Cyprus CY

Cyprus adopted its national cybersecurity strategy in 2012: Cybersecurity Strategy of the Republic of Cyprus - Network   and   Information   Security   and   Protection   of   Critical Information Infrastructures, https://www.cyberwiser.eu/sites/default/files/ec_doc_stratigikikevernoas....

The national strategy has the following objectives:

  • Obj. 1 - Developing and preserving a safe and secure electronic business environment in Cyprus.
  • Obj. 2 - Supporting the targets of the government that have been identified in the ‘Digital Cyprus’ strategy programme to develop conditions for an Information Society.
  • Obj. 3 - Developing trust, on behalf of citizens and organisations/businesses, in e-government services, including the preservation of information and data in transit, processing and storage.
  • Obj. 4 - Establishing a safe electronic environment in the Republic of Cyprus for all of its citizens, including children,
  • Obj. 5 - Mitigating the effects of threats in cyberspace and the effective response to emergencies,
  • Obj. 6 - Supporting a future coordinated national response plan for the protection of critical infrastructures (beyond ICT) in the Republic of Cyprus.

 

 

NATIONAL CYBERSECURITY STRATEGY - NIS Capacities

 

Year of adoption 2012 CYBERSECURITY STRATEGY OF THE REPUBLIC OF CYPRUS
Updates and revisions

In 2006, the Ministry of Communications and Works (MCW) approved a policy document3, through which a number of specific actions in the area of network and information security are promoted, via OCECPR: the formation of Computer Emergency Response Teams (CERTs / CSIRTs), the creating of an institutional framework for the security and integrity of information infrastructures, and the raising of awareness of all stakeholders and Cypriot society about relevant security matters.
In 2010, upon recommendations by OCECPR which were received favourably by ENISA, MCW also approved a detailed policy document4 regarding the operation of a governmental and an academic CERT. The Cypriot CERTs are being formed with the extension potential to cover the private business sector at a later stage. The founding of the CERTs has been formalised via secondary legislation P.I.358/2010.


Within 2012, new provisions are being introduced into The Regulation of Electronic Communications and Postal Services Law of 2004 (112 - 2004), which stem from the new Regulatory Framework for Electronic Communications5 and which cover matters related to network and information security. These new provisions have been applied, on a European level, since 25th May 2011.
The Republic of Cyprus, in cooperation with the relevant stakeholders, has committed, via the Telecommunications Ministerial Council, to contribute to European and international collaboration for responding to threats and challenges in cyberspace.

In 2017, at the Conference titled "How S@fe is your Business?", George Michaelides, Commissioner of Electronic Communications & Postal Regulation (OCECPR), spoke about the new Network and Information Security (NIS) directive which applies to operators of "essential services” in "critical sectors” .
The Commissioner that the vision of the Cybersecurity Strategy of the Cyprus Government is the protection of all critical information infrastructures of the state and the operation of information and communication technologies with the necessary levels of security, for the benefit of every citizen, the economy and the country itself.
The Commissioner also stated that building awareness for SMEs is very important as well because if these companies are attacked, the whole economy of the state is affected.

Implementation and monitoring

The competent/related authorities that are involved at this stage are the following:

  •  Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR)
  •  Department of Information Technology Services (DITS)
  •  Cyprus Police
  •  National Guard General Staff
  •  National Security Authority
  •  Central Intelligence Service
  •  Office of the Commissioner for Personal Data Protection
  •  Ministry of Communications and Works (MCW)
  •  Department of Electronic Communications (DEC)
  •  Civil Defence Force
  •  Cyprus Fire Service
  •  Unit for Combating Money Laundering

The following authorities of the Republic of Cyprus are to be kept informed of the activities described herein and are observers at this stage:

  •  Law Office of the Republic of Cyprus
  •  Auditor General
  •  Internal Audit Service
  •  Central Bank of Cyprus.

It is noted that the competent authority of the Republic of Cyprus that has responsibilities relating to Classified Information (CI) and European Union Classified Information (EU CI) is the National Security Authority.

Operational capacity building

The Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR) is an independent regulatory authority of the Republic of Cyprus in matters of electronic communications and postal services, with additional responsibilities in the areas of terminal equipment, network and information security and protection of critical information infrastructures. It has been designated as the body responsible for coordinating the implementation of the National Cybersecurity Strategy of the Republic of Cyprus, which concerns the pillars of network and information security (cybersecurity), cybercrime, cyberdefence and related external affairs.

OCECPR is responsible for the creation and coordination of a body or bodies for response to incidents related to Network and Information Security (CSIRTs - Computer Security Incident Response Teams or CERTs - Computer Emergency Response Teams) in Cyprus. It also supervises and regulates the activity of the above CSIRT / CERT entities.

OCECPR, with secondary legislation, sets minimum standards for the security of public networks and networks that offer electronic communications services to third parties, and monitors the level of implementation of relevant organisational, procedural and technical measures. It is also responsible for receiving security breach notifications, related to the networks and personal data of the consumers, and disseminating them as deemed necessary for national level cooperation, but also to other Member States of the European Union, ENISA and the European Commission.

Legal conditions

The main laws in the field of cybercrime in Cyprus are:
1. The Law ratifying the Convention on Cybercrime (Budapest Convention), L.22(III)/2004. This legislation covers hacking, child pornography and fraud committed via electronic communication and the Internet.
2. The Law that revises the legal framework on the prevention and combating the sexual abuse and sexual exploitation of children and child pornography, L 91(I)/2014. This legislation ratifies the EU Directive 2011/93/ΕΕ and covers child pornography, grooming and notice and takedown.
3. The Law ratifying the Additional Protocol to the Convention on Cybercrime, concerning the Criminalization of Racist and Xenophobic acts, L.26(III)/2004. This legislation covers racism and xenophobia via computer systems and the Internet.
4. The Law on the Processing of Personal Data, L.138(I)/2001.
5. The Law on the Retention of Telecommunication data for the investigation of serious offences, L. 183(I)/2007. This legislation transposed Directive 2006/24/JHA. Although the Directive was invalidated by the Court of Justice of the EU, the national law is still valid. The national law is founded on a constitutional provision and it includes specific safeguards for the protection of privacy; for example, communication data are released only following a court order. A case was recently filed with the Supreme Court on the impact of the annulment of the EU Directive on Law 183(I)/2007 and the Supreme Court found that it complied with the European Convention of Human Rights.
6. Law 112(I)/2004 Regulating Electronic Communication and Postal Services.
7. Law implementing Directive 2013/40/EU on attacks against information system, 147(i)/2015.

Business and Public private partnerships

At the moment, there is public-private cooperation in the fields of awareness for cybersecurity and in the creation of a cybercrime centre of excellence. A biennial CYpBER conference is providing a liason between Cyprus government and private sector representatives dealing with cybersecurity concerns (mostly related to oil and gas industry). 

Other capacity-building measures: research and education

The strategy includes a dedicated chapter on training and capacity development, including:

  • Identification of appropriate (and available) training programmes and certifications.
  • Promote the uptake of such programmes within the government.
  • Creation of a suitable workforce with the necessary specialised knowledge.
  • Inclusion of relevant certifications and experience into job descriptions that relate to electronic security.
  • Support activities in Cypriot higher education institutions in the area of network and information security, through the inclusion of electronic security topics in their curricula and the institution of related research programmes.

The Cyprus Cybercrime Center of Excellence (3CE), http://www.3ce.cy/en/, provides short-term, highly focused and specialised training seminars on cybercrime-related issues for public and private sector participants. Courses facilitate the exchange and diffusion of tacit knowledge and expertise and familiarise participants with new technologies and tools, and improve their day-to-day activities related to the Cybercrime area. University courses on Cybercrime developed and delivered to stakeholders will provide better understanding of the legal and technical elements of cybercrime for new generation scientists. Courses will be made available under creative commons licensing terms for LEAs worldwide. 3CE aspires to become an exemplary Centre of Excellence in the area of Cybercrime by conducting research in relevant fields, focusing particularly on areas dealing with forensic analysis, intrusion detection systems of critical information infrastructures, and legal aspects of cybercrime.

Date of last analysis

July 2017

 

 

 

Compliance with the GDPR and NIS Directive: Report a cyber incident

Report a cyber incident to national CERT/CSIRT

There is not a clear incident reporting platform for the collection of cybersecurity incident data in Cyprus. The lack of a CERT or similar authority means cybersecurity incident data is not centrally logged.

Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR): http://www.ocecpr.org.cy/

Department of Information Technology Services (DITS)

National Security Authority

Central Intelligence Service

Department of Electronic Communications (DEC)

Cyprus Research and Academic CSIRT
General Contact Information

Email: secretariat@cynet.ac.cy
Tel. +357 22 895254
Fax. +357 22 895494


Network Operations Centre
For technical support during working hours (8.00-14.30 – M-F)
Email: noc@cynet.ac.cy
Τel : +357 22 895252, +357 22 895253, +357 22 894444
For technical support during off-working hours (only for URGENT calls and connection problems) (14.30 – 07.59 – M-F, Full-Day on Weekends)
Email: noc@cynet.ac.cy
Tel: +357 99 536858


Complaint Submission
Email: secretariat@cynet.ac.cy
Tel. +357 22 895254
Fax. +357 22 895494

Best practices

The mission of the KIOS Research and Innovation Centre of Excellence (KIOS CoE) http://www.kios.ucy.ac.cy/ is to conduct multidisciplinary research and innovation in the area of Information and Communication Technologies (ICT) with emphasis on the Monitoring, Control, Security and Management of Critical Infrastructures.

KIOS CoE strives to create a regional research and innovation ecosystem in the area of ICT, resulting in major economic and societal benefits for Cyprus and Europe as a whole, by cultivating a vibrant research and innovation cluster in high technology areas linking universities, technology companies and end users, government agencies, as well as enterprise support companies.

Languages

English

Last WISER update July 2017

 

Contact us for more info