NIS2 and DORA: What Cyprus Companies Need to Know

06 . 10 . 25

Two major pieces of EU legislation, NIS2 and DORA, are changing the way several organisations in Cyprus must approach cybersecurity and digital resilience. Both are designed to protect Europe’s economy and society from cyber threats and ICT disruptions.

NIS and NIS2 in Simple Terms

  • NIS (2016): The EU’s first law on cybersecurity. It required essential service providers and certain digital companies to take basic security measures and report serious incidents.
  • NIS2 (2023): The updated Directive. It expands the scope to cover more sectors and more companies. It also sets stricter security requirements, faster reporting deadlines, and heavier fines for non-compliance.

Who is Affected in Cyprus under NIS2?

Companies considered “essential” or “important” in critical sectors.

Examples include:

  • Energy, transport, health, water, digital infrastructure, and public administration.
  • Financial services (although DORA will act as a more specific rule here).
  • Food production and distribution (e.g., major local logistics and supply chains), chemicals, postal and courier services, waste management and manufacturing.

If your company is a medium or large enterprise (over 50 employees OR €10 million turnover) operating in these sectors, NIS2 likely applies to you.

Key Obligations under NIS2

  • Put in place risk management measures covering IT, supply chain, data, and resilience.
  • Report significant cybersecurity incidents within 24 hours (early warning) and 72 hours (incident notification) and provide follow-up reports.
  • Ensure board-level accountability; management is directly responsible for compliance.
  • Face possible fines up to €10 million or 2% of annual global turnover for non-compliance.

In Cyprus, compliance is overseen by the Digital Security Authority (DSA).

DORA in Simple Terms

  • DORA (Digital Operational Resilience Act): A Regulation that applies specifically to the financial sector and critical ICT providers. It became fully effective in January 2025.
  • Its goal is to make sure banks, investment firms, insurance companies, payment institutions, crypto providers, and others can resist, respond to, and recover from ICT-related disruptions and cyberattacks.

Who is Affected in Cyprus under DORA?

  • Banks, investment firms, payment and e-money institutions, insurers, funds, crypto-asset providers.
  • Critical ICT service providers working with these entities, such as cloud, data centre, and software providers.

Key Obligations under DORA

  • Strong ICT risk management frameworks.
  • Regular resilience testing of critical systems.
  • Mandatory incident reporting to financial supervisors.
  • Oversight of critical ICT third-party providers.

Why This Matters for Cyprus Companies

For the first time, many businesses in Cyprus, including food producers, logistics providers, and financial firms, must comply with detailed EU cybersecurity laws.

These rules are not only about avoiding fines; they are also about:

  • Protecting your company against downtime and data breaches.
  • Building trust with clients, partners, and regulators.
  • Ensuring continuity of operations even during cyberattacks or ICT disruptions.

Next Steps for Companies

If your business falls under NIS2 or DORA, the following actions should be prioritised:

  • Identify if you are in scope by reviewing your sector, size, and role as an ICT provider or critical service operator.
  • Appoint internal responsibility for cybersecurity at the management level.
  • Develop or update a risk management framework, covering ICT systems, supply chain, and incident response.
  • Prepare reporting processes to ensure incidents can be notified within the required timeframes.
  • Review your third-party providers, including cloud, data centre, and software suppliers, for compliance readiness.
  • Invest in business continuity and disaster recovery measures such as backups and recovery sites.
  • Train staff regularly on cybersecurity awareness and incident handling.

How CL8 Can Help

As the first and only independent Tier III-certified data centre in Cyprus, CL8 provides secure, compliant, and high-availability infrastructure that supports companies in meeting their NIS2 and DORA obligations. CL8 helps simplify compliance by offering solutions that directly address key requirements such as risk management, resilience testing, and third-party oversight obligations mandated by these new regulations.

Key services include:

Clear Next Step

NIS2 and DORA are not optional; they are the new legal baseline for digital risk management in Cyprus. Now is the critical time to assess your readiness. Whether you are a financial institution, a logistics provider, or a manufacturer, CL8 offers the secure, high-availability, and locally certified infrastructure to ensure your compliance, strengthen your resilience, and protect your operations. Contact CL8 today to find out how we can support your efforts to meet NIS2/DORA compliance requirements.
