NIS2 & DORA COMPLIANCE — CYPRUS

Stay Compliant. Stay Resilient. Stay in Business.


ISO 27001 certified · Sophos Platinum Partner · 24×7×365


2026 Is the Year Cyprus Cybersecurity Regulation Got Real

For years, NIS2 and DORA were future problems. Not anymore. DORA has been fully applicable across the EU since 17 January 2025, and NIS2 was transposed into Cypriot law through Law 60(I)/2025 — the Network and Information Systems Security (Amendment) Law — effective April 2025. The Digital Security Authority (DSA) is actively supervising. Penalties are now enforceable.

In parallel, the threat environment has worsened. National survey data shows that 53% of Cypriot businesses suffered a cyberattack or breach in 2025, up from 47% the prior year. The average business is hit every eight days, with phishing driving 44% of successful attacks and average financial losses around €12,000 per incident.

The bottom line: Cybersecurity is no longer an IT line item — it is a board-level legal obligation under EU law, with personal liability for senior management.

NIS2 or DORA or Both?

NIS2 and DORA cover different parts of the economy and apply according to different criteria. The quick test below will help you self-identify before you talk to us.

You are likely in scope for NIS2 if you are…

A medium or large business (50+ employees and €10M+ turnover or balance sheet) operating in: energy, transport, banking, financial market infrastructure, healthcare, drinking or waste water, digital infrastructure (data centres, cloud, DNS), ICT service management (MSPs, MSSPs), public administration, space, postal and courier services, waste management, manufacture of food, chemicals, medical devices or critical products, digital providers (online marketplaces, search engines, social networks) or research organisations.

You are likely in scope for DORA if you are…

A regulated financial entity in Cyprus or the EU: banks and credit institutions, investment firms, payment institutions, electronic money institutions, insurance and reinsurance undertakings, intermediaries, crowdfunding service providers, crypto-asset service providers, central securities depositories, central counterparties, trading venues, fund managers, credit rating agencies, account information service providers, and a wider set of financial market participants. Critical ICT third-party providers serving the financial sector also fall in scope.

Operating across both worlds? If you are a technology firm, MSP or shared-services provider that delivers ICT services into financial clients and into other regulated sectors (e.g. healthcare, energy), you may need to comply with both frameworks for different parts of the business. CDMA helps you map obligations once and execute against both.

NIS2 vs DORA at a Glance

Both frameworks raise the cybersecurity bar — but they are structured differently, supervised differently, and apply to different organisations. Use this table to orient your leadership team.
Legal type
  NIS2: EU Directive (transposed into national law in each member state)
  DORA: EU Regulation (directly applicable across all member states)

Sectors covered
  NIS2: 18 sectors – energy, transport, healthcare, water, digital infrastructure, managed IT services, public administration and more
  DORA: Financial sector only – banks, insurers, investment firms, payment institutions, crypto-asset service providers, critical ICT third-party providers

Who is in scope
  NIS2: Generally medium and large entities: 50+ employees and €10M+ turnover or balance sheet (some entities in scope regardless of size)
  DORA: All regulated financial entities, regardless of size – even a two-person fintech is in scope

Supervisory authority (Cyprus)
  NIS2: Digital Security Authority (DSA)
  DORA: Sector-specific competent authorities (e.g., CBC, CySEC, ICCS) under coordination of the European Supervisory Authorities

Incident reporting
  NIS2: Early warning within 24 hours (Cyprus requires within 6 hours); incident notification within 72 hours; final report within 1 month
  DORA: Initial notification of major ICT-related incidents without undue delay, followed by intermediate and final reports under ESA technical standards

Maximum administrative fines
  NIS2: Essential entities: up to €10M or 2% of global annual turnover (whichever is higher). Important entities: up to €7M or 1.4%
  DORA: Financial entities: up to 2% of total annual worldwide turnover. Critical ICT third-party providers: periodic penalties up to 1% of average daily worldwide turnover

Status in 2026
  NIS2: Transposed in Cyprus via Law 60(I)/2025; enforcement is active
  DORA: Fully applicable since 17 January 2025; supervisory review phase in 2026

Relationship
  NIS2: General cybersecurity baseline across sectors
  DORA: Lex specialis – takes precedence for financial entities on overlapping topics

Important nuance: DORA is a lex specialis to NIS2. A financial entity that is fully DORA-compliant is considered to have satisfied the overlapping NIS2 obligations on ICT risk and incident management. The reverse is not true — NIS2 compliance does not get a bank or fintech to DORA.

The Key Dates You Cannot Miss

  • 17 January 2025 — DORA fully applicable across the EU. No grace period for new financial entities.
  • April 2025 — NIS2 transposed in Cyprus through Law 60(I)/2025; Digital Security Authority is the competent authority.
  • Within 6 hours of detection — Cypriot entities under NIS2 must submit an early warning to the DSA (one of the strictest timelines in the EU).
  • Within 24 / 72 hours — Early warning and full incident notification timelines under the wider NIS2 baseline.
  • March 2026 — Second annual DORA Register of Information submission for financial entities.
  • Throughout 2026 — Active supervisory enforcement: audits, evidence requests and administrative fines, not just self-assessment.

What Non-Compliance Actually Costs

Administrative fines

  • NIS2 essential entities: up to €10 million or 2% of global annual turnover, whichever is higher.
  • NIS2 important entities: up to €7 million or 1.4% of global annual turnover.
  • DORA financial entities: up to 2% of total annual worldwide turnover.
  • DORA critical ICT third-party providers: periodic penalties of up to 1% of average daily worldwide turnover.

Beyond the fine

  • Personal liability and temporary management bans for executives under NIS2.
  • Mandatory public disclosure of compliance failures.
  • Loss of customer trust, contractual exits and partner offboarding.
  • Operational disruption that compounds the cost of the original incident.

Real-world context: With Cypriot businesses being hit on average every eight days, the question is no longer whether a compliance gap will be tested — it is when, and how visible the test will be.

Our 6-Step Compliance Roadmap

We do not sell a checkbox. We deliver an end-to-end programme that turns NIS2 and DORA from a regulatory anxiety into a structured, evidenced, audit-ready capability.

1. Gap Analysis & Scoping

We map your business against the specific articles of NIS2 and/or DORA that apply to you — sectors, size thresholds, ICT footprint, third parties — and produce a prioritised gap report. Most clients receive their initial assessment within two weeks.

2. Risk Management Framework

We design and document an ICT risk management framework aligned to ISO 27001 and the NIST Cybersecurity Framework, covering identification, protection, detection, response and recovery — the same five-pillar lifecycle DORA requires of financial entities.

3. 24×7 Detection & Incident Response

NIS2 demands an early warning within 6 hours in Cyprus. DORA requires reporting of major ICT incidents without undue delay. Our Sophos-powered managed detection and response, NOC and 24×7×365 helpdesk are built to hit those clocks every time.

4. Supply Chain & Third-Party ICT Risk

We build your third-party register, contractual templates and continuous monitoring of ICT vendors — the area where most organisations are weakest, and where both frameworks have sharply increased expectations.

5. Business Continuity, DR & Resilience Testing

We run real disaster recovery and business continuity exercises, not paper drills. For DORA-significant entities we coordinate threat-led penetration testing (TLPT) in line with TIBER-EU-aligned methodologies.

6. Governance, vCISO & Executive Reporting

A vCISO-led governance layer puts cybersecurity on the board agenda with KPIs, risk registers, training programmes and reporting evidence — exactly what supervisory authorities now expect to see.

Why Cyprus Businesses Choose CDMA for NIS2 & DORA

ISO 27001 certified — our own security management system is audited to the same standard we help clients adopt.

Sophos Platinum Partner & Sophos MSP Partner of the Year FY24 — recognised excellence in managed detection, response and endpoint protection.

20+ years in Cyprus regulated sectors — financial services, insurance, fintech, hospitality, professional services, public-facing infrastructure.

24×7×365 NOC, SOC and helpdesk — the operational backbone that makes 6-hour reporting clocks realistic, not theoretical.

Local presence, EU-wide knowledge — Nicosia-based team that speaks the language of the DSA, CBC, CySEC and ICCS.

98.4% customer satisfaction — measured continuously, not stated once.


What You Get with CDMA Compliance Engagements

  • NIS2/DORA gap analysis and audit-ready evidence packs
  • Managed Security Services — 24/7 monitoring, MDR, vulnerability management.
  • vCISO and vCIO services — fractional senior leadership and board reporting.
  • IT Compliance and policy framework — ISO 27001, GDPR, NIS2, DORA mapped to a single control set.
  • Business Continuity and Disaster Recovery — tested, documented, evidenced.
  • Human Risk Management — phishing simulations, awareness, training and reporting.
  • Cloud security and migration — Microsoft 365, Azure, AWS, Google Cloud.
  • Third-party / supply-chain risk programme

Frequently Asked Questions

NIS2 generally applies to medium and large entities in covered sectors (50+ employees and €10M+ turnover or balance sheet). However, some entity types — including DNS providers, trust service providers and certain digital infrastructure providers — are in scope regardless of size, and supply-chain expectations mean that even smaller firms increasingly need to demonstrate basic cyber hygiene to keep contracts with in-scope clients.

DORA is a lex specialis to NIS2, so full DORA compliance covers the overlapping NIS2 obligations on ICT risk and incident reporting. You should still consider GDPR, sector-specific guidance from CBC/CySEC/ICCS, and any contractual obligations from clients or counterparties.

Under NIS2 in Cyprus you must submit an early warning to the Digital Security Authority within 6 hours of detection, followed by a notification within 72 hours and a final report within one month. Under DORA, major ICT-related incidents must be notified to your competent authority without undue delay, with intermediate and final reports as defined by the European Supervisory Authorities.

No. NIS2 and DORA explicitly require governance, risk management, incident response, third-party oversight, resilience testing and executive accountability — not a single product. Tools matter, but they must sit inside a documented, evidenced management system.

A typical journey starts with a two-week gap analysis, followed by 60–90 days of remediation work on critical gaps, and then ongoing managed services for detection, response, vCISO oversight and continuous evidence. We adapt to your size, sector and existing maturity.

Not necessarily. We frequently work alongside in-house IT teams and other providers, taking on the compliance, security operations and vCISO layers while existing teams continue to handle day-to-day IT. Where we do take over IT support, the transition is structured to avoid service disruption.

Don’t Wait for the First Audit Letter

Most organisations only realise where their NIS2 or DORA exposure sits when a regulator, a client or an incident forces the question. The cheapest, fastest, lowest-risk moment to fix it is before any of those happen.


Book a free, no-obligation compliance assessment with a CDMA specialist. We will spend 30 minutes understanding your business, give you an honest read on your exposure under NIS2 and DORA, and tell you exactly what — if anything — you need to do next.