Cyprus has enacted legislation to ensure the implementation of Regulation (EU) 2022/2065 on a Single Market for Digital Services (the Digital Services Act) (the DSA).
The new legislation establishes the national authorities, procedures, and penalties to enforce the DSA’s provisions in Cyprus. The DSA applies to a wide range of online intermediaries, including providers of cloud services, messaging, marketplaces and social networks. The most far-reaching rules in the Digital Services Act focus on very large online platforms and very large online search engines.
The Cypriot legislative package comprises:
- legislation for the implementation of the DSA and the appointment of the Cypriot Digital Services Coordinator
- legislation amending the law regulating audiovisual media services
- regulations on the operations and procedures of the new supervisor.
Designation of the Digital Services Coordinator
The Cyprus Radio Television Authority is renamed into the Radio Television and Digital Services Authority and is appointed as the Cypriot Digital Services Coordinator for the purposes of the DSA and the implementing national legislation (the Cyprus DSA Authority).
The Cyprus DSA Authority is the single, central point of contact and supervision for all matters related to the DSA in Cyprus. It is tasked with overseeing the compliance of all intermediary service providers within its jurisdiction and will represent Cyprus on the European Board for Digital Services. The new framework explicitly requires the Cyprus DSA Authority to act with independence, impartiality, and transparency.
While the Cyprus DSA Authority holds the primary role in the new framework, other authorities also designated to oversee specific aspects of the DSA’s implementation:
- The Ministry of Energy, Commerce, and Industry will supervise obligations related to the traceability of traders on online marketplaces, the transparency of online advertising, and the fairness of terms and conditions
- The Office of the Commissioner for Communications will handle matters concerning the conditional liability exemptions for intermediary services, ensuring that providers meet the criteria to be shielded from liability for the content they transmit or store
- The Office of the Commissioner for Personal Data Protection will be responsible for supervising compliance with the DSA’s strict privacy-related provisions, such as the prohibition on using sensitive personal data (e.g., political beliefs, sexual orientation) for targeted advertising and the complete ban on targeting advertisements to minors.
Ambit of the Cypriot DSA implementing legislation
The Cypriot framework has a very wide ambit, as it is applicable to all providers of intermediary services that:
- are established in Cyprus
- are not established in Cyprus but their designated legal representative resides or is established in Cyprus
- have a “substantial connection” to Cyprus (which is determined on the basis of specific criteria)
- do not have a “substantial connection” to Cyprus, but provide their intermediary services in Cyprus.
Key Powers of Cyprus DSA Authority and Sanctions
To ensure the DSA has real teeth, the new laws grant significant and robust powers to the Coordinator and other competent authorities.
- Investigative Powers: The Coordinator can request information, conduct on-site inspections of business premises (which may include accessing databases, algorithms, and internal documents related to compliance), and compel the attendance of witnesses for testimony.
- Administrative Fines: In cases of non-compliance, the authorities can impose substantial and dissuasive administrative fines. For serious infringements, these can reach up to 6% of the annual global turnover of the provider. For providing incorrect, incomplete, or misleading information during an investigation, fines can be up to 1% of the annual income or global turnover. These figures are designed to be a powerful deterrent and ensure compliance is a board-level priority.
- Criminal Offences: The law establishes criminal liability for certain violations, particularly for individuals who obstruct investigations or repeatedly fail to comply with binding orders. Penalties can include imprisonment for up to one year, a financial penalty of up to €10,000, or both.
- Supervisory Fees: The Coordinator is empowered to levy annual fees on service providers. This “polluter pays” principle ensures that the cost of supervising the digital market is borne by the platforms themselves, not the Cypriot taxpayer.
Complementing the main law, the new regulations set out the detailed operational procedures for the Cyprus DSA Authority, ensuring due process and clarity. These cover:
- the process for individuals and entities to submit complaints against providers for alleged DSA violations
- the framework for the Cyprus DSA Authority to launch ex-officio investigations into systemic issues, even without a specific complaint
- rules on the handling and protection of personal data in accordance with GDPR during all enforcement activities.
Establishment of a Cyprus Registry of Intermediary Service Providers
A key measure mandated by the new framework is the creation and maintenance of a Registry of Intermediary Service Providers for Cyprus.
All providers falling under the scope of the law will be required to register within three months of the registry’s operation. They must provide essential information, including their name, address, and official points of contact for both users and authorities.
Contact our TMT practice to discuss your precise requirements.