum cybersecurity measures that operators of essential services and operators of critical information infrastructure are expected to undertake. RAA 389/2020, as amended, provides specific guidance on various issues, including conducting risk assessments, preparing business continuity and disaster recovery plans, and redundancy, backup, logging, and notification obligations.

Guidance regarding the incident notification procedure may also be drawn from the Incident Notification RAA (see section 1.1. above).

2. SCOPE OF APPLICATION

The NIS Implementation Law applies to network and information systems; critical information infrastructure operators; operators of essential services; electronic communications network providers; providers of electronic communications services and digital service providers.

2.1. Network and Information Systems

The term 'network and information systems' is defined in the NIS Implementation Law as:

  • (a) an electronic communications network within the meaning of Section 4(1) of the Law on the Regulation of Electronic Communications and Postal Services (only available in Greek here);
  • (b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or
  • (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance.

2.2. Critical Information Infrastructure Operators

'Critical infrastructure' is defined in the NIS Implementation Law as assets, systems, or parts of systems which are located in the Republic of Cyprus and which are essential for the maintenance of critical societal functions and services, health, security, and the economic and social welfare of citizens, and the disruption or destruction of which would have a significant impact on the Republic in case of discontinuity of their functions.

'Critical Information infrastructure operators' are defined as operators of critical information infrastructure that are referred to in a DSA decision.

2.3. Operator of Essential Services

An 'operator of essential services' is defined in the NIS Implementation Law as a public or private entity of a type referred to in a relevant DSA decision, which meets the following criteria:

  • an entity that provides a service which is essential for the maintenance of critical societal and/or economic activities;
  • the provision of that service depends on network and information systems; and
  • an incident would have significant disruptive effects on the provision of that service.

2.4. Cloud Computing Services

The term 'cloud computing services' is defined under the NIS Implementation Law as a digital service that enables access to a scalable and elastic pool of shareable computing resources.

2.5. Digital Service Providers

Pursuant to the NIS Implementation Law, a 'digital service' has the meaning given to it in Article 1(1) of Directive (EU) 2015/1535 Laying Down a Procedure for the Provision of Information in the Field of Technical Regulations and of Rules on Information Society Services and which is of the type referred to in a relevant decision that is issued by the DSA. The types of digital services providers that are currently regulated are online marketplaces, online search engines, and cloud computing services. Cybersecurity obligations are not applicable to micro and small-sized digital service providers.

2.6. Other

As per the NIS Implementation Law definition, providers of electronic communications services are persons that are authorised by the Commissioner of Communications to provide publicly available electronic communications services pursuant to the Law on the Regulation of Electronic Communications and Postal Services.

As per the NIS Implementation Law definition, electronic communications network providers are persons that are authorised by the Commissioner of Communications to provide electronic communications public networks pursuant to the Law on the Regulation of Electronic Communications and Postal Services.

3. REQUIREMENTS

3.1. Security measures

Pursuant to the NIS Implementation Law, the DSA must ensure that operators of essential services, operators of critical information infrastructures and digital service providers undertake appropriate and proportionate technical and organisational measures to manage the risk relating to networks and information systems and to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such services, with a view to ensuring the continuity of those services. This obligation vis-à-vis operators of essential services and operators of critical information infrastructures is specified in greater detail in RAA 389/2020, as amended. The latter expands on security measures such as risk assessments, business continuity and disaster recovery plans, and redundancy, backup, logging, and notification obligations.

Pursuant to RAA 41/2022, public network providers have an obligation to undertake numerous measures to ensure the integrity and continuity of the networks and services provided to consumers/subscribers in cases of disruptive damage or force majeure. Such measures include, inter alia, risk assessment exercises, business continuity plans, staffing on shifts so that incidents which may damage the services offered to subscribers can be reacted to immediately, and the availability of spare parts and back-up power supply equipment.

A general obligation to implement appropriate technical and organisational measures regarding the processing of personal data is also imposed on all service providers as data controllers, pursuant to the provisions of the GDPR.

3.2. Notification of cybersecurity incidents

The Incident Notification RAA (see section 1.1. above) imposes an obligation on operators of essential services, critical information infrastructure operators, and digital service providers to notify the DSA, using a prescribed form, of incidents with a significant impact on the services they provide.

A primary report must be provided to the DSA without any delay and, in any event, not later than six hours after the operator has received knowledge of the incident.

A final report with full details of the incident must be notified to the DSA no later than 15 days after the affected network or information system has been restored.

Providers may submit intermediary notifications where the information they have already notified has been materially altered, or where they are not in a position, despite their efforts, to submit the final complete report within the timeframe of the final report.

Only incidents that have a significant effect must be notified. The significance of the effect is to be determined by taking into account the following factors:

  • the number of users affected by the disruption of the essential service;
  • the duration of the incident;
  • the geographical spread with regard to the area affected by the incident; and
  • the impact of the incident on health, safety, national security, economy, social and civil welfare, and on the natural environment.

The notification must include:

  • the name of the provider and the services it offers;
  • the time at which the incident took place;
  • the duration of the incident;
  • information regarding the nature and impact of the incident;
  • information regarding any possible cross-border impact; and
  • any other information which is considered likely to assist the DSA.

Notification of incidents in the context of electronic communications

The Incident Notification RAA requires electronic communications network providers and public communications service providers to notify the DSA of every security breach or every loss of network integrity, which has a significant impact on the functioning of such networks or services. A prescribed form for such notification is provided in the RAA in question.

The Incident Notification RAA provides that security incidents are deemed to have a significant impact when their consequences exceed certain quantitative thresholds, which concern the duration of the incident, along with the number of users of the affected service, or when emergency calls are affected.

The relevant provider must submit a primary notification to the DSA no later than 24 hours after perceiving the security incident.

A final report with full details of the incident must be notified no later than ten days after the network or service affected or disrupted has been restored.

In exceptional circumstances, especially where the information already provided to DSA has been materially altered or where the provider is not in a position, despite its investigations, to submit the final complete report, a provider may submit an intermediary notification.

Where the provider is unable to submit all the necessary information in the final report, the provider must submit all available information and a reasoned justification for the delay in providing the rest of the information.

Where security incidents concerning operators of electronic communication networks and/or services result in breaches of personal data, the operator is subject to additional notification requirements by virtue of RAA 190/2015. The relevant notification must be filed with the DSA within 24 hours following the detection of the personal data breach at the latest, provided this is possible.

If all the required information is not available within this time, the provider must submit an initial notification within 24 hours and a second notification as soon as possible and, in any event, no later than three days following the initial notification. If it is not possible to obtain the necessary information within this timeframe, the provider must submit a reasoned justification for the delay and provide the necessary information as soon as possible.

RAA 371/2013 provides a prescribed form of notification, and the information to be provided includes:

  • the details of the providers;
  • the date and time of the incident;
  • the circumstance of the breach;
  • the type and content of the relevant personal data;
  • the technical and organisational measures that were taken or will be taken by the provider;
  • the number of persons or users affected;
  • possible consequences on such persons or users; and
  • any notifications made to the affected persons or users, etc.

Notification of incidents under the GDPR and the Cyprus Data Protection Law

In the case of a personal data breach by a controller, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Office of the Commissioner for Personal Data Protection ('the Commissioner'), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Pursuant to the Law No. 125(I)/2018 providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data ('the Data Protection Law'), where the controller is absolved of its responsibility to inform data subjects by virtue of Article 23 of the GDPR, the former shall perform an impact assessment and a prior consultation with the Commissioner.

3.3. Registration with a regulatory authority

Pursuant to RAA 403/2020, all digital services providers – whether natural or legal persons – that are either residing or seated (as applicable) in Cyprus must register with the DSA. It should be noted that the obligation to register with the DSA as well as all other relevant cybersecurity obligations are not applicable to micro and small-sized digital service providers. The obligated digital service providers are online search engines, online marketplaces, and cloud computing services.

3.4. Appointment of a 'security' officer

Pursuant to the Incident Notification RAA, critical information infrastructure operators, operators of essential services, and digital service providers must provide the DSA with the details of the persons who will be responsible for submitting the necessary incident notifications. In particular, they must provide the relevant name, telephone number or contact number for 24/7 communication, fax number, and email address. In case of substitution of such persons or any change in their contact details, the DSA must be informed immediately.

Furthermore, pursuant to RAA 389/2020, as amended, operators of essential services and operators of critical information infrastructures must designate a security officer. The duties of the security officer are to:

  • inform and advise the operator of essential services or critical information infrastructure provider and the employees who have access to network and information systems of their obligations pursuant to the Security Measures Framework ('the Framework'). See Part III of the RAA 389/2020, as amended;
  • monitor compliance with the Framework, with other national or European information security provisions, and with the policies of the operator of essential services or of critical information infrastructure in relation to the security of network and information systems;
  • provide advice as regards to information security management and monitor its performance pursuant to relevant regulations;
  • cooperate with and act as a single point of contact for the DSA on topics related to the activities performed by the DSA as part of its official mandate, including providing support to external audit activities, pro-actively providing documentation and information to the DSA, as per relevant provisions; and
  • report on information security threats, vulnerabilities, and risks towards top-level management by the means of formal and recurrent reporting.

3.5. Other requirements

Not applicable.

4. SECTOR-SPECIFIC REQUIREMENTS

Cybersecurity in the health sector

No sector-specific information available.

Cybersecurity in the financial sector

The Central Bank of Cyprus has adopted means of exchanging information about incidents with supervised institutions, through its regulatory and supervisory framework.

Cybersecurity practices for employees

No sector-specific information available.

Cybersecurity in the education sector

No sector-specific information available.

5. PENALTIES

Penalties for non-compliance with the NIS Implementation Law and pertinent regulations may be criminal and/or administrative.

Where the DSA finds that a person, through act or omission, violates the provisions of the NIS Implementation Law, a fine of up to €200,000 may be imposed. Recurring violations are subject to additional fines of up to €10,000 per day of continual violation.

Violations of EU decisions and/or regulations may result in administrative fines of up to €300,400. Recurring violations of EU decisions and/or regulations are subject to an additional fine of up to €200,000. Such violations also constitute a criminal offence and may result in a criminal fine of up to €15,000 and/or up to three years imprisonment.

In cases where it is proven that the person responsible for a violation has acquired an unfair benefit from the violation, the DSA has the power, unless the law otherwise specifies, to impose a fine equal to double the amount of such benefit.

Where an operator of essential services, an operator of critical information infrastructure, or a digital service provider fails to notify a security incident, this constitutes a criminal offense which may result in up to two years imprisonment and/or a fine of up to €10,000.

Where an operator of essential services, an operator of critical information infrastructures or a digital service provider fails to undertake appropriate and proportionate technical and organisational measures to manage cybersecurity risks, as prescribed under the NIS Implementation Law and relevant secondary legislation, this constitutes a criminal offense which may result in up to three years imprisonment and/or a fine of up to €15,000.

Failure to comply with a DSA information request constitutes a criminal offense which may result in up to three years imprisonment and/or a fine of up to €3,400.

6. OTHER AREAS OF INTEREST

5G networks

Decision RAA 408/2020 sets the minimum requirements for the security of 5G networks and electronic communications services. This decision has been adopted within the context of the NIS Directive, the Directive Establishing the European Electronic Communications Code (Directive (EU) 2018/1972), and the EU 5G Toolbox. Furthermore, Amending Decision 310/2021 has been adopted to enable the electronic submission of 5G-security related documents to the platform of the Digital Security Authority.

Alexandros Georgiades, Partner
Ioanna Sapidou, Senior Associate
Dr. K. Chrysostomides & Co LLC, Nicosia
