Cyprus Cybersecurity in 2026: NIS2, the DSA, and a Threat Surface That Doubled
The Inflection Point Cyprus Reached This Year
Cyprus holds the rotating Presidency of the Council of the European Union from 1 January to 30 June 2026 under the motto "An Autonomous Union. Open to the World." The published Presidency programme places cybersecurity, digital sovereignty, and critical infrastructure protection among its named priorities. The Council legislative agenda already includes the Commission's Cybersecurity Act, presented on 14 January 2026, and the Digital Networks Act, presented on 20 January 2026. For a Member State of roughly 920,000 people, the symbolic and operational weight is substantial.
At the same time the local picture has tightened sharply. The Cyprus Mail reported in February 2026 that one in three Cyprus citizens, and roughly half of all Cypriot businesses, had been targeted by a cyberattack within the previous twelve months. Maritime cyberattacks globally rose 103 percent year on year in 2025, from 408 incidents to 828, a fact that matters disproportionately for Cyprus given the size of its shipping registry. Domestic DDoS volumes continued to climb through 2025 according to public reporting from the Cyprus Mail and the National CSIRT advisory feed.
Behind these numbers sits the more important shift: the legal regime that governs how Cypriot businesses must protect themselves has been fully rebuilt. NIS2 is now in force locally, the Digital Security Authority has expanded supervisory teeth, and the Office of the Commissioner for Personal Data Protection has been steadily building case law since 2018. This article walks through what changed, what is enforceable now, and what the threat landscape looks like in primary source terms.
The Legal Substrate: Law 89(I)/2020, Amended by 60(I)/2025
The foundation is the Network and Information Systems Security Law of 2020, designated L. 89(I)/2020. That law established the Digital Security Authority as the central supervisory authority for cybersecurity in the Republic and incorporated the National Computer Security Incident Response Team, known operationally as the National CSIRT. The 2020 framework already aligned Cyprus with the original NIS Directive of 2016, but the European baseline has since moved on.
On 10 April 2025 the Cypriot Parliament enacted L. 60(I)/2025, which amends the 2020 law to transpose NIS2, formally Directive (EU) 2022/2555. The amending law has been in force since 25 April 2025. In substance it expands the population of regulated entities to medium and large enterprises across a wider set of sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, manufacture of certain critical products, food production, and digital service providers including cloud, data centres, content delivery networks, and online marketplaces. It introduces explicit incident reporting timelines, management body accountability for cybersecurity, and an administrative fine ceiling that for essential entities can reach the higher of 10 million euro or 2 percent of worldwide annual turnover.
Despite the April 2025 transposition, the European Commission on 7 May 2025 sent a reasoned opinion under Article 258 TFEU to nineteen Member States, Cyprus included, for failing to notify full transposition of NIS2. This means the Commission considered the local notification incomplete relative to the directive's text. Whether or not that opinion ultimately produces a Court of Justice referral, the practical signal is unambiguous. The Commission is enforcement minded on NIS2, and Cypriot organisations should not assume that quiet compliance with L. 89(I)/2020 as it stood in 2024 is sufficient under the amended regime.
Two Authorities That Matter: The DSA and the National CSIRT
Under the amended law, two national bodies enforce cybersecurity in Cyprus. The Digital Security Authority is the central supervisory authority. It registers regulated entities, conducts audits and inspections, issues binding instructions, and imposes fines. The National CSIRT, sitting inside the DSA structure, runs the operational layer: vulnerability advisories, incident response coordination, and threat intelligence sharing. Its public CVE feed at csirt.cy has tracked a steady stream of advisories through 2025 and 2026, including widely deployed software such as 7-Zip, Trend Micro Apex One, MongoDB, and the WPC Admin Columns plugin family.
This split mirrors the structural pattern that the European Union Agency for Cybersecurity (ENISA) has encouraged across Member States, with a strategic and supervisory function distinct from a tactical and operational function. In its 2024 Report on the State of Cybersecurity in the Union, ENISA recorded 188 incidents reported by national authorities from 26 EU Member States and 2 EFTA countries, and introduced the EU Cybersecurity Index as a comparative measure of Member State cybersecurity posture. Cyprus participates in both reporting streams.
For organisations operating in Cyprus, the practical implication is that cyber incidents now have two notification destinations. Significant incidents at regulated entities under NIS2 must reach the supervisory authority on a defined timeline, in line with the directive's harmonised approach (a 24 hour early warning, a 72 hour incident notification, and a one month final report). Personal data breaches under the GDPR remain a separate notification stream to the Office of the Commissioner for Personal Data Protection. The two regimes overlap in many real incidents, and getting the dual notification right is a planning exercise that is best done before the incident, not during it.
The 2020 Cybersecurity Strategy and Its Six Pillars
The strategic frame for all of this is the Cybersecurity Strategy of the Republic of Cyprus 2020, the public version of which is hosted by ENISA. The strategy is structured around six operational pillars: Protect (risk based protection of infrastructure, services, and information), Detect (detection of incidents and attempted attacks), Respond (incident management across technical, operational, and strategic levels), Recover (return to normal operating levels after a successful attack), Evaluate (measurement of the strategy's actions and their impact on national cybersecurity levels), and Improve (continuous refinement of actions and recommendations).
Anyone reading this who recognises the structure as a near match for the NIST Cybersecurity Framework's five functions (Identify, Protect, Detect, Respond, Recover) is reading correctly. Cyprus extended the NIST model with explicit Evaluate and Improve pillars to embed feedback loops at the strategic level. In practice this means the DSA is empowered to ask not only whether you have controls in place but whether you can demonstrate that those controls are tested, measured, and improved over time. That expectation maps directly onto how NIS2 management body accountability will be assessed.
A 2025 government allocation of 8.5 million euro for national cybersecurity has been reported in Cypriot press as part of the operational follow through on this strategy. Whether that figure is sufficient is debatable. What is not debatable is that the strategy creates a written measuring stick that auditors, regulators, and litigation counterparties will reach for when assessing whether a Cypriot organisation took cybersecurity seriously.
The Threat Surface: What Actually Happened in 2024 and 2025
In October 2024 a coordinated wave of cyberattacks targeted Cyprus's critical infrastructure and government online presence. Targets reported by SecurityWeek, The Record, and Industrial Cyber included the Hermes Airport website, the Bank of Cyprus, the Cyprus Electricity Authority, the Cyprus Telecommunications Authority, EKO Cyprus, and the gov.cy main portal. Several pro Palestine groups, among them an actor calling itself LulzSec Black, claimed the campaign as retaliation for the country's stated policy positions. The Ministry of Research, Innovation, and Digital Policy reported that most attacks were thwarted, with only brief disruption to gov.cy, no other state services affected, and no documented data exfiltration. The incident still demonstrated something useful for policy purposes: a politically motivated actor was willing to coordinate a multi target campaign against Cyprus and could reach the front door of named utilities.
In 2025 a breach of the Cyprus Post platform, reported in local cybersecurity coverage, illustrated a different failure mode. Centralised aggregation of citizen and business data in a national logistics provider creates supply chain ripple effects: when one platform is compromised, the blast radius extends across every entity that interacts with it. This is exactly the scenario that NIS2 was drafted to address through its expanded coverage of digital infrastructure and ICT service management.
The annual macro view comes from ENISA. The ENISA Threat Landscape 2025, covering 1 July 2024 to 30 June 2025, analysed 4,875 incidents EU wide and identified threats to availability (notably DDoS), ransomware, and threats against data as dominant. The 2024 edition identified seven prime threat categories with availability and ransomware at the top. The Cyprus specific texture in those numbers is not always called out individually, but the categories that matter for Cypriot critical infrastructure (banking, telecommunications, transport, postal) and for the Cypriot economy more broadly (shipping, professional services, gambling, fintech) all sit squarely inside ENISA's top tier of risk.
Data Protection: A Regulator Building Case Law Since 2018
Cybersecurity and data protection are governed in parallel in Cyprus, and the data protection regulator has the longer enforcement track record. The Office of the Commissioner for Personal Data Protection is the national supervisory authority for the GDPR. As of May 2024, as reported in the Cyprus Mail and confirmed in the Commissioner's public communications, the Office had handled more than 2,500 complaints, conducted 506 audits, and issued 299 decisions, with cumulative administrative fines of approximately 1.561 million euro since the GDPR took effect in May 2018. These are modest figures relative to peer regulators, but they have been steadily climbing and the underlying decisions have been unusually well reasoned.
Recent enforcement gives a sense of the regulator's posture. A medical data breach attracted a 1,500 euro fine. A December 2024 Health Insurance Organization case produced a double penalty: 1,500 euro for an incomplete response to a data subject access request, and 3,000 euro for non cooperation with the Authority. Two Google Analytics complaints in February 2024 ended in compliance orders without fines, but the orders themselves required changes to international data transfer architecture. The pattern is clear. The Commissioner is willing to combine procedural fines (for failing to respond, failing to cooperate) with substantive findings on transfer mechanics and breach handling.
For organisations holding Cypriot personal data, the GDPR ceiling remains the headline: 10 million euro or 2 percent of worldwide annual turnover, whichever is higher, for security infringements; 20 million euro or 4 percent for the most serious categories. What is more operationally useful is that the Commissioner accepts well documented breach notifications and effectively rewards entities that demonstrate proactive remediation. The Cypriot enforcement playbook favours organisations that detect quickly, notify properly, and remediate visibly.
Maritime: A Sector Where Cyprus Punches Far Above Its Weight
Cyprus operates one of the largest shipping registries in the European Union and one of the top eleven globally. That makes International Maritime Organization (IMO) cybersecurity rules a Cypriot business issue in a way it is not for many comparable Member States. The IMO published an updated Guidelines on Maritime Cyber Risk Management as MSC FAL.1 Circular 3 Revision 3 on 4 April 2025, replacing the previous Revision 2. The IMO cybersecurity rules embedded in the IMO Goal Based Standards regime entered into force on 1 July 2024 and apply to all newbuild contracts signed from that date forward.
Underneath the IMO guidelines, the International Association of Classification Societies (IACS) Unified Requirements UR E26 (system integration) and UR E27 (essential onboard systems) define the technical baseline. These are based on IEC 62443 and govern the secure integration of operational technology and information technology equipment across the design, construction, commissioning, and operational life of a vessel. For Cypriot owners, managers, and the Cyprus flag administration, this means that cyber risk is now a class society survey item, not an optional security exercise.
The combined picture for Cypriot maritime is sobering: a doubled global threat volume in 2025 (828 maritime cyber incidents versus 408 in 2024 according to industry reporting cited by the Cyprus Mail), a tightened class regime with mandatory IMO requirements for newbuilds, and updated operational guidelines as of April 2025. Shore based commercial systems, including fleet management software, port community systems, shipping company ERP, and banking integrations, are equally in scope under the NIS2 transport and digital infrastructure provisions. The gap between maritime IT security and maritime OT security has historically been wide. 2026 is the year that gap closes by force of regulation.
What This Means for Businesses Operating in Cyprus
The 2026 compliance and resilience baseline for an organisation with operations in Cyprus is substantially higher than it was 18 months ago. NIS2 has expanded the population of regulated entities and tightened reporting timelines. The DSA has supervisory authority, registration powers, audit powers, and a fine ceiling measured in millions of euro. The Commissioner for Personal Data Protection continues to issue reasoned decisions on access requests, breach handling, and international transfers. The threat landscape across critical infrastructure, maritime, and the citizen and business population has measurably worsened.
The practical work that needs to be done now is unglamorous but specific. Map your services against the NIS2 sectoral lists and confirm whether you are an essential entity, an important entity, or out of scope. Build the dual notification capability (DSA and Commissioner) before you need it. Adopt the six pillar Cyprus strategy structure as your internal control map. Run incident response exercises that exercise the legal notification clock as well as the technical containment clock. Document the management body's role in cybersecurity governance, because the directive explicitly extends accountability to that level.
For sectors where Cyprus has strategic depth (shipping, financial services, fintech, gambling, professional services), the regulatory and threat posture is especially worth taking seriously. The country's own Presidency platform names cybersecurity as a priority, the Commission has signalled it will not accept partial NIS2 transpositions quietly, and the local enforcement infrastructure has the legal authority to act. The work to do is not new in kind, only in volume and in pace. The organisations that get ahead of it in 2026 will spend the rest of the decade competing on engineering and on commercial outcomes rather than firefighting a problem that was foreseeable from the strategy and the ENISA reports.
- Confirm NIS2 status (essential, important, or out of scope) against the sectoral lists in L. 60(I)/2025
- Build dual notification runbooks: DSA on the NIS2 timeline, Commissioner on the GDPR 72 hour clock
- Adopt the six pillars (Protect, Detect, Respond, Recover, Evaluate, Improve) as your internal control map
- Document management body accountability for cybersecurity decisions, in line with NIS2 Article 20
- Run quarterly incident exercises that test legal notification timing alongside technical containment
- For maritime operators, align newbuild specifications with IACS UR E26 and UR E27, based on IEC 62443
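As an added example that is not part of the article, the Python below turns the dual notification timelines described earlier (NIS2 to the DSA, GDPR to the Commissioner) into a deadline schedule that an incident runbook can drive. It assumes both clocks start when the entity becomes aware of the incident and that the NIS2 final report falls due one month after the 72 hour incident notification, which is how the directive frames it; the function and class names are the example's own.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Deadline:
    regime: str     # "NIS2" (to the DSA) or "GDPR" (to the Commissioner)
    step: str       # which filing this deadline is for
    due: datetime   # timezone-aware due time


def add_months(ts: datetime, months: int) -> datetime:
    """Add calendar months, clamping the day (31 Jan + 1 month -> 28/29 Feb)."""
    month_index = ts.month - 1 + months
    year = ts.year + month_index // 12
    month = month_index % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def notification_schedule(aware_at: datetime, personal_data: bool) -> list[Deadline]:
    """Every filing deadline triggered by becoming aware at `aware_at` (assumption: both
    regimes' clocks start at awareness; the NIS2 final report runs one month after
    the 72 hour incident notification)."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; naive times hide DST errors")
    incident_notice = aware_at + timedelta(hours=72)
    schedule = [
        Deadline("NIS2", "early warning", aware_at + timedelta(hours=24)),
        Deadline("NIS2", "incident notification", incident_notice),
        Deadline("NIS2", "final report", add_months(incident_notice, 1)),
    ]
    if personal_data:  # GDPR stream only exists if personal data is affected
        schedule.append(Deadline("GDPR", "breach notification", aware_at + timedelta(hours=72)))
    return sorted(schedule, key=lambda d: d.due)  # stable: NIS2 stays before GDPR on ties


def schedule_from_iso(aware_iso: str, personal_data: bool) -> list[tuple[str, str, str]]:
    """Convenience wrapper for runbooks and tests: ISO 8601 in, ISO 8601 out."""
    aware = datetime.fromisoformat(aware_iso)
    return [(d.regime, d.step, d.due.isoformat())
            for d in notification_schedule(aware, personal_data)]


def overdue(schedule: list[Deadline], now: datetime, filed: set[tuple[str, str]]) -> list[Deadline]:
    """Deadlines already passed that have not been marked as filed (regime, step)."""
    return [d for d in schedule if d.due <= now and (d.regime, d.step) not in filed]
```

Feed `overdue()` the set of filings actually submitted during an exercise to see which legal clock the team missed while containment was under way.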