Fintech 2026

CYPRUS Trends and Developments Contributed by: Angelina Fitoz, Svetlana Remezova, Darya Averyanova and Sude Dogan, Lawitt Buro

Institutional-grade service standards

The transition to MiCA has fundamentally changed the barriers to entry in Cyprus. Authorisation now requires higher capital buffers and robust prudential oversight, reflecting CySEC’s desire to attract serious operators capable of managing complex cross-border risks. Firms are now subject to the same level of prudential supervision as traditional investment firms, including mandatory “own funds” requirements and strict rules on the “right of withdrawal” for retail clients. These changes are truly segmenting the market, improving the quality of the participants in it. In this case, “raising the barrier point” is about a change in quality, about respect for each participant in the market economy.

The resilience imperative: DORA enforcement

The era of treating cybersecurity as a “back-office” concern has officially ended. As of 17 January 2025, the Digital Operational Resilience Act (DORA) became fully applicable across the EU, and 2026 marks the shift from implementation to active enforcement. Fintechs are no longer judged merely on their financial soundness but on their ability to maintain resilient operations through severe ICT disruptions. Key pillars of the 2026 compliance landscape in Cyprus include the following.

• Incident classification and reporting – Firms must report “major” ICT-related incidents within strictly defined timelines, often including an initial notification within four hours of classification.
• ICT third-party risk management – DORA prescribes specific clauses that must be included in contracts with ICT service providers, covering service level agreements (SLAs), data locations and termination rights.
• Operational resilience testing – All but the smallest financial entities must develop testing programmes, including advanced Threat-Led Penetration Testing (TLPT) for larger institutions, to validate their cyber defences.

This creates a double burden on the entity’s compliance structure, which ultimately has a positive effect on the growth of professional market participants and the protection of the end customer.

AI Regulation and the rise of “agentic AI”

The EU AI Act has introduced a risk-based classification for fintech tools that takes full effect for high-risk systems in 2026. AI systems used for credit scoring, insurance underwriting and fraud detection are frequently classified as “high-risk”, requiring stringent data governance, auditability and human oversight.

“Human control” deserves special attention in this case. Within the framework of rule-making, there is a requirement for constant human attention and a separate mechanical check in the field of fintech. This is due to the fact that such a high-risk object can only be accounted for after a human assessment.

Agentic AI in payments

A notable trend in 2026 is the rise of Agentic AI: autonomous systems capable of completing end-to-end workflows such as reconciling transactions or pre-screening loan applications without human intervention. While highly efficient, these systems must now demonstrate “explainability”. CySEC has indicated that it will not accept “black box” algorithms; firms must be able to demonstrate exactly why an AI-driven system approved or rejected a specific action. This means that each company first creates internal local acts that are adopted in full compliance with the required legislation, and then it trains the AI system on them.

Digital identity and the EUDI Wallet

By 2026, the roll-out of a national eID system in Cyprus is transforming onboarding processes. This framework enables secure digital authentication and electronic signatures, effectively transforming onboarding processes for fintechs. European regulations are linking identity and wallets, especially through the EU Digital Identity Wallet (EUDI Wallet), which reduces the reliance on manual document collection and simplifies Know Your Customer (KYC) procedures.

For the first time, the simplification of the KYC system does not depend on the loss of verification quality. That is, at this stage, digital technologies have made KYC verification easier for the end customer, but the
