Cyprus cybersecurity framework – new legislation on network and information security

Cyprus has now fully transposed Directive 2016/1148 on security of network and information systems (the “NIS Directive”), through the Security of Networks and Information Systems Law of 2020 (Law 89(I)/2020) (the “Cyprus NIS Law”), which came into force on 12 August 2020.

While the text of the NIS Directive has generally been transposed into the Cypriot legal order, the Cyprus NIS Law also specifically addresses network and information security requirements for electronic communication service providers (i.e. telecommunications operators).

The Cyprus NIS Law creates a framework for security of network and information systems in all critical information infrastructures in Cyprus and enhances the island State’s existing capabilities of handling and responding to cyberattacks. The key purpose of the Cyprus NIS Law and its subsidiary legislation is to ensure that the Cypriot network infrastructure can respond to cyberattacks and other cybersecurity threats.

The Digital Security Authority (“DSA”) is designated by the Cyprus NIS Law as the competent supervisory authority for the enforcement of its provisions and the adoption of national cybersecurity strategies. The Cyprus NIS Law also entrusts the Cypriot computer security incident response team (“CSIRT-CY”) with responsibility for offering technical support and for monitoring, risk handling, managing and responding to cybersecurity incidents, while participating in the CSIRTs network of the Member States. CSIRT-CY is tasked with implementing proactive and reactive security services to reduce the risk of network, information and cybersecurity incidents, as well as to respond to such incidents.

Under the NIS Directive, EU Member States have to supervise the cybersecurity of critical market operators in their jurisdiction:
• Ex-ante supervision in critical sectors (energy, transport, water, health, digital infrastructure and the financial sector)
• Ex-post supervision for critical digital service providers (online marketplaces, cloud computing services and online search engines)

The Cyprus NIS Law identifies the following types of operators and providers falling under its ambit:

  • operators of essential services
  • critical information infrastructure operators
  • electronic communications providers
  • digital services providers

Under the Cyprus NIS Law, critical infrastructure comprises the assets, systems or parts thereof within the territory of Cyprus which are essential for the maintenance of operations of vital importance for society, health, security and the economic and social welfare of citizens, and the interruption of operation or destruction of which would have a significant impact on the State as a result of the failure to maintain those operations.

Under the Cyprus NIS Law, the criteria for the identification of both operators of essential services and critical information infrastructure operators are that:

(a) the entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
(b) the provision of that service depends on network and information systems; and
(c) an incident would have significant disruptive effects on the provision of that service.

While the NIS Directive introduces the obligation on essential services providers and digital service providers (providers of online search engines, cloud computing services and online marketplaces) to take appropriate security measures and to notify serious incidents, the Cyprus NIS Law also imposes the said obligation on providers of electronic communication services. As a result, providers of electronic communication services are also supervised by the DSA within the ambit of the Cyprus NIS Law and must therefore comply with the applicable cybersecurity requirements.

Specifically, network and electronic communication service providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and electronic communication services. The DSA is responsible for ensuring that these providers notify every security incident having a significant impact on the operation of networks and electronic communication services.

The Cyprus NIS Law confers on the DSA wide-ranging powers with respect to all providers, including the power to carry out investigations, request information and impose administrative fines for infringements of its statutory provisions.

In terms of information requests, the DSA is empowered, among other things, to request information regarding network and information system security, including security policies, from digital service providers, operators of essential services, critical information infrastructure operators and electronic communications providers.

The DSA has the power to impose administrative fines of up to EUR 200,000 for any infringement of the Cyprus NIS Law, as well as a fine of up to EUR 10,000 for each day the infringement persists. Infringement of any decisions or regulations issued under it could result in administrative fines of up to EUR 300,400, as well as an additional fine of up to EUR 200,000 where the infringement persists.

The Cyprus NIS Law provides, inter alia, for criminal liability in relation to the following:

  • failure to comply with notification obligations under the Cyprus NIS Law (entailing, on conviction, a potential sentence of imprisonment of up to two (2) years and/or a fine of up to EUR 10,000)
  • failure to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems under the Cyprus NIS Law (entailing, on conviction, a potential sentence of imprisonment of up to three (3) years and/or a fine of up to EUR 15,000)
  • failure to provide information requested by the DSA (entailing, on conviction, a potential sentence of imprisonment of up to three (3) years and/or a fine of up to EUR 3,400)

Updated regulations on cybersecurity and incident reporting matters are expected to be issued pursuant to the Cyprus NIS Law with respect to digital service providers, operators of essential services, critical information infrastructure operators and electronic communications providers active in Cyprus.

Contact us for more information on cybersecurity requirements in Cyprus.