NIS2 — Cyprus

Who must comply here

NIS2's scope is set at EU level and applies in every Member State. You are generally covered if you operate in an Annex I sector of high criticality (energy, transport, banking, health, drinking/waste water, digital infrastructure, ICT management, public administration, space) or an Annex II critical sector (postal, waste, chemicals, food, manufacturing, digital providers, research) and reach the size threshold — at least 50 employees, or annual turnover or balance-sheet total above €10 million. Some entities (DNS/TLD, trust services, public electronic communications, the sole provider of an essential service) are covered regardless of size, and even if you are not designated, your in-scope customers extend the duties to you by contract.

Reporting an incident & registering

If a significant incident affects your services, NIS2 requires an early warning within 24 hours, a notification within 72 hours and a final report within one month (Art. 23) — and a supplier-caused incident can start your clock too. Most in-scope entities must also register with the national authority. Use the authority and CSIRT above for the national reporting and registration channel.

Penalties

NIS2 sets EU-wide maximum fines — up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and up to €7 million or 1.4% for important entities (Art. 34). The management body must approve and oversee the measures and can be held liable (Art. 20). National transposition may add specifics — confirm with the authority.

Go deeper

How norppa.io helps here

norppa.io monitors your suppliers' cyber risk continuously and maps every finding to the NIS2 articles — in this country's language and seven others. The same evidence supports your supplier file and a supervisory authority's questions, wherever in the EU you operate.