CYPRUS Law and Practice Contributed by: Angelina Fitoz, Svetlana Remezova, Darya Averyanova and Sude Dogan, Lawitt Buro
work. Premiums remain tax-deductible within statutory limits.

Non-Life Insurance
Property and casualty lines (eg, motor and liability) are supervised with emphasis on claims management, technical provisions and reinsurance. Certain lines are compulsory. Premiums are generally not tax-deductible for individuals but are deductible for businesses.

Conduct Rules
While prudential regimes differ, conduct standards are harmonised: non-life products require an Insurance Product Information Document, and life-based investment products require a Key Information Document.

9. Regtech

9.1 Regulation of Regtech Providers
Regtech providers in Cyprus are not licensed simply for supplying compliance technology, but their exposure depends on what they do and how critical their services are.

Indirect Regulation
Most are regulated indirectly through their clients. Financial institutions remain fully responsible for outsourced compliance under sectoral rules and DORA, so regtech providers must meet GDPR, AML/sanctions and record-keeping standards. Contracts must allow regulatory access to systems and data.

Direct Oversight Under DORA
If designated a “critical” ICT third-party provider, a regtech firm may fall under direct EU-level supervision, including inspections and resilience reviews. Most providers are not designated but must still meet ICT risk standards via client obligations.

Activity-Based Licensing
Authorisation may be required if services cross into regulated activity (eg, initiating payments or providing personalised investment advice).

AI Scrutiny (2026)
Where “agentic” AI tools triage alerts, regulators require meaningful human validation of high-risk decisions, particularly in sanctions and AML contexts.

9.2 Contractual Terms to Ensure Performance and Accuracy
In Cyprus, contracts between financial institutions and technology providers are now largely driven by regulation, not just commercial practice.

Mandatory Terms (DORA)
Under the Digital Operational Resilience Act, ICT contracts must include clear service levels, data security obligations, incident reporting, and audit/access rights for the firm and supervisors. These are mandatory.

Critical Functions
Where services are critical, contracts must also address exit plans, limits on sub-outsourcing, and business continuity to reduce dependency risk.

Market Practice
Common additional clauses include service credits, step-in rights and source code escrow. Liability caps are negotiated but increasingly reflect potential regulatory exposure, especially for data breaches.

Force Majeure
Cyber-attacks are generally not accepted as excuses for non-performance; providers are expected to meet DORA resilience standards.

10. Blockchain

10.1 Use of Blockchain in the Financial Services Industry
Traditional banks and insurers in Cyprus have moved from pilots to selective, business-case adoption of Distributed Ledger Technology (DLT), mostly where it reduces friction (settlement, reconciliation, data integrity) or enables tokenised issuance. They are also preparing for digital euro interoperability. Areas of implementation are as follows.
182 CHAMBERS.COM