CYPRUS Law and Practice Contributed by: Ioanna Solomou, Stephanos Ayiomamitis, Andria Kouloumi and Lefteris Eleftheriou, Michael Kyprianou & Co LLC
8. Artificial Intelligence 8.1 Board Oversight of AI
national level, Cyprus has adopted a National Artificial Intelligence Strategy (2020), and ongoing efforts are focused on aligning governance practices with evolv - ing EU standards and international best practices. AI governance developments in Cyprus are expected to revolve around the implementation phase of the AI Act, including the designation of competent super - visory authorities, the development of secondary guidance and technical standards, and the potential establishment of regulatory sandboxes to support innovation while ensuring compliance. From a governance perspective, responsibility for AI strategy, risk management and assurance in Cyprus typically follows existing corporate governance lines. The board of directors retains ultimate responsibility for oversight of AI-related risks as part of its broader fiduciary and risk governance duties. The legal, com - pliance and risk management functions of a company will be expected to play a key role in implementing policies and ensuring adherence to legal require - ments, while technology or IT functions will be respon - sible for the operational deployment and monitoring of AI systems. 8.3 Liability Exposures Arising From AI Use From a liability perspective, boards and officers in Cyprus may face exposure arising from AI use under several existing legal regimes rather than AI-specific laws. These include potential liability for failures in oversight or disclosure, breaches of data protec - tion laws (notably under the General Data Protec - tion Regulation), unfair or misleading practices, and risks associated with defective or unsafe AI systems. Additional exposure may arise in relation to intellectual property infringements, cybersecurity incidents and reputational harm. Enforcement may be undertaken by multiple authori - ties depending on the nature of the breach, includ - ing the Office of the Commissioner for Personal Data Protection, CySEC, the Central Bank and consumer protection authorities, as well as through civil claims by affected individuals or counterparties. In this con - text, boards are expected to exercise active over - sight, ensure adequate risk assessment and internal controls, and maintain transparency in relation to AI
The Companies Law does not provide for any specific safeguards and/or requirements in relation to board oversight of AI. However, despite the fact that the use of AI in companies’ affairs is not directly regulated by any national legislation, the EU AI Act (EU Regula - tion 2024/1689) applies directly in Cyprus. In addition, other relevant legislation which may act as indirect safeguards in relation to the board’s oversight over AI consists of the General Data Protection Regulation (EU Regulation 2016/679) which is complemented by the Cyprus Data Protection Law (Law 125 (I)2018). In the absence of AI-specific legal provisions that expressly regulate board oversight of AI, directors remain subject to their general duties under the Com - panies Law, including duties of care, skill and fiduci - ary responsibility, which require them to adequately understand and oversee material risks affecting the company, including those arising from the use of AI. Boards are expected to ensure that appropriate policies, procedures and controls are in place, often through risk, audit or compliance committees, even though no specific board composition or dedicated At the time of writing, there is no comprehensive AI governance framework at national level in Cyprus. However, AI-related risks – including reputational risks – can be addressed through a combination of EU leg - islation and existing corporate governance and risk management structures. The most significant devel - opment is the Artificial Intelligence Act, which entered into force in 2024 and will apply on a phased basis, introducing a risk-based framework that requires organisations to identify, assess and mitigate risks associated with AI systems, particularly those clas - sified as “high-risk”. AI committee is mandated. 8.2 AI Use-Related Risks In parallel, existing frameworks such as the General Data Protection Regulation, cybersecurity require - ments, and general corporate governance obligations can play a central role in managing AI-related risks, including issues relating to data protection, transpar - ency, accountability and reputational exposure. At a
213 CHAMBERS.COM
Powered by FlippingBook