National Cyber Security Strategy

Cyprus adopted its national cyber security strategy in 2012.

The national strategy has the following aims and objectives:

  • the development and preservation of a safe and secure electronic business environment in Cyprus,
  • support of the targets of the government that have been identified in the ‘Digital Cyprus’ strategy programme to develop conditions for an Information Society,
  • the development of trust, on behalf of citizens and organisations/businesses, in e-government services, including the preservation of information and data in transit, processing and storage,
  • the establishment of a safe electronic environment in the Republic of Cyprus for all of its citizens, including children,
  • the mitigation of the effects of threats in cyberspace and the effective response to emergencies,
  • the support of a future coordinated national response plan for the protection of critical infrastructures (beyond ICT) in the Republic of Cyprus.



Current status: National Cyber Security Strategy



Updates and revisions

In 2006, the Ministry of Communications and Works (MCW) approved a policy document [3], through which a number of specific actions in the area of network and information security are promoted, via OCECPR: the formation of Computer Emergency Response Teams (CERTs / CSIRTs), the creation of an institutional framework for the security and integrity of information infrastructures, and the raising of awareness of all stakeholders and Cypriot society about relevant security matters.
In 2010, upon recommendations by OCECPR which were received favourably by ENISA, MCW also approved a detailed policy document [4] regarding the operation of a governmental and an academic CERT. The Cypriot CERTs are being formed with the potential to be extended to cover the private business sector at a later stage. The founding of the CERTs has been formalised via secondary legislation P.I.358/2010.

During 2012, new provisions are being introduced into The Regulation of Electronic Communications and Postal Services Law of 2004 (112 - 2004), which stem from the new Regulatory Framework for Electronic Communications [5] and which cover matters related to network and information security. These new provisions have been applied, on a European level, since 25th May 2011.
The Republic of Cyprus, in cooperation with the relevant stakeholders, has committed, via the Telecommunications Ministerial Council, to contribute to European and international collaboration for responding to threats and challenges in cyberspace.

The National Cybersecurity Strategy adopted in 2012 incorporates and complements the actions discussed above.

Implementation and monitoring

The competent/related authorities that are involved at this stage are the following:

  •  Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR)
  •  Department of Information Technology Services (DITS)
  •  Cyprus Police
  •  National Guard General Staff
  •  National Security Authority
  •  Central Intelligence Service
  •  Office of the Commissioner for Personal Data Protection
  •  Ministry of Communications and Works (MCW)
  •  Department of Electronic Communications (DEC)
  •  Civil Defence Force
  •  Cyprus Fire Service
  •  Unit for Combating Money Laundering

The following authorities of the Republic of Cyprus are to be kept informed of the activities described herein and are observers at this stage:

  •  Law Office of the Republic of Cyprus
  •  Auditor General
  •  Internal Audit Service
  •  Central Bank of Cyprus.

It is noted that the competent authority of the Republic of Cyprus that has responsibilities relating to Classified Information (CI) and European Union Classified Information (EU CI) is the National Security Authority.

Legal conditions

The main laws in the field of cybercrime in Cyprus are:
1. The Law ratifying the Convention on Cybercrime (Budapest Convention), L.22(III)/2004. This legislation covers hacking, child pornography and fraud committed via electronic communication and the Internet.
2. The Law that revises the legal framework on preventing and combating the sexual abuse and sexual exploitation of children and child pornography, L 91(I)/2014. This legislation ratifies the EU Directive 2011/93/EU and covers child pornography, grooming and notice and takedown.
3. The Law ratifying the Additional Protocol to the Convention on Cybercrime, concerning the Criminalization of Racist and Xenophobic acts, L.26(III)/2004. This legislation covers racism and xenophobia via computer systems and the Internet.
4. The Law on the Processing of Personal Data, L.138(I)/2001.
5. The Law on the Retention of Telecommunication data for the investigation of serious offences, L. 183(I)/2007. This legislation transposed Directive 2006/24/JHA. Although the Directive was invalidated by the Court of Justice of the EU, the national law is still valid. The national law is founded on a constitutional provision and it includes specific safeguards for the protection of privacy; for example, communication data are released only following a court order. A case was recently filed with the Supreme Court on the impact of the annulment of the EU Directive on Law 183(I)/2007 and the Supreme Court found that it complied with the European Convention of Human Rights.
6. Law 112(I)/2004 Regulating Electronic Communication and Postal Services.
7. Law implementing Directive 2013/40/EU on attacks against information systems, 147(I)/2015.

Operational capabilities

The Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR) is an independent regulatory authority of the Republic of Cyprus in matters of electronic communications and postal services, with additional responsibilities in the areas of terminal equipment, network and information security and protection of critical information infrastructures. It has been designated as the body responsible for coordinating the implementation of the National Cybersecurity Strategy of the Republic of Cyprus, which concerns the pillars of network and information security (cybersecurity), cybercrime, cyberdefence and related external affairs.

OCECPR is responsible for the creation and coordination of a body or bodies for response to incidents related to Network and Information Security (CSIRTs - Computer Security Incident Response Teams or CERTs - Computer Emergency Response Teams) in Cyprus. It also supervises and regulates the activity of the above CSIRT / CERT entities.

OCECPR, with secondary legislation, sets minimum standards for the security of public networks and networks that offer electronic communications services to third parties, and monitors the level of implementation of relevant organisational, procedural and technical measures. It is also responsible for receiving security breach notifications, related to the networks and personal data of the consumers, and disseminating them as deemed necessary for national level cooperation, but also to other Member States of the European Union, ENISA and the European Commission.


Public private partnerships

At the moment, there is public-private cooperation in the fields of awareness for cybersecurity and in the creation of a cybercrime centre of excellence. A biennial CYpBER conference provides a liaison between the Cyprus government and private sector representatives dealing with cybersecurity concerns (mostly related to the oil and gas industry).

Sector specific cyber security plans

There is no legislation or policy in place in Cyprus that requires the establishment of a written information security plan.

Risk assessment plan

No information provided.

Progress measures

No information currently available.

Date of last analysis

March 2013




Current status: NIS Directive and national CERTs/CSIRTs

Computer security incident response teams (CSIRTs)

There is no clear incident reporting platform for the collection of cybersecurity incident data in Cyprus. The lack of a CERT or similar authority means cybersecurity incident data is not centrally logged.

Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR):

Department of Information Technology Services (DITS)

National Security Authority

Central Intelligence Service

Department of Electronic Communications (DEC)

Monitoring system

No information currently available.

Report an incident

Cyprus Research and Academic CSIRT



Date inserted October 2016

