12 March 2026 Update - The transposition of NIS 2 in Cyprus
Cyprus initially planned to transpose the directive by the EU deadline of October 2024. However, the legislative process took longer than expected, and Cyprus missed the deadline, placing it among the Member States that had not completed the implementation of the directive by October 2024. The European Commission subsequently launched enforcement action against several countries that had not fully notified their transposition measures. According to the Commission’s official status page, Cyprus received a reasoned opinion on 7 May 2025 for failure to notify full transposition.
The key legislative milestone occurred in April 2025, when the Cypriot Parliament adopted the Law on the Security of Networks and Information Systems (Amendment) of 2025. This law amended the existing cybersecurity statute and incorporated the requirements of the NIS 2 Directive into the Cypriot legal framework.
The amendment modernized the earlier cybersecurity law and significantly expanded its scope. It introduced the core structural concepts of the NIS 2 regime, including the classification of organizations as essential entities and important entities and the introduction of stronger governance, risk management, and incident-reporting obligations.
The amended law extends cybersecurity obligations to organizations operating in sectors corresponding to the directive’s annexes, including energy, transport, banking, healthcare, digital infrastructure, public administration, and space-related services, as well as additional sectors such as postal services, waste management, manufacturing industries, and food production.
Cyprus has now transposed the NIS 2 Directive into national law, and the legislative phase of the process is complete. As in many other Member States, the practical implementation of the framework continues beyond the adoption of the legislation. Authorities must still complete the identification and classification of entities across multiple sectors, establish supervisory procedures, and ensure that organizations implement the required cybersecurity governance and risk-management measures.
The most significant remaining step concerns the full identification of essential and important entities under the national framework. This process is carried out centrally by the Digital Security Authority, which evaluates organizations according to sectoral criticality, economic significance, and size thresholds.
Another ongoing element is the development of practical supervisory procedures, including compliance audits, inspections, and enforcement mechanisms. Essential entities are subject to both proactive and reactive supervision, while important entities are typically supervised reactively, particularly after incidents or indications of non-compliance.
Organizations that fall within the scope of the new regime must develop internal cybersecurity governance frameworks that satisfy the directive’s requirements. This includes establishing cybersecurity risk management systems, implementing supply chain security controls, maintaining incident response capabilities, and ensuring that senior management is directly responsible for cybersecurity oversight.