NIS2 Implementation in the EU |
|
Cyprus |
|
|
(Europe)
Firm
Chrysostomides Advocates & Legal Consultants
Contributors
Alexandros Georgiades |
|
| Status of the legislative process | Enacted |
| Status of the NIS2 Implementation Act | The Security of Networks and Information Systems Amending Law No. 60(I)/2025, ("The Cyprus NIS2 Transposition Law"), which transposes the NIS2 Directive, has been duly enacted and is currently in force. |
| Significant deviations of the National Implementation Act from the NIS2 Directive, if any | A significant deviation of the Cyprus NIS2 Transposition Law from the NIS2 Directive concerns the mandatory significant incident reporting requirements. Specifically, entities must submit an early warning to the national competent authority (the Digital Security Authority) for a significant incident within 6 hours (and not 24 hours as per the NIS2 Directive) of becoming aware of a significant incident. Additionally, in the event of an ongoing incident at the time of submission of the final report, entities must submit a progress report every 15 days after the submission of the 72-hour incident notification, (as opposed to the one-off submission of the progress report as per the NIS2 Directive) and a final report within 15 days (and not within one month as per the NIS2 Directive) from the restoration of the operation of the network or information system affected. |
| Date of entry into force of the Implementation Act | The Cyprus NIS2 Transposition Law (The Security of Networks and Information Systems Amending Law No. 60(I)/2025) entered into force as of the 25 April 2025. |
NIS2 Implementation in the EU
Cyprus
(Europe) Firm Chrysostomides Advocates & Legal ConsultantsContributors Alexandros Georgiades Ada Athanasiadou
Updated 30 Jan 2026Enacted
The Security of Networks and Information Systems Amending Law No. 60(I)/2025, ("The Cyprus NIS2 Transposition Law"), which transposes the NIS2 Directive, has been duly enacted and is currently in force.
A significant deviation of the Cyprus NIS2 Transposition Law from the NIS2 Directive concerns the mandatory significant incident reporting requirements. Specifically, entities must submit an early warning to the national competent authority (the Digital Security Authority) for a significant incident within 6 hours (and not 24 hours as per the NIS2 Directive) of becoming aware of a significant incident.
Additionally, in the event of an ongoing incident at the time of submission of the final report, entities must submit a progress report every 15 days after the submission of the 72-hour incident notification, (as opposed to the one-off submission of the progress report as per the NIS2 Directive) and a final report within 15 days (and not within one month as per the NIS2 Directive) from the restoration of the operation of the network or information system affected.
The Cyprus NIS2 Transposition Law (The Security of Networks and Information Systems Amending Law No. 60(I)/2025) entered into force as of the 25 April 2025.