Cyprus has transposed the Directive on Security of Network and Information Systems (the "NIS Directive") into national law, in the form of the Security of Network and Information Systems Law of 2017 (the "NIS Law").

Risk management and incident reporting obligations are imposed on operators of essential services and digital service providers by the NIS Law.

Under the NIS Law, operators of essential services will have to take appropriate security measures and to notify serious incidents to the competent authority. Such incidents are any events which have an actual adverse effect on the security of network and information systems in Cyprus.

Operators of essential services are private businesses or public entities with an important role in society and for the economy. Essential services are defined under the NIS Law as being the physical or virtual assets, systems, networks located within Cyprus and which are necessary for the maintenance of substantive functions and services in society, health, security, economic and social welfare of citizens, and the disruption or destruction of which would have a significant impact.

Operators of essential services are identified by drawing from Annex II to the Directive and applying these criteria:
(i) the entity provides a service which is essential for the maintenance of critical societal/economic activities;
(ii) the provision of that service depends on network and information systems; and
(iii) a security incident would have significant disruptive effects on the provision of the essential service.

The relevant Annex to the NIS Directive, incorporated in the Cypriot national order through the NIS Law, identifies operators of essential services in the following sectors:

  • Energy: electricity, oil and gas
  • Transport: air, rail, water and road
  • Banking: credit institutions
  • Financial market infrastructures: trading venues, central counterparties
  • Health: healthcare settings
  • Water: drinking water supply and distribution
  • Digital infrastructure: internet exchange points, domain name system service providers, top-level domain name registries

Our expertise

The Digital & Data Practice of Antoniou McCollum & Co. advises on legal issues in the establishment and operation of virtual and physical network infrastructure, cybersecurity and data processing and supports clients on regulatory compliance and administrative proceedings relating to network security.

April 10, 2018

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.