Corporate Governance 2026 Comparisons

LTD and PLC

The most common form that companies may take in Cyprus is that of a private limited liability company (LTD) or public limited liability company (PLC). The key characteristics and differences between an LTD and a PLC are as outlined below.

LTD

The LTD is the most common type of entity and enjoys the benefits of all relevant legal and fiscal regulations, as applicable. For example, it does not have any minimum or maximum share capital requirements. An LTD is best for small to medium-sized businesses, start-ups and subsidiaries. It is considered a separate legal entity, and the shareholders have limited liability.

• An LTD requires at least one director and one shareholder (can be the same person).
• Minimum share capital: there are no minimum requirements.
• LTD companies also enjoy a 15% corporate tax rate.
• Can be 100% foreign owned: there are no requirements for shareholders being Cyprus nationals. However, there is a limit of a maximum of 50 shareholders.
• Must file annual financial statements and audited accounts within 18 months as of the company’s incorporation and thereafter every year, but in no case exceeding 15 months as of the previous submission.

PLC

PLCs are more suitable for large enterprises and companies seeking to raise capital through public offerings.

• A PLC requires at least two directors and seven shareholders.
• There is a minimum share capital of EUR25,629.
• Its shares can be listed on a stock exchange (eg, Cyprus Stock Exchange).
• It is subject to stricter reporting and transparency requirements.

The principal sources of corporate governance requirements for companies in Cyprus are as follows.

• Companies Law CAP 113, which serves as the primary legislation governing the incorporation, management, duties of directors, shareholder rights, and general operation of companies in Cyprus.
• Common law principles: Cyprus company law is heavily influenced by English common law, particularly in relation to directors’ fiduciary duties, duties of care, and equitable principles.
• Cyprus Corporate Governance Code: this Code applies primarily to listed companies and sets out best practice principles on board structure, accountability, remuneration and internal controls.

For public companies listed on the Cyprus Stock Exchange (CSE), corporate governance requirements are significantly more extensive than for private companies. In addition to the Companies Law Cap 113, the Cyprus Corporate Governance Code – overseen by the Cyprus Securities and Exchange Commission (CySEC) – introduces soft-law principles focused on transparency, board composition and shareholder protection. 

Listed companies are expected to maintain a balanced board with independent non-executive directors, establish key committees such as audit, remuneration and nomination committees, and implement robust internal control and risk management systems. They are also subject to enhanced disclosure obligations, including periodic financial reporting and the publication of price-sensitive information. In parallel, EU legislation – particularly the Shareholder Rights Directive II (SRD II) and the Accounting and Transparency Directives – further strengthens governance standards by reinforcing shareholder engagement, accountability and disclosure requirements.

The most notable changes to listing requirements in Cyprus affecting corporate governance is the 2024 update of the Cyprus Corporate Governance Code and the continued alignment with EU regulatory frameworks. These changes have reinforced expectations around board structure, with greater emphasis on independence, diversity and the effective functioning of boards, including a stronger role for independent non-executive directors. At the same time, disclosure and transparency obligations have become more stringent, requiring listed companies to enhance corporate governance reporting, ensure timely financial disclosures, and maintain robust internal control systems. Overall, the direction in Cyprus reflects a gradual move towards stricter governance standards and closer alignment with broader European practices.

In Cyprus, under the Companies Law, the board of directors is vested with the primary responsibility for the management of the company’s business and everyday affairs. In performing their role, directors are required to act in good faith and in the best interests of the company as a whole, rather than in the interests of individual shareholders, management or themselves.

Their core legal obligations include a duty of care, skill and diligence, meaning they must act with the level of care reasonably expected given their position, knowledge and experience. They are also subject to fiduciary duties, requiring them to act honestly and loyally, avoid conflicts of interest, and refrain from deriving personal benefit from company transactions. In addition, directors must act within the scope of their authority, ensuring that they do not exceed the powers granted to them under the company’s memorandum and articles of association.

In addition to directors, the shareholders – especially in private companies – have an important role in corporate governance. Although the day-to-day management of the company is entrusted to the directors, shareholders retain strategic oversight through their voting rights and statutory powers.

Key rights afforded to shareholders under the Companies Law Cap 113 and typically reflected in a company’s articles of association include:

• the right to vote on resolutions at general meetings (such as the appointment or removal of directors and changes to the capital structure);
• the right – subject to certain conditions – to access company records and financial information; and
• pre-emption rights, which allow existing shareholders to be offered new shares first in proportion to their current holdings.

Under Cyprus law, certain key decisions are reserved for shareholders and cannot be taken solely by the board of directors. Under the Companies Law Cap 113 and subject to the company’s articles of association, these “reserved matters” typically require approval by an ordinary or special resolution of shareholders. Such matters commonly include:

• amendments to the memorandum and articles of association;
• approval of dividends;
• appointment and removal of directors;
• approval of annual financial statements;
• changes to share capital (such as issuances or reductions); and
• mergers, restructurings and voluntary winding-up of the company.

In addition, reserved matters may be contractually agreed in shareholders’ agreements, giving shareholders enhanced control over strategic decisions and safeguarding minority interests.

Board of Directors

The board makes decisions collectively, typically at duly convened board meetings in accordance with the company’s articles of association and after giving sufficient notice for a board of directors’ meeting to be convened. Decisions are usually taken by a simple majority of directors present, provided that quorum requirements are met. In practice, resolutions may also be passed in writing (circular resolutions), if permitted by the articles. Directors must exercise independent judgement and comply with their duties when participating in decision-making.

Shareholders

Shareholders make decisions through general meetings (annual or extraordinary), where resolutions are passed by voting. The type of resolution required depends on the matter: ordinary resolutions (simple majority) are used for routine decisions such as appointing directors, while special resolutions (typically at least 75% majority) are required for more significant matters, such as amending the company’s articles or approving major structural changes. Shareholder decisions may also be taken through written resolutions, if allowed by the articles, particularly in private companies.

As so provided by law, every Cyprus registered company must have:

• at least one director in the case of a private company; or
• at least two directors for a public company.

All directors and the company secretary must be at least 18 years old.

It is important to note that a single director in a private company cannot also serve as company secretary, except in the case of a single-member private company, where one person may hold both roles. The company secretary is appointed by the board of directors, which also sets the terms of appointment, including duration and remuneration.

The law in Cyprus does not provide for specific roles between the different members of the board of directors, nor there is a single uniform standard governing the conduct of a company’s directors. This matter can therefore be regulated under the articles of association, which occasionally set responsibilities and the degree of each director’s involvement with the company’s affairs.

The directors owe fiduciary duties to the company both collectively, as members of the board, and individually in their capacity as directors.

The composition of the board of directors in terms of number is set by law, so that every Cyprus company must have at least one director in the case of a private company or at least two directors for a public company.

The board should act collectively in exercising its powers. The law does not provide for a specific supervisory board. However, the board at its own discretion may form committees, and specific responsibilities can also be vested with specific directors either by board resolution or through a power of attorney granted by the company.

It is recommended that the board includes both executive and non-executive directors (taking into account the size of the company and its operational needs) so that there is sufficient independence and oversight over the board’s operations. 

Directors are appointed by an ordinary resolution of the members or by a resolution of the board. 

The members of a company may proceed with an ordinary resolution for the removal of a director from their office at any time. The members can proceed with the stated removal regardless of any provision in the articles of association of the company or any agreement between the director and the company. The removal of a director before expiry of their directorship period requires a special notice of 28 days.

It is important to note that the law does not restrict the right of the director who is removed from their position to receive compensation or damages in respect of the termination of their appointment as a director.

In Cyprus, directors’ independence and conflicts of interest are primarily governed by the Cyprus Companies Law, supplemented (for listed companies) by the Cyprus Corporate Governance Code. Directors owe fiduciary duties to act in good faith and in the best interests of the company, and must exercise independent judgement – free from external influence or personal bias. Where a director has a direct or indirect interest in a transaction, they are required to disclose the nature and extent of that interest to the board, and typically must abstain from voting on the relevant matter (subject to the company’s articles). Public companies are also expected to have a sufficient number of independent non-executive directors, with independence assessed based on criteria such as absence of material business relationships or close ties with management.

Directors are subject to a range of statutory duties imposed not only by the Companies Law but also by other applicable legislation, including laws relating to income tax, VAT, customs and excise, health and safety, and environmental protection. Under the Companies Law, directors have specific statutory obligations towards the company, its shareholders and the public. These include duties relating to:

• the maintenance of the register of directors and secretary;
• the register of directors’ interests; and
• the disclosure of payments for loss of office made in connection with the transfer of shares in the company.

Directors are also required to disclose interests in contracts, comply with restrictions on loans to directors, and adhere to provisions governing prospectus offers and pre-emption rights in relation to the transfer of shares. Further obligations arise in relation to fraudulent trading, the preparation and filing of profit and loss accounts and balance sheets, and the prohibition of falsification of books or destruction of company documents.

Additional duties apply in the context of winding-up, including those arising before or during liquidation proceedings. Directors must also ensure compliance with requirements relating to directors’ reports and annual returns, as well as the preparation and availability of financial statements for review and investigation.

Directors owe their duties to the company and its members. Directors must:

• act honestly and at all times in the best interests of the company;
• not make secret profits;
• not exceed or abuse their powers; and
• use skill and care when exercising all duties.

The duties of directors fall under two main categories:

• duties of care and skill; and
• duties of loyalty and good faith

Duties of Care and Skill

The law typically defines these duties based on the following principles:

• standard of care – directors are expected to exercise reasonable care that an ordinary person would take on their own behalf;
• standard of skill – directors are not required to demonstrate greater skill than can be reasonably expected based on their knowledge and experience; and
• attention to business – directors are not required to be continuously involved in the company’s affairs but must attend meetings when reasonably possible.

Duties of Loyalty and Good Faith

Company directors owe fiduciary duties, which require them to act in the best interests of the company. These fiduciary obligations include the following.

• Acting in good faith: directors must act in what they genuinely believe to be in the company’s best interests.
• Use of power for proper purposes: directors must use their powers for the reasons they were given.
• Avoidance of conflicts of interest: directors must avoid placing themselves in situations where their interests conflict with those of the company. For instance, if a director profits from using the company’s resources or opportunities, they may be liable to the company.

As a separate legal personality, a company in Cyprus can sue and take legal action against individuals or other legal entities, including its directors if they are found in breach of their duties.

Breach of any of the statutory duties under the Companies Law can result in a criminal offence, with penalties ranging from the payment of a fine to imprisonment. In addition, the directors are liable to personally compensate the company in respect of any loss that was a result of the breach of their duties.

A company cannot grant directors a blanket exemption in advance from liability to the company. Any clause in a contract or in the company’s articles of association that seeks to release a director from liability, or to indemnify them for breaches of their duty of care and skill, is considered void.

Beyond specific statutory breaches, directors in Cyprus may face claims and enforcement actions on several additional bases arising from corporate governance failures. Most notably, liability may arise from breaches of fiduciary duties – such as the duty to act in good faith, avoid conflicts of interest, and exercise powers for proper purposes – as well as the duty of care, skill and diligence under common law principles. Directors may also be exposed to claims for negligence or breach of trust, particularly in insolvency scenarios. Shareholders may bring derivative actions on behalf of the company in cases of wrongdoing, while creditors may have standing in circumstances where the company is insolvent or nearing insolvency. Criminal liability may also arise in cases involving fraud, false statements or other statutory offences.

Regarding limitation of liability, Cyprus law does not permit a company to exempt a director from liability for negligence, default, breach of duty or breach of trust in relation to the company. Any such provision in the company’s constitutional documents would generally be void. However, companies may, subject to certain conditions, indemnify directors against liabilities incurred in the proper performance of their duties, except in cases involving fraud, wilful default or bad faith. Additionally, courts in Cyprus have discretion to grant relief to directors who have acted honestly and reasonably and who, having regard to all the circumstances, ought fairly to be excused. Overall, while liability cannot be fully excluded, it may be mitigated through indemnities, insurance and judicial relief mechanisms.

For private companies registered in Cyprus, there is generally no statutory requirement for shareholder approval of directors’ remuneration unless the company’s articles of association provide otherwise. Remuneration is typically determined by the board. In contrast, for public listed companies, remuneration policies and, in certain cases, individual remuneration arrangements are subject to enhanced governance requirements under EU shareholder rights rules as transposed into Cyprus law and the Cyprus Stock Exchange Governance Code (hereinafter the “Code”). Directors’ remuneration for public listed companies’ directors’ remuneration shall follow the following principle:

“Companies should establish a formal and transparent procedure for developing a policy on executive director’s remuneration and for fixing the remuneration packages of individual directors. No director should be involved in deciding his/her remuneration.” 

This generally requires shareholder approval of the remuneration policy and a binding or advisory vote on remuneration reports, depending on the structure adopted by the company. Additionally, there are extensive disclosure obligations for public listed companies, including detailed reporting of directors’ remuneration in annual reports and remuneration reports, which must be made publicly available to shareholders and filed with the relevant authorities.

Failure to comply with the above requirements may result in a range of consequences, including civil liability for breach of fiduciary duty, restitution of improperly paid remuneration, shareholder claims and, in certain cases, regulatory sanctions for directors of regulated entities.

In Cyprus, the relationship between a company and its shareholders is primarily contractual in nature, arising from the Companies Law and the company’s memorandum and articles of association, which bind the company and its members as if each had signed them. Shareholders are the owners of the company but do not manage its day-to-day affairs. The shareholders exercise their rights through general meetings, voting, and the appointment or removal of directors. Their rights typically include receiving dividends (if declared), attending and voting at meetings, and sharing in surplus assets on a winding-up.

This relationship is governed by statute, the company’s constitutional documents and, where applicable, shareholders’ agreements, as well as general principles of company law such as minority protection (eg, remedies for unfair prejudice) and directors’ fiduciary duties owed to the company.

As for transparency, Cyprus companies are required to maintain a register of members (shareholders). Basic shareholder information is filed with the Registrar of Companies and is publicly accessible (subject to payment of a fee), meaning that the names of registered shareholders can generally be obtained from official records. However, additional beneficial ownership information may also be recorded in the separate ultimate beneficial ownership (UBO) register in accordance with anti-money laundering (AML) regulations.

Shareholders do not typically participate in the day-to-day management of the business, since the management of the company is generally vested in the board of directors in accordance with the Companies Law. Their role is mainly limited to exercising control through general meetings, such as appointing and removing directors, approving certain reserved matters, and voting on key corporate decisions (eg, amendments to the articles or major transactions).

As a general rule, shareholders cannot directly instruct or bind the board in the exercise of its management powers, unless the articles of association expressly provide otherwise. However, shareholders may influence management indirectly by passing resolutions (particularly where specific matters are reserved for shareholder approval) or by changing the composition of the board. In closely held companies, shareholders’ agreements may also regulate decision-making and effectively require directors to act in a certain way, although directors must still comply with their fiduciary duties to act in the best interests of the company.

Shareholder meetings are required under the Companies Law. Every company must hold an annual general meeting (AGM) each year (with the first AGM held within 18 months of incorporation and thereafter no more than 15 months apart), unless it is a single-member private company, which may dispense with AGMs by written resolution. In addition to AGMs, extraordinary general meetings (EGMs) may be convened when needed by the board or, in certain cases, by shareholders holding a prescribed percentage of voting rights.

The conduct of meetings is governed by statutory provisions and the company’s articles of association. Key rules include that:

• proper notice must be given (typically at least 21 days for AGMs, unless shorter notice is agreed), specifying the agenda;
• a quorum must be present for the meeting to proceed; and
• a chairperson presides over the meeting.

Shareholders may attend in person or by proxy, and resolutions are passed either by a show of hands or by poll, depending on the circumstances. Minutes must be kept as an official record by the secretary. Decisions are generally made by ordinary resolution (simple majority) or special resolution (usually 75% majority) depending on the matter.

There are several bases of claim against the company or its directors under the Companies Law and general principles of equity and common law, by which shareholders can enforce their rights and interests.

First, shareholders may bring a derivative action on behalf of the company against directors for breaches of fiduciary duties (such as acting in bad faith, for improper purposes, or in conflict of interest), where the company itself fails to act. Second, shareholders – particularly minorities – may seek relief for unfair prejudice or oppression, where the company’s affairs are conducted in a manner that is unfairly detrimental to their interests (often leading to remedies such as buyouts or regulation of the company’s affairs).

Additionally, shareholders may have personal claims where their individual rights are infringed – for example, breach of the articles of association (which form a statutory contract), denial of voting rights, or failure to pay declared dividends. Claims may also arise in cases of misrepresentation (eg, in relation to share subscriptions) or where directors have breached duties causing loss to shareholders directly, although such claims are more limited compared to derivative actions.

There are certain disclosure obligations for shareholders in publicly traded companies in Cyprus, which primarily derive from the Companies Law as it has implemented EU legislation transparency frameworks. Under the transparency framework (as transposed into Cyprus law), shareholders may be required to notify the issuer and the regulator when their voting rights reach, exceed or fall below certain thresholds (typically 5%, 10%, 15%, 20%, 25%, 30%, 50% and 75%). These notifications must be made promptly and include details of the shareholder’s holdings and voting rights. The regime applies not only to direct shareholdings but also to indirect holdings and certain financial instruments that confer economic exposure or voting rights. Oversight and enforcement of these obligations are carried out by the Cyprus Securities and Exchange Commission.

In addition, disclosure obligations relating to UBO exist in Cyprus under AML legislation, which requires companies to maintain and submit information on their beneficial owners to a central register. However, for publicly listed companies admitted to trading on a regulated market, there is generally an exemption from identifying beneficial owners in the same way as private companies. As a result, while UBO disclosure obligations exist in principle, they are typically disapplied or limited for listed companies, with transparency instead achieved through the major shareholding notification regime and ongoing market disclosures.

When it comes to financial reporting, companies in Cyprus are required by law to file audited financial statements. The financial statements must be in line with the International Financial Reporting Standards (IFRS) and provide a clear and accurate representation of the company’s financial position. They are usually prepared by the companies’ auditors, as appointed by the board of directors. Failure to file the audited financial statements can result in penalties and administrative fines.

‍

In addition to the annual financial statements, all companies in Cyprus are required to submit annual tax returns. In most cases this is done electronically through the Tax Department’s online portal.

Late submission of tax returns may result in penalties or interest charges. To avoid unnecessary fines, ensure that tax compliance obligations are planned well in advance and supported by proper record-keeping.

‍

Where a company is also registered for value-added tax (VAT), it is required to file quarterly VAT returns.

In Cyprus, there is no general, standalone obligation applicable to all companies to disclose their corporate governance arrangements in annual reports or other public filings. Such disclosure requirements arise only in specific contexts, primarily for publicly listed companies or entities subject to sector-specific regulation.

Outside these cases, private companies are not subject to mandatory corporate governance disclosure requirements, beyond general obligations relating to financial reporting and statutory filings with the Registrar of Companies. As such, any disclosure of governance arrangements by non-listed entities is generally voluntary or driven by internal policy or best practice considerations, rather than a strict legal requirement.

In Cyprus, companies are incorporated and registered with the Department of Registrar of Companies and Intellectual Property, which operates under the Ministry of Energy, Commerce and Industry. This authority is responsible for maintaining the official register of companies and overseeing corporate filings and compliance with the Companies Law Cap 113.

Cyprus companies are subject to a number of ongoing filing obligations. These include, most notably:

• the annual return (HE32), which must be filed together with financial statements;
• updates relating to changes in directors, secretary or registered office;
• allotments and transfers of shares;
• charges and mortgages; and
• where applicable, special resolutions and amendments to the company’s constitutional documents.

Most of these filings are publicly available through the Registrar’s records and can be accessed upon payment of a nominal fee, forming part of the public register and ensuring corporate transparency.

Failure to comply with filing obligations may result in financial penalties and late filing fees, and in more serious or persistent cases the company and its officers may be subject to criminal liability.

The Registrar has supervisory and administrative powers, including the authority to:

• impose penalties;
• maintain and update the register;
• refuse or reject filings that do not comply with statutory requirements; and
• initiate strike-off procedures for companies that fail to meet their obligations.

While the Registrar does not function as a prudential regulator, it plays a key role in ensuring compliance with corporate formalities and maintaining the integrity and transparency of the corporate registry system in Cyprus.

In Cyprus, AML obligations for companies are primarily governed by the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (as amended) (the “AML Law”), which transposes relevant EU AML directives. Importantly, these obligations do not apply to all companies, but only to entities classified as “obliged entities” under Article 2A of the AML Law. These include, inter alia, credit and financial institutions, auditors, external accountants and tax advisers, independent legal professionals (in specific circumstances), corporate service providers, real estate agents, gambling service providers, and certain other professionals engaged in financial or transactional activities.

Obliged entities are required to implement comprehensive AML frameworks, including customer due diligence (CDD), ongoing monitoring of transactions, record-keeping, and the reporting of suspicious transactions to the Unit for Combating Money Laundering, known as MOKAS. Companies that fall within the scope of the Law must also establish and maintain internal policies and procedures that are proportionate to their risk profile, conduct regular risk assessments, and ensure appropriate staff training. Depending on the sector, additional regulatory requirements may be imposed by competent supervisory authorities such as the Cyprus Securities and Exchange Commission and the Central Bank of Cyprus.

From a governance perspective, where a company qualifies as an obliged entity, the board of directors bears ultimate responsibility for ensuring the existence and effectiveness of the AML compliance framework. This includes approving AML policies, appointing a compliance officer and, where required, a money laundering compliance officer (MLCO), and ensuring adequate reporting lines and escalation mechanisms. Boards are expected to receive regular updates on AML risks, suspicious activity reporting, and the effectiveness of internal controls, often through audit or risk committees. While day-to-day implementation is delegated to management, ultimate accountability remains with the board.

Directors of obliged entities may face significant personal liability in cases of AML non-compliance. Under the applicable AML Law, directors and officers can incur criminal liability where offences are committed with their consent, connivance, or due to their neglect. Enforcement authorities, including MOKAS, and the relevant sectoral regulators, have broad investigatory and enforcement powers, including the imposition of administrative fines and other sanctions. As a result, directors are expected to exercise active and demonstrable oversight over AML systems, rather than relying solely on delegation.

The Companies Law requires that all companies registered in Cyprus have their financial statements audited annually by a licensed auditor. The law does not provide for any exceptions to this requirement, and it applies to all companies registered in Cyprus irrespective of size.

The auditors are appointed by the board of directors during the company’s first minutes upon incorporation, and can then be renewed or changed at each AGM thereafter.

The relationship of the company with its auditors is mainly contractual. This means that the responsibility under the law for a company to have a complete set of financial statements prepared and audited in accordance with the IFRS and the provisions of the law remains with the company and the directors.

In Cyprus, there is no specific legal requirement that explicitly defines or regulates “geopolitical risk” as a standalone category; however, such risks are indirectly addressed within broader regulatory and corporate governance frameworks, particularly for entities supervised by the Cyprus Securities and Exchange Commission and the Central Bank of Cyprus.

In practice, geopolitical risk is treated as a part of wider risk categories, including economic, operational and compliance risk, and can be managed through enterprise risk management systems, internal controls and business continuity frameworks. The board of directors retains ultimate responsibility for overseeing these risks under the direction of the shareholders where any such risks may affect any matter that is reserved to the shareholders. Such risks are typically supported by risk, compliance and internal audit functions and, where established, dedicated board committees.

At the same time, compliance with international sanctions constitutes a key regulatory expectation in Cyprus, particularly in light of the country’s obligations as a member state of the EU, whose sanctions regimes are directly applicable. Regulated entities are expected to implement robust sanctions compliance frameworks, including effective screening mechanisms, internal controls and escalation procedures. Board-level oversight is essential in this context, with directors responsible for approving and periodically reviewing sanctions policies, ensuring that appropriate due diligence and monitoring systems are in place, and receiving regular reporting on compliance. Overall, while geopolitical risk is not expressly regulated, it is embedded within existing governance structures, whereas sanctions compliance is subject to clear expectations and direct board accountability.

The key requirements for companies in relation to reporting on environment, social and governance (ESG) matters derive from the EU regulatory frameworks on sustainability and transparency, which require companies to address (ESG) considerations in their operations and disclosures. The EU initially introduced non-financial reporting obligations through the Non-Financial Reporting Directive (NFRD), which has been transposed into Cyprus law via amendments to the Companies Law, imposing obligations on large undertakings and groups (as defined under the Law) to prepare and publish reports on environmental and social matters. This framework has been further strengthened by the Sustainable Finance Disclosure Regulation, which requires financial market participants and advisers to disclose how sustainability risks are integrated into their decision-making processes.

At a supervisory level, for regulated entities, while non-financial reporting is not directly enforced by the Cyprus Securities and Exchange Commission, it is monitored in alignment with EU-level oversight co-ordinated by the European Securities and Markets Authority. Looking ahead, the proposed Corporate Sustainability Reporting Directive (CSRD) is expected to significantly expand the scope and depth of reporting obligations by introducing mandatory EU sustainability standards, audit requirements and digital reporting formats. ESG requirements are evolving into a key framework through which companies assess and disclose risks, opportunities and ethical practices, and Cyprus companies are increasingly integrating these principles into their corporate culture and business strategies.

In Cyprus, while there have been no fundamental departures from the EU-driven ESG regulatory framework, as a result of the current global geopolitical climate – particularly developments such as sanctions regimes, energy security concerns, and supply chain disruptions – ESG is increasingly treated not merely as a compliance exercise but as a strategic tool for resilience, risk management and long-term value creation.

In terms of the specific ESG pillars, the “E” (environmental) component has gained further importance due to heightened focus on climate risk, energy transition and sustainability strategies, particularly in light of geopolitical instability affecting energy markets. The “G” (governance) pillar has also become more prominent, especially in relation to compliance, transparency and sanctions-related obligations, as Cyprus – given its role as an international business and financial hub – has faced increased scrutiny following global sanctions developments. At the same time, the “S” (social) component is evolving towards greater emphasis on stakeholder engagement, diversity and corporate accountability, with businesses increasingly expected to take positions on broader societal issues and demonstrate tangible social impact.

These developments are complemented by the growing role of the Cyprus Network of Corporate Social Responsibility, which has been instrumental in promoting ESG awareness and embedding corporate social responsibility (CSR) into business culture. Established as a network of ESG-conscious organisations, it supports companies in adopting sustainable practices and fostering a culture of responsibility through initiatives, training and collaboration. More broadly, Cyprus companies have increasingly embraced ESG principles in practice, through activities such as environmental initiatives, community engagement and employee-focused policies, demonstrating a shift from voluntary CSR actions to more structured and measurable ESG strategies.

The Companies Law does not provide for any specific safeguards and/or requirements in relation to board oversight of AI. However, despite the fact that the use of AI in companies’ affairs is not directly regulated by any national legislation, the EU AI Act (EU Regulation 2024/1689) applies directly in Cyprus. In addition, other relevant legislation which may act as indirect safeguards in relation to the board’s oversight over AI consists of the General Data Protection Regulation (EU Regulation 2016/679) which is complemented by the Cyprus Data Protection Law (Law 125(I)2018).

In the absence of AI-specific legal provisions that expressly regulate board oversight of AI, directors remain subject to their general duties under the Companies Law, including duties of care, skill and fiduciary responsibility, which require them to adequately understand and oversee material risks affecting the company, including those arising from the use of AI. Boards are expected to ensure that appropriate policies, procedures and controls are in place, often through risk, audit or compliance committees, even though no specific board composition or dedicated AI committee is mandated.

At the time of writing, there is no comprehensive AI governance framework at national level in Cyprus. However, AI-related risks – including reputational risks – can be addressed through a combination of EU legislation and existing corporate governance and risk management structures. The most significant development is the Artificial Intelligence Act, which entered into force in 2024 and will apply on a phased basis, introducing a risk-based framework that requires organisations to identify, assess and mitigate risks associated with AI systems, particularly those classified as “high-risk”.

In parallel, existing frameworks such as the General Data Protection Regulation, cybersecurity requirements, and general corporate governance obligations can play a central role in managing AI-related risks, including issues relating to data protection, transparency, accountability and reputational exposure. At a national level, Cyprus has adopted a National Artificial Intelligence Strategy (2020), and ongoing efforts are focused on aligning governance practices with evolving EU standards and international best practices.

AI governance developments in Cyprus are expected to revolve around the implementation phase of the AI Act, including the designation of competent supervisory authorities, the development of secondary guidance and technical standards, and the potential establishment of regulatory sandboxes to support innovation while ensuring compliance.

From a governance perspective, responsibility for AI strategy, risk management and assurance in Cyprus typically follows existing corporate governance lines. The board of directors retains ultimate responsibility for oversight of AI-related risks as part of its broader fiduciary and risk governance duties. The legal, compliance and risk management functions of a company will be expected to play a key role in implementing policies and ensuring adherence to legal requirements, while technology or IT functions will be responsible for the operational deployment and monitoring of AI systems.

From a liability perspective, boards and officers in Cyprus may face exposure arising from AI use under several existing legal regimes rather than AI-specific laws. These include potential liability for failures in oversight or disclosure, breaches of data protection laws (notably under the General Data Protection Regulation), unfair or misleading practices, and risks associated with defective or unsafe AI systems. Additional exposure may arise in relation to intellectual property infringements, cybersecurity incidents and reputational harm.

Enforcement may be undertaken by multiple authorities depending on the nature of the breach, including the Office of the Commissioner for Personal Data Protection, CySEC, the Central Bank and consumer protection authorities, as well as through civil claims by affected individuals or counterparties. In this context, boards are expected to exercise active oversight, ensure adequate risk assessment and internal controls, and maintain transparency in relation to AI deployment, as failure to do so may result in regulatory sanctions, financial penalties and potential personal liability.

In Cyprus, there are currently no standalone, AI-specific disclosure requirements mandating companies to report on AI use, strategy, governance, risks or incidents in annual reports, sustainability reports or prospectuses. However, such disclosures may arise indirectly under existing EU and national legal frameworks. In particular, the Artificial Intelligence Act, which entered into force in 2024 and will apply on a phased basis, introduces transparency and documentation obligations for certain categories of AI systems (notably high-risk and limited-risk systems), including requirements relating to risk management, human oversight and incident reporting. While these obligations are primarily operational rather than disclosure-based, they are expected to influence corporate reporting practices over time, especially for companies deploying or developing AI at scale.

In the absence of dedicated AI disclosure rules, Cyprus companies must rely on existing regimes. For example, under the General Data Protection Regulation, organisations are required to disclose certain information where AI involves the processing of personal data, including transparency obligations towards data subjects and, in some cases, data protection impact assessments.

At a national level, Cyprus has adopted a National Artificial Intelligence Strategy (2020), and ongoing initiatives aim to align the country with EU developments in AI governance and oversight. However, as detailed standards and guidance under the AI Act are still evolving, companies in Cyprus will be expected to address any AI-related disclosures through existing legal principles, including transparency, risk management and good corporate governance, rather than through a dedicated AI reporting framework.