Fintech 2026

CYPRUS Law and Practice Contributed by: Angelina Fitoz, Svetlana Remezova, Darya Averyanova and Sude Dogan, Lawitt Buro

2.6 Jurisdiction of Regulators

Cyprus follows a functional model: regulation depends on the service or asset, not the technology. Supervision is divided mainly between CySEC and the Central Bank of Cyprus (CBC).

Jurisdiction of CySEC (Securities and Crypto-Assets)

CySEC supervises investment services involving financial instruments and most crypto-asset activities under MiFID II and MiCA. It also regulates crowdfunding platforms.

Jurisdiction of the CBC (Payments and E-Money)

The CBC supervises payment institutions and electronic money institutions under the PSD2 and e-money framework. Electronic money tokens are treated as e-money and fall under CBC supervision.

Overlap and Other Authorities

Where firms combine services, licensing structures allocate responsibilities. Data protection is supervised by the Commissioner for Personal Data Protection, and from 2026 the Tax Department has expanded reporting powers under the EU’s Eighth Directive on Administrative Cooperation (DAC8).

2.7 No-Action Letters

Status of Formal No-Action Letters

Cyprus does not issue formal “no-action letters” granting immunity from enforcement. Regulators do not provide binding assurances in advance.

Practical Equivalents

Firms instead seek clarity through:

• informal guidance via the CySEC and CBC Innovation Hubs;
• legal opinions on regulatory classification;
• feedback within the regulatory sandbox; and
• pre-authorisation discussions with the regulator.

These mechanisms are not binding but provide practical direction.

2.8 Outsourcing of Regulated Functions

Permissibility and Scope

Regulated firms (Cyprus Investment Firms (CIFs), Electronic Money Institutions (EMIs), Payment Institutions (PIs) and Crypto-Asset Service Providers (CASPs)) may outsource functions provided this does not create a “letterbox entity” or impair supervisory access. Critical functions (eg, portfolio management, safeguarding or core ICT) are subject to stricter governance and, in some cases, prior notification.

Vendor Requirements

The regulated firm remains fully responsible. Vendors must have adequate capacity, grant audit and regulatory access rights, and comply with DORA requirements where ICT services are involved.

Mandatory Contractual Requirements

Outsourcing must be governed by a written agreement compliant with the EBA Guidelines and Article 30 of DORA, including:

• clear scope;
• exit rights;
• data protection safeguards;
• sub-outsourcing controls; and
• data location transparency.

Vendor Status and Reporting

Vendors need not be regulated, but unregulated providers require enhanced due diligence. Firms must maintain and submit registers of ICT outsourcing arrangements to support supervisory oversight.

2.9 Gatekeeper Liability

Legal Definition of Fintechs as “Gatekeepers”

Fintech firms in Cyprus (including CIFs, EMIs, PIs and CASPs) are classified as “obliged entities” under the Prevention and Suppression of Money Laundering and Terrorist Financing Law. They have a positive duty to prevent misuse of the financial system.

Core Responsibilities

Gatekeeping duties include:

• compliance with the Travel Rule under Regulation (EU) 2023/1113, requiring verified originator and beneficiary data for crypto transfers;
