Fintech 2026

Last Updated March 31, 2026

Cyprus

Law and Practice

Authors



Lawitt Buro is a boutique international legal and consulting firm founded in 2012, advising corporate and private clients on cross-border structuring, asset protection and regulatory matters. Headquartered in Cyprus, with offices and associated presence in the CIS and the Middle East, the firm provides strategic support across key international markets. Lawitt Buro brings together a team of ten professionals across its various locations, combining local insight with international expertise. Its core practices include corporate structuring, M&A, trusts and funds, and licensing in regulated sectors such as Forex, crypto-assets and fintech. Lawitt Buro also advises on AML compliance, substance requirements and complex cross-border transactions. The firm has particular expertise in international legal investigations, asset tracing and recovery, and arbitration. Its managing partner is recognised in international legal rankings, reflecting the firm’s commitment to high-quality, partner-led advice.

Over the past year, Cyprus has strengthened its position as a regional fintech hub, primarily due to EU harmonisation rather than domestic reform. The transition to the directly applicable Markets in Crypto-Assets Regulation (MiCA) has increased governance, capital and operational substance requirements.

The sector has professionalised: lightly structured platforms have exited, while established investment firms and electronic money institutions have expanded into digital assets within a clearer supervisory perimeter. Regulatory tolerance for informal models has narrowed, with emphasis on operational presence and compliance capability.

Key Issues Impacting the Next 12 Months

Three main developments will shape the market.

  • Crypto firms must move from simple registration to full EU licensing, with stronger governance, capital and compliance standards.
  • Fintech companies must ensure their IT systems are secure, well-managed and resilient, with clear reporting and oversight of outsourced providers.
  • Rising regulatory and capital requirements are increasing operating costs, pushing smaller firms to restructure, merge or exit the market.

Artificial Intelligence in Fintech

AI is increasingly embedded in AML monitoring, onboarding and robo-advisory tools. Regulators remain technology-neutral but require explainability, auditability and human oversight. The focus is on governance rather than innovation.

Cyprus functions as a regional fintech hub serving cross-border clients through EU passporting. The principal verticals are as follows.

  • Investment services and WealthTech (Cyprus Investment Firms), historically focused on retail foreign exchange and contracts for difference, now offering broader multi-asset and app-based trading models.
  • Payments and electronic money, supporting e-commerce and cross-border business flows, with growth in B2B services such as virtual IBANs.
  • Crypto-asset services, mainly exchange and custody models transitioning to full EU authorisation.
  • Regtech, providing onboarding, screening and compliance tools to regulated firms.

Legacy Versus New Players

Legacy institutions increasingly partner with fintech providers, while newer entrants focus on specialised services rather than full-service banking models.

Supervisory Architecture

Cyprus regulates fintech based on what the firm does, not what it calls itself. There is no single fintech law. The main regulators are:

  • CySEC, which supervises investment services, market conduct and most crypto-asset services; and
  • the Central Bank of Cyprus, which supervises payment services, electronic money and banks.

The regulatory framework is as follows.

  • Investment firms operate under the EU Markets in Financial Instruments Directive (MiFID II), which sets rules on conduct, governance and best execution.
  • Payment and electronic money institutions operate under PSD2 and the electronic money regime, including safeguarding of client funds and security requirements.
  • Crypto-asset services are governed by the Markets in Crypto-Assets Regulation, which introduced a formal authorisation regime with capital, governance and disclosure standards.
  • Anti-money laundering rules apply across all sectors, including “Travel Rule” obligations for crypto transfers.
  • Digital resilience is governed by the Digital Operational Resilience Act, which sets common ICT and outsourcing standards.

Supranational Versus National Context

Where EU law applies directly (such as MiCA and the Digital Operational Resilience Act – DORA), Cyprus cannot change the core rules. Local regulators focus on supervision and enforcement rather than rewriting the framework.

Permissible Compensation Models

Fee structures in Cyprus depend on the firm’s licence and EU rules. Common models include:

  • transaction fees (per trade, transfer or volume);
  • spread-based pricing (especially in FX and CFDs), with transparency requirements;
  • subscription models for premium services;
  • asset-based portfolio fees, sometimes with performance elements, subject to conflict controls; and
  • merchant and interchange income for payment institutions, within EU limits.

Mandatory Disclosures

Firms must clearly explain all costs, including indirect or third-party charges. Before providing services:

  • investment firms must give a “Costs and Charges” breakdown showing the impact on returns; and
  • crypto firms must publish their fee policy clearly.

For ongoing services, clients must receive at least annual statements showing the actual costs paid.

The difference between fintech firms and legacy institutions in Cyprus is based on activity, not label.

  • Banks may take deposits and lend, and are subject to full capital and liquidity rules.
  • Payment and electronic money institutions cannot lend client funds and must safeguard them instead.
  • Governance and digital resilience standards now apply across all sectors.
  • Bank deposits are covered by a guarantee scheme, while payment and e-money client funds rely on safeguarding, not deposit insurance.

Establishment and Scope

Cyprus launched its Regulatory Sandbox in June 2024 under CySEC, building on the earlier Innovation Hub and providing a formal testing framework. It is open to all types of financial innovation, with recent projects focusing on tokenisation, DeFi and AI-driven compliance.

Eligibility and Participants

Both licensed firms and start-ups may apply. Unauthorised entities must usually partner with a regulated firm or be close to authorisation, as the sandbox is not a licence-free space. Applicants must show genuine innovation, readiness for testing, consumer or market benefit and a clearly identified regulatory uncertainty.

Testing Process

The process includes application, preparation of a testing plan, controlled live testing (typically up to six months) and a final evaluation with regulatory feedback.

Regulatory Approach

The sandbox offers supervised flexibility, not exemption from EU law. Core rules, including MiFID II, MiCA and AML requirements, continue to apply, and firms must maintain risk controls and exit plans.

Cyprus follows a functional model: regulation depends on the service or asset, not the technology. Supervision is divided mainly between CySEC and the Central Bank of Cyprus (CBC).

Jurisdiction of CySEC (Securities and Crypto-Assets)

CySEC supervises investment services involving financial instruments and most crypto-asset activities under MiFID II and MiCA. It also regulates crowdfunding platforms.

Jurisdiction of the CBC (Payments and E-Money)

The CBC supervises payment institutions and electronic money institutions under the PSD2 and e-money framework. Electronic money tokens are treated as e-money and fall under CBC supervision.

Overlap and Other Authorities

Where firms combine services, licensing structures allocate responsibilities. Data protection is supervised by the Commissioner for Personal Data Protection, and from 2026 the Tax Department has expanded reporting powers under the EU’s Eighth Directive on Administrative Cooperation (DAC8).

Status of Formal No-Action Letters

Cyprus does not issue formal “no-action letters” granting immunity from enforcement. Regulators do not provide binding assurances in advance.

Practical Equivalents

Firms instead seek clarity through:

  • informal guidance via the CySEC and CBC Innovation Hubs;
  • legal opinions on regulatory classification;
  • feedback within the regulatory sandbox; and
  • pre-authorisation discussions with the regulator.

These mechanisms are not binding but provide practical direction.

Permissibility and Scope

Regulated firms (Cyprus Investment Firms (CIFs), Electronic Money Institutions (EMIs), Payment Institutions (PIs) and Crypto-Asset Service Providers (CASPs)) may outsource functions provided this does not create a “letterbox entity” or impair supervisory access. Critical functions (eg, portfolio management, safeguarding or core ICT) are subject to stricter governance and, in some cases, prior notification.

Vendor Requirements

The regulated firm remains fully responsible. Vendors must have adequate capacity, grant audit and regulatory access rights, and comply with DORA requirements where ICT services are involved.

Mandatory Contractual Requirements

Outsourcing must be governed by a written agreement compliant with the EBA Guidelines and Article 30 of DORA, including:

  • clear scope;
  • exit rights;
  • data protection safeguards;
  • sub-outsourcing controls; and
  • data location transparency.

Vendor Status and Reporting

Vendors need not be regulated, but unregulated providers require enhanced due diligence. Firms must maintain and submit registers of ICT outsourcing arrangements to support supervisory oversight.

Legal Definition of Fintechs as “Gatekeepers”

Fintech firms in Cyprus (including CIFs, EMIs, PIs and CASPs) are classified as “obliged entities” under the Prevention and Suppression of Money Laundering and Terrorist Financing Law. They have a positive duty to prevent misuse of the financial system.

Core Responsibilities

Gatekeeping duties include:

  • compliance with the Travel Rule under Regulation (EU) 2023/1113, requiring verified originator and beneficiary data for crypto transfers;
  • sanctions screening against EU restrictive measures; and
  • risk-based monitoring and submission of suspicious activity reports where concerns arise.

Responsibility extends to situations the firm should reasonably have detected.

Senior Management Accountability

Boards and senior management are directly responsible for AML oversight. The AML compliance officer must report to the Board and have authority to block transactions independently.

Gatekeeping Versus De-Risking

Regulators discourage blanket de-risking and expect proportionate, technology-supported risk assessment rather than broad exclusion of client categories.

Over the past 12 months, enforcement in Cyprus has shifted from supervisory guidance to active intervention. CySEC and the Central Bank of Cyprus increasingly use administrative fines, settlements and, where necessary, licence revocations to enforce EU frameworks such as MiFID II, the Digital Operational Resilience Act and anti-money laundering rules.

Thematic Inspections and Fines

In 2025 and early 2026, CySEC carried out thematic inspections in retail FX/CFD and crypto-asset sectors. Deficiencies in sanctions screening and prudential reporting led to administrative fines, particularly where firms failed to update systems or accurately classify liquid assets.

Sanctions and Criminalisation

Following the Criminalisation of the Violation of Restrictive Measures Law (2025), the National Sanctions Implementation Unit may impose fines of up to EUR5 million or 10% of annual turnover. Capital markets supervision has also tightened, with trading suspensions imposed for failures in financial reporting and disclosure.

Beyond financial legislation, fintech firms in Cyprus are heavily shaped by horizontal EU digital rules, often with greater practical impact than on legacy institutions due to their data-driven and outsourced models.

Data Protection (GDPR)

Fintechs rely extensively on automated onboarding and scoring, making transparency, profiling controls and human review requirements central, while legacy banks often face lower exposure due to more hybrid processes.

Cybersecurity and Resilience

Cloud-based and outsourced infrastructures place fintechs under heightened third-party risk and operational resilience scrutiny compared to more internally integrated legacy systems.

Digital Platform Rules (DSA)

Fintech platforms offering social trading or user content must comply with moderation and advertising transparency duties, obligations less relevant to traditional banks.

AI Regulation

Fintechs developing proprietary scoring or advisory tools may fall within higher-risk AI categories, triggering documentation, oversight and governance duties; reliance on vendors shifts some burden for legacy players.

Electronic Identification

The 2025 national eID scheme has strengthened remote onboarding, with fintechs generally adopting high-assurance digital identification faster than traditional institutions.

Beyond CySEC and the Central Bank of Cyprus, fintech firms operate within a wider assurance ecosystem that increasingly complements regulatory supervision, particularly in governance, AML and digital resilience.

Key Reviewers

External auditors, ICT security testers and specialist consultants regularly assess financial controls, safeguarding, resilience and compliance environments.

Professional Bodies

The Institute of Certified Public Accountants of Cyprus influences outsourced accounting and AML standards; the Cyprus Bar Association oversees legal professionals acting as gatekeepers; and the Digital Security Authority reviews cybersecurity posture of designated digital service providers.

Industry Standards

Voluntary standards materially shape practice: the Cyprus Fintech Association promotes sector codes, and ISO/IEC 27001 and ISO 22301 certifications are commonly required by institutional counterparties.

Tax Oversight

Since 1 January 2026, the Cyprus Tax Department actively monitors crypto-asset and e-money reporting under DAC8.

Market Expectations

In practice, market expectations often drive compliance standards beyond formal statutory requirements.

Hybrid Models

Cyprus fintechs often combine regulated and unregulated services within a single ecosystem, such as brokerage with education tools, crypto exchanges with NFTs or loyalty tokens, and e-money issuance with merchant analytics.

Structural Approach

Regulators allow mixed models within one entity if unregulated activities are ancillary, do not affect financial stability or safeguarding, and are clearly separated operationally and in accounting. Higher-risk activities are often ring-fenced in separate group entities.

Regulatory Focus

Supervisors concentrate on:

  • clear distinction between regulated and unregulated products;
  • resilience of shared ICT infrastructure under DORA; and
  • continuous AML obligations across the full client relationship.

MiCA Impact

The 2025–26 MiCA roll-out has reduced the scope of previously unregulated crypto activities, making early classification analysis essential before launch.

AML and sanctions compliance is a central operational driver for fintech firms in Cyprus and increasingly affects hybrid and adjacent digital businesses.

Regulated Firms

Investment firms, payment institutions, EMIs and CASPs must apply risk-based due diligence, ongoing monitoring, sanctions screening and suspicious activity reporting.

In crypto, the Travel Rule requires originator and beneficiary data to accompany transfers, increasing operational and technological demands. Sanctions screening now extends to ownership and control structures, with boards expected to demonstrate active oversight.

Unregulated and Hybrid Firms

Even where not directly licensed, technology providers and digital platforms are indirectly captured through regulated partners. Enhanced due diligence, contractual AML clauses and audit rights are common.

In hybrid models, AML obligations apply to the full client relationship and cannot be limited to regulated product lines.

Sanctions and De-Risking

Firms must document geographic, politically exposed person (PEP) and sectoral risk assessments. While blanket de-risking is discouraged, regulators expect proportionate, defensible onboarding decisions supported by effective screening and escalation frameworks.

Cyprus maintains a high level of technical compliance with FATF standards and is assessed by MONEYVAL under the FATF 40 Recommendations.

Current Status (2025–26)

In June 2025, MONEYVAL upgraded Cyprus’s rating for Recommendation 13 (Correspondent Banking) to “Largely Compliant”. Cyprus is no longer under enhanced follow-up, is not on the FATF grey list, and its next full evaluation is scheduled for October 2028.

Under reverse solicitation, a third-country firm may serve a Cyprus client without local authorisation only where the service is provided at the client’s exclusive initiative. The exemption exists under MiFID II, PSD2 and MiCA but is interpreted strictly. It applies only to the specific service requested; any cross-selling, ongoing marketing or indirect targeting (including white-labelling or EU intermediaries) removes protection.

CySEC and the Central Bank presume solicitation where firms have an accessible digital presence, unless clear evidence of an unsolicited, client-initiated request is maintained.

In practice, reverse solicitation is not considered a viable long-term strategy. Most firms either obtain local authorisation or implement strict geo-blocking and onboarding controls.

In Cyprus, the regulatory model for a robo-adviser depends on the legal classification of the assets involved. The distinction is asset-based, not technology-driven.

Security Tokens (MiFID II Model)

If the robo-adviser provides advice or portfolio management for assets that qualify as financial instruments (eg, tokenised shares or bonds), it must be authorised as a Cyprus Investment Firm under MiFID II. Full prudential, governance and investor protection rules apply. Tokenisation does not change classification.

Non-Security Crypto-Assets (MiCA Model)

If services relate to crypto-assets that are not financial instruments, the firm must be authorised as a Crypto-Asset Service Provider under MiCA. Requirements differ from MiFID II, particularly regarding capital and investor compensation, but governance and disclosure duties remain significant.

Hybrid Structures and EMTs

Platforms offering both asset types typically use dual licensing or group structures, with clear segregation and disclosure. Where electronic money tokens are involved, supervision shifts to the Central Bank under the electronic money regime.

Legacy institutions in Cyprus have mostly integrated robo technology into existing banking and wealth platforms rather than launching standalone robo-advisers.

Hybrid Advisory Model

Algorithms support portfolio construction and risk profiling, but human advisers retain final oversight to meet suitability and governance requirements.

Digital Integration

Automated investment tools are embedded within mobile banking apps, offering investment, payment and lending services through a single interface.

Operational Use

Robo-style systems are also used internally for analytics, compliance checks and risk monitoring, enhancing efficiency rather than replacing human decision-making.

Best execution in Cyprus is governed by MiFID II for financial instruments and, in adapted form, by MiCA for certain crypto-asset services.

For robo-advisers, execution decisions are built into algorithms, so the main risks relate to system design and governance rather than human trader discretion.

Key points include the following.

  • Execution policy – Firms must maintain and regularly review a clear policy explaining how they achieve the best possible result for clients.
  • Algorithm design – Systems must consistently prioritise price, cost, speed and likelihood of execution in a defensible way.
  • Conflicts of interest – Revenue models or venue incentives must not influence routing decisions in a way that undermines best execution.
  • Execution monitoring – Firms must review slippage and overall execution quality, including both positive and negative price movements.
  • Technology risk – Latency, outages and ICT failures must be monitored within the firm’s operational resilience framework.
  • Crypto liquidity – In crypto markets, firms must justify venue selection given fragmented liquidity and price differences.

In Cyprus, the regulation of fiat lending depends on the type of borrower. Core banking and consumer credit laws apply, but protection levels differ for individuals, SMEs and large corporates.

Individuals (Consumer Credit)

Consumer loans are heavily regulated. Lenders must provide clear pre-contractual information, carry out a mandatory creditworthiness assessment and grant statutory withdrawal and early repayment rights. Affordability must be sustainable, and pricing is subject to safeguards against abusive terms.

Small and Medium-Sized Enterprises (SMEs)

SMEs receive less protection than consumers, but lenders are expected to apply transparent terms and structured arrears management. Supervisory focus is on responsible lending and proportionate restructuring before enforcement.

Large Corporates

Corporate lending is largely based on contractual negotiation, subject to prudential standards. Recent reforms have facilitated loan transfers and secondary market participation by non-bank lenders.

AML Requirements

All lenders must comply with Central Bank Directive R.A.A. 120/2025, applying risk-based KYC, remote onboarding where appropriate and enhanced monitoring for higher-risk clients.

Underwriting in Cyprus is increasingly data-driven but tightly regulated. Core methods include traditional credit bureau data (ARTEMIS), open banking cash-flow analysis under PSD2, and limited use of alternative data for thin-file borrowers, subject to fairness and data protection rules. Regulatory limits under Directive (EU) 2023/2225 require lenders to ensure repayment is sustainable and to consult relevant credit databases, with documented evidence.

AI use in credit scoring is treated as high-risk under the EU AI Act, requiring transparency, bias monitoring and, where applicable, human review.

AML integration under CBC Directive R.A.A. 120/2025 requires robust identification, including high-assurance electronic identification, and supports ongoing rather than one-off credit assessment for certain products.

Credit assessment is increasingly continuous rather than one-off, particularly for revolving facilities supported by digital data feeds.

In Cyprus, how a lender funds loans depends on its licence.

Deposits

Only authorised credit institutions may take deposits, triggering full supervision by the Central Bank of Cyprus and, where relevant, the European Central Bank, including capital and liquidity rules. Non-bank fintechs cannot accept deposits.

Peer-to-Peer and Crowdfunding

P2P platforms must be authorised by CySEC under the law implementing Regulation (EU) 2020/1503 and act as intermediaries between investors and borrowers.

Own Capital

Many online lenders use equity, private funding or bond issuances under Companies Law and prospectus rules where applicable.

Securitisation

Banks and larger lenders may transfer loan portfolios to special purpose vehicles under the Securitisation Law and EU framework.

Credit Acquisition

Non-bank buyers of loan portfolios must appoint a Central Bank-authorised Credit Servicer to manage borrowers and ensure compliance with consumer and AML rules.

Structure of Syndication

Syndicated loans are common for large real estate and project finance deals. A lead arranger structures the transaction, participating lenders share the risk, and an agent manages administration and security. Foreign law may govern the finance documents, but security over Cypriot assets must follow local law.

Regulatory Framework

Syndications follow the same rules as bilateral loans, with added responsibilities:

  • each lender must perform its own credit assessment;
  • each lender remains individually responsible for AML/KYC compliance; and
  • if crypto-assets or fintech payment channels are used, Travel Rule obligations apply where relevant.

In Cyprus, payment processors are not limited to existing rails. The regime is technology-neutral, provided compliance with the Payment Services Law of 2018 is ensured.

Existing Rails in Practice

Most processors use Single Euro Payments Area (SEPA) credit transfers, instant payments and card networks, which provide settlement certainty and regulatory clarity.

Alternative and Proprietary Rails

Processors may develop account-to-account, closed-loop or DLT-based systems. If a structure qualifies as a payment system, additional oversight applies. The focus is on integrity, fair access and stability.

Regulatory Requirements

New rails must:

  • ensure objective and non-discriminatory access;
  • comply with DORA ICT resilience and incident reporting rules; and
  • align with CBC expectations on interoperability, particularly with SEPA Instant.

Cross-border payments in Cyprus are governed by EU law (PSD2 framework and directly applicable Regulations) and focus on speed, transparency and financial crime prevention.

Core Framework

Payment institutions and EMIs operate under the Payment Services Law. EU rules require equal fees for domestic and cross-border euro transfers, and instant payment regulation has made near real-time settlement standard across the Eurozone.

AML and Sanctions

Providers must comply with the AML Law and CBC directives. For crypto transfers, the EU Travel Rule requires originator and beneficiary data to accompany transactions. EU sanctions rules apply directly and must function effectively even in instant-payment settings.

Consumer Transparency

Firms must clearly disclose fees and currency conversion mark-ups before execution. Adoption of ISO 20022 improves data quality, supporting AML checks and reducing processing errors.

Defensive Tax Measures (2026)

From 1 January 2026, certain cross-border payments may trigger withholding tax or non-deductibility where paid to low-tax or EU blacklisted jurisdictions, increasing tax-residency verification requirements.

Cyprus recognises multiple trading venue types, with regulation based on the instrument traded and platform structure, aligned with MiFID II/MiFIR and MiCA.

Regulated Markets (RM)

The Cyprus Stock Exchange is the only regulated market and operates under MiFID II rules, with strict listing, transparency and market abuse requirements.

Multilateral Trading Facilities (MTF)

MTFs also fall under MiFID II but have more flexible admission standards. The Emerging Companies Market operates as an MTF for smaller issuers.

Organised Trading Facilities (OTF)

OTFs mainly cover non-equity instruments (eg, bonds, derivatives) and allow limited operator discretion, subject to transparency and conflict rules.

Crypto-Asset Platforms

Platforms trading non-security crypto-assets must be authorised as CASPs under MiCA and comply with governance, safeguarding and market integrity standards.

Crowdfunding Platforms

Equity and debt crowdfunding platforms are regulated under EU Regulation 2020/1503 and supervised by CySEC, with tailored investor protection requirements.

In Cyprus, regulation is asset-based, not technology-based, distinguishing financial instruments, crypto-assets and electronic money tokens.

Financial Instruments (Including Security Tokens)

If a digital asset qualifies as a financial instrument, MiFID II applies. Trading must occur on authorised venues, and providers must comply with prospectus, best execution, market abuse and investor protection rules. Classification follows substance over form.

Crypto-Assets (MiCA Regime)

Crypto-assets that are not financial instruments fall under the Markets in Crypto-Assets Regulation, which distinguishes asset-referenced tokens, electronic money tokens and other crypto-assets. Issuers must publish a White Paper, and platforms must meet governance and safeguarding standards.

Electronic Money Tokens

Stablecoins qualifying as electronic money tokens are supervised by the Central Bank of Cyprus under the Electronic Money Law, alongside MiCA requirements.

Tax Treatment (From 1 January 2026)

Disposal of crypto-assets is subject to a flat 8% tax, while security tokens remain subject to 15% corporate tax or capital gains rules, depending on structure.

The growth of crypto exchanges has brought crypto markets firmly within the Cypriot regulatory perimeter.

Centralised Exchanges (CEXs)

Initially registered with CySEC, CEXs are now fully licensed under MiCA. They must meet governance, capital and market abuse standards similar in intensity to traditional investment firms.

Decentralised Exchanges (DEXs)

Purely decentralised platforms without an identifiable operator may fall outside licensing. However, where a controlling entity exists, regulators apply a substance-over-form approach and may require authorisation. Supervisory tools increasingly include blockchain analytics and monitoring of on/off-ramp activity.

Tax and Reporting (From 2026)

Gains from crypto disposals are taxed at a flat 8%. Exchanges are treated as financial intermediaries for AML and EU tax transparency purposes, with enhanced reporting and transfer traceability duties.

In Cyprus, listing standards differ between traditional securities and crypto-assets.

Traditional Securities (CSE)

Admission to the Cyprus Stock Exchange is governed by Regulatory Administrative Act 326/2009 and the MiFID II framework. Issuers must meet requirements on legal form, financial history, free float and ongoing disclosure, with continuing obligations under transparency and market abuse rules.

Crypto-Assets (MiCA)

Under MiCA (Title V), platforms must apply clear admission rules. Most assets require a compliant White Paper, and platforms must assess transparency, structural risk and market abuse exposure. Opaque or highly anonymous structures face closer scrutiny.

Market Practice

Beyond formal law, platforms commonly require proof-of-reserves for stablecoins, independent smart-contract audits for DeFi tokens and sustainability disclosures on consensus mechanisms.

In Cyprus, order handling duties apply to both investment firms and crypto-asset service providers. The core principle is prompt, fair and expeditious execution, with client interests prevailing over the firm’s own.

General Principles

Under MiFID II and MiCA, firms must follow documented order-handling procedures and, as a rule, execute orders in the sequence received unless objective market conditions justify otherwise. Front-running and unfair prioritisation are prohibited.

Aggregation and Allocation

Orders may be aggregated only where this is unlikely to disadvantage clients. In partial executions, allocation must follow a pre-defined, fair methodology, with client positions taking priority over proprietary trades.

Crypto-Specific Rules

Under Title V of MiCA, trading platforms must provide non-discriminatory access to order books and avoid undisclosed preferential treatment. They must define order finality clearly and retain order records for at least five years to support market abuse oversight.

Payment for Order Flow

Payment for order flow is prohibited as it creates a conflict with best execution duties.

Peer-to-peer platforms in Cyprus have widened market access while reducing reliance on traditional intermediaries.

Impact on Market Participants

Banks face stronger competition in SME and consumer lending and have responded through partnerships and platform-based models. Licensed fintech brokers are also adapting, developing hybrid models that combine regulated infrastructure with peer-driven or social features. Retail users can now act as lenders or liquidity providers, increasing participation but also raising investor protection concerns.

Regulatory Challenges

The key issue is identifying accountability. Where a platform has identifiable management or control, it may fall under the MiCA or crowdfunding regimes. Fully decentralised models create enforcement challenges, particularly in relation to AML, consumer protection and supervisory oversight.

Payment for order flow (PFOF) is prohibited for retail clients under MiFID II, as it is viewed as incompatible with best execution.

Formal Prohibition

Law 183(I)/2025 implemented the EU-wide ban in Cyprus. Firms may not receive benefits for routing retail orders, except transparent rebates passed directly to clients.

Regulatory Rationale

CySEC and the Central Bank treat PFOF as a structural conflict of interest. Firms must strengthen execution monitoring and disclose material changes to clients.

Market Impact

Zero-commission models funded by routing incentives have largely shifted to explicit fees or subscriptions, with higher compliance oversight costs.

Market integrity in Cyprus is governed by the Market Abuse Regulation for financial instruments and equivalent rules under MiCA for crypto-assets.

Core Prohibitions

Across all markets, insider dealing, unlawful disclosure of inside information and market manipulation are prohibited.

Extension to Crypto

Since 2025, MiCA applies market abuse rules to crypto-assets admitted to trading, aligning crypto platforms with securities standards.

Compliance and Enforcement

CIFs and CASPs must operate surveillance systems and report suspicious activity. Issuers must meet disclosure and insider list requirements. CySEC may impose significant fines, and serious cases can lead to criminal liability.

Algorithmic and high-frequency trading in Cyprus are regulated under MiFID II (for financial instruments) and MiCA (for crypto-assets), with emphasis on risk controls and market integrity rather than the technology itself.

Algorithmic Trading (MiFID II)

CIFs using automated trading systems must notify CySEC and implement pre-trade controls, testing and continuous monitoring. Under DORA, such systems also fall within ICT risk, resilience and incident-reporting frameworks.

High-Frequency Trading

HFT is treated as higher risk and requires circuit breakers, kill-switch mechanisms and detailed time-stamped records to prevent market disruption.

Asset-Based Distinction

MiFID II governs financial instruments (including security tokens), while MiCA imposes parallel surveillance standards for crypto-assets, though prudential requirements differ.

In Cyprus, firms trading as principal (dealing on own account or acting as counterparty) must be properly authorised.

Investment Firms (MiFID II)

Firms dealing on own account must be licensed as Cyprus Investment Firms and comply with IFR/IFD capital rules, together with enhanced risk management and conflict controls.

Crypto Context (MiCA)

CASPs trading on own account require specific MiCA authorisation. While capital thresholds differ, governance and conduct standards remain substantial.

Limited Exemption

A narrow exemption applies to pure proprietary traders with no third-party services, but not to market makers, HFT firms or entities with direct market access. In practice, most professional actors require authorisation.

In Cyprus, investment funds and dealers may use similar trading technology, but their regulatory treatment differs.

Investment Funds (UCITS/AIFs)

Funds may use algorithmic strategies within their mandate without a Cyprus investment firm licence, provided they do not serve third parties. Supervision focuses on risk management, liquidity and adherence to the disclosed strategy, under the responsibility of the UCITS management company or alternative investment fund manager.

Dealers (CIFs Under MiFID II)

Cyprus investment firms using algorithmic trading or HFT are directly regulated under Law 87(I)/2017. They must notify CySEC, implement trading controls and meet capital requirements proportionate to risk. Principal trading triggers stricter conflict controls.

Common Framework

Both are subject to the Digital Operational Resilience Act, including ICT governance, testing and incident reporting obligations.

Programmers who build trading algorithms in Cyprus are not licensed by regulators, but they are controlled indirectly through the rules that apply to the authorised firm.

  • Firm accountability (MiFID II) – The licensed firm must ensure developers are competent and keep governance and testing in place; the board remains responsible for the trading system.
  • EU AI Act – If the tool is in-scope (especially high-risk), the firm must ensure documentation, data governance, explainability and human oversight.
  • DORA – Firms must manage ICT risk and, if development is outsourced, monitor the vendor’s security and resilience.
  • Contracts/IP – Developers are governed through contract liability; firms must secure IP ownership, confidentiality and access/control rights.

Underwriting in Cyprus is governed by the Insurance and Reinsurance Services Law implementing Solvency II. Insurtech firms increasingly use automation, but core prudential principles remain unchanged.

Automated Models

Digital insurers use algorithmic risk scoring, usage-based pricing and straight-through processing, with human review for complex cases. Automation improves efficiency but does not reduce regulatory responsibility.

Regulatory and AI Constraints

Underwriting remains subject to insurance law, data protection rules and, where applicable, EU AI requirements (including documentation, transparency and human oversight for higher-risk systems).

Prudential Governance

Insurers must comply with the prudent person principle, ensuring sound risk measurement, adequate reserving and alignment with the solvency capital requirement. Automated models form part of the overall risk management framework and are subject to supervision.

DORA

Underwriting platforms are treated as critical ICT systems and must meet resilience, incident reporting and business continuity standards.

Cyprus law separates life and non-life insurance, although both are supervised under the Insurance and Reinsurance Services Law. The distinction reflects different risk and capital profiles.

Separation of Business

Composite insurers are generally prohibited. Life and non-life activities require separate authorisation and capital, given the long-term nature of life liabilities versus short-term general insurance risks.

Life Insurance

Life, annuities and investment-linked products are treated as long-term savings and protection business. Regulation focuses on actuarial reserving, asset-liability matching and enhanced disclosure under the Insurance Distribution Directive and PRIIPs framework. Premiums remain tax-deductible within statutory limits.

Non-Life Insurance

Property and casualty lines (eg, motor and liability) are supervised with emphasis on claims management, technical provisions and reinsurance. Certain lines are compulsory. Premiums are generally not tax-deductible for individuals but are deductible for businesses.

Conduct Rules

While prudential regimes differ, conduct standards are harmonised: non-life products require an Insurance Product Information Document, and life-based investment products require a Key Information Document.

Regtech providers in Cyprus are not licensed simply for supplying compliance technology, but their exposure depends on what they do and how critical their services are.

Indirect Regulation

Most are regulated indirectly through their clients. Financial institutions remain fully responsible for outsourced compliance under sectoral rules and DORA, so regtech providers must meet GDPR, AML/sanctions and record-keeping standards. Contracts must allow regulatory access to systems and data.

Direct Oversight Under DORA

If designated a “critical” ICT third-party provider, a regtech firm may fall under direct EU-level supervision, including inspections and resilience reviews. Most providers are not designated but must still meet ICT risk standards via client obligations.

Activity-Based Licensing

Authorisation may be required if services cross into regulated activity (eg, initiating payments or providing personalised investment advice).

AI Scrutiny (2026)

Where “agentic” AI tools triage alerts, regulators require meaningful human validation of high-risk decisions, particularly in sanctions and AML contexts.

In Cyprus, contracts between financial institutions and technology providers are now largely driven by regulation, not just commercial practice.

Mandatory Terms (DORA)

Under the Digital Operational Resilience Act, ICT contracts must include clear service levels, data security obligations, incident reporting, and audit/access rights for the firm and supervisors. These are mandatory.

Critical Functions

Where services are critical, contracts must also address exit plans, limits on sub-outsourcing, and business continuity to reduce dependency risk.

Market Practice

Common additional clauses include service credits, step-in rights and source code escrow. Liability caps are negotiated but increasingly reflect potential regulatory exposure, especially for data breaches.

Force Majeure

Cyber-attacks are generally not accepted as excuses for non-performance; providers are expected to meet DORA resilience standards.

Traditional banks and insurers in Cyprus have moved from pilots to selective, business-case adoption of Distributed Ledger Technology (DLT), mostly where it reduces friction (settlement, reconciliation, data integrity) or enables tokenised issuance. They are also preparing for digital euro interoperability.

Areas of implementation are as follows.

  • Payments/settlement – exploring DLT rails for cross-border corporate flows and faster internal settlement; stablecoins are considered mainly via regulated partnerships rather than direct issuance.
  • Tokenisation (RWA) – interest in tokenised bonds/fund units and fractional participation models, often through EU frameworks (DLT Pilot where instruments qualify as securities).
  • Compliance/identity – “reusable KYC” and provenance-style audit trails are explored as efficiency tools, but constrained by GDPR, outsourcing controls and operational resilience expectations.
  • Digital euro readiness – investment in back-end upgrades to support future CBDC distribution and conditional-payment use cases.

Cyprus regulators treat blockchain as regulated infrastructure, not a separate system, following an EU-first approach (MiCA, DLT Pilot, DORA) supported by local supervision on governance, substance and reporting.

Key developments include the following.

  • DLT Pilot perimeter – CySEC guidance/directives enable DLT market infrastructures for tokenised financial instruments under the EU Pilot framework.
  • MiCA transition – CySEC messaging prioritises orderly authorisation and supervision of CASPs, with focus on governance substance and market integrity.
  • Stablecoin/EMT boundary – CBC involvement increases where EMTs and payment functionality touch the e-money/payment perimeter.
  • Reporting and transparency – increasing use of standardised reporting expectations (tax/AML transparency frameworks referenced where relevant).
  • Innovation Hub – remains the entry point for interpretative discussions (RWA tokenisation, regtech/AI and smart contracts).

In Cyprus, blockchain assets are classified based on the rights they grant, not the technology used. The system is tiered and applies a strict “substance over form” test.

Financial Instruments (Security Tokens)

If a token gives rights equivalent to shares or bonds (eg, profit participation or voting), it is treated as a financial instrument under MiFID II. It falls outside MiCA and must comply with prospectus, venue and investor protection rules. Tokenised equity requires a legally enforceable link between the token and the shareholder register.

Crypto-Assets (MiCA)

Tokens that are not financial instruments are regulated under MiCA. Utility tokens require White Paper disclosure but are not treated as securities unless they embed financial return features.

Stablecoins (ARTs and EMTs)

Stablecoins are split into:

  • EMTs (single fiat reference), supervised by the Central Bank under e-money rules; and
  • ARTs (multi-asset reference), subject to stricter capital and reserve safeguards.

NFTs

Genuinely unique NFTs are generally outside MiCA. However, large-scale or fractionalised NFT structures may be reclassified as regulated crypto-assets or financial instruments.

Tax Treatment (2026)

From 1 January 2026, disposal gains on crypto-assets are taxed at a flat 8%. Mining income is taxed under ordinary income rules.

In Cyprus, issuers of crypto-assets are regulated under MiCA. Unregulated ICO-style offerings have been replaced by a disclosure and authorisation regime.

Categories of Issuers

Requirements depend on the type of asset.

  • Utility tokens (“other crypto-assets”) – no prior authorisation required, but the issuer must be a legal entity and notify CySEC of a MiCA-compliant White Paper at least 20 days before the offer.
  • Asset-referenced tokens (ARTs) – require CySEC authorisation and are subject to capital and reserve requirements.
  • E-money tokens (EMTs) – may be issued only by authorised credit institutions or electronic money institutions, supervised by the Central Bank.

Initial Offers

Public offers must comply with MiCA disclosure rules:

  • publication of a compliant White Paper, including risk disclosure and retail withdrawal rights;
  • marketing must be fair, clear and consistent with the White Paper; and
  • limited exemptions apply (eg, small offers or offers to fewer than 150 persons per member state).

Tokenisation of Real-World Assets

RWA projects face structural challenges.

  • A legally enforceable link is required between the on-chain token and off-chain ownership (often via SPVs or trusts).
  • Fractional profit rights may trigger MiFID II rather than MiCA.
  • National registries are not fully blockchain-integrated, so off-chain formalities remain necessary.
  • Secondary market liquidity remains limited due to the absence of dedicated DLT trading venues.

In Cyprus, blockchain trading platforms are fully integrated into the regulatory framework. The regime distinguishes between MiCA-authorised Crypto-Asset Service Providers (CASPs) and DLT market infrastructures for tokenised financial instruments.

MiCA Regime (CASPs)

All crypto trading platforms operating in or from Cyprus must be authorised as CASPs under MiCA.

  • Legacy CASPs had to apply for MiCA authorisation by 27 February 2026 to benefit from transitional operation.
  • Core requirements include governance substance, safeguarding and segregation of client assets, detailed record-keeping and DORA-compliant ICT resilience.
  • Firms failing to apply must implement an orderly wind-down.

Tokenised Financial Instruments (DLT Pilot)

Where tokens qualify as financial instruments, MiFID II applies.

  • CySEC permits DLT MTFs and DLT trading and settlement systems under the EU DLT Pilot.
  • This enables secondary trading of tokenised shares, bonds and fund units.
  • Atomic settlement is permitted, reducing counterparty risk.

P2P and Decentralised Trading

Travel Rule obligations apply to qualifying transfers, limiting anonymous on-ramp activity.

  • Platforms matching orders, even if non-custodial, require CASP authorisation.
  • Fully decentralised systems without an identifiable operator may fall outside licensing, but any central interface or controlling entity triggers regulation.

In Cyprus, crypto staking is regulated based on how the service is structured. It now falls clearly within the MiCA framework rather than informal AML interpretation.

Regulatory Trigger

Staking becomes regulated where a third party safeguards or administers client crypto-assets. Providers offering custodial staking must be authorised as CASPs under MiCA. Where staking is bundled with custody or exchange services, full MiCA operational requirements apply.

Core Regulatory Requirements

Staking providers must:

  • segregate client assets from their own estate;
  • clearly disclose risks, including slashing, lock-up periods and variable rewards; and
  • transparently explain fee-sharing arrangements and reward calculation.

Reclassification Risk (Collective Investment)

If assets are pooled and actively managed with an expectation of return, staking arrangements may be reclassified as an alternative investment fund, triggering AIFMD requirements.

Tax Distinction

Staking rewards are treated as ordinary income. Subsequent disposal of rewarded tokens falls under the crypto disposal tax regime.

Crypto-lending in Cyprus is no longer treated as a purely contractual activity. In 2025–26 it is regulated according to its economic substance, particularly where it resembles custody, investment pooling or credit provision.

MiCA Perimeter

Lending is not a standalone MiCA service, but most providers fall within the CASP regime because they hold or administer client assets. This triggers segregation, prudential and conduct obligations, and restrictions on marketing “interest” in a way that could create conflicts of interest.

Credit and Consumer Law Crossover

Where lending involves EMTs or fiat credit backed by crypto-collateral, payment or banking rules may apply. Retail lending additionally triggers consumer credit requirements, including clear pre-contractual disclosures and fair margin and liquidation terms.

Yield and Pooling Risk

If client assets are pooled and deployed for a shared return (eg, DeFi yield strategies), the structure may be reclassified as an alternative investment fund, bringing it within the AIFMD framework.

Tax Treatment (2026)

Lending yield is generally taxed as ordinary income, while liquidation of collateral is treated as a taxable disposal under the separate crypto gains regime.

Disclosure Expectations

CASPs offering “earn” or lending programmes must ensure clear risk disclosure, transparent liquidation mechanics and credible asset-reserve practices to prevent hidden rehypothecation.

Cryptocurrency derivatives in Cyprus are treated as financial instruments, not as ordinary crypto-assets. They fall under MiFID II (Law 87(I)/2017), not MiCA.

Licensing

Any firm offering crypto-CFDs, futures or options must be authorised as a Cyprus investment firm (CIF). A MiCA CASP licence alone is insufficient. Providers are subject to full prudential supervision under the IFR/IFD framework, including capital and risk-management requirements.

Retail Protections

CySEC applies strict safeguards to retail clients: leverage is capped at 2:1, margin close-out rules are standardised, negative balance protection is mandatory, and trading incentives are prohibited.

Reporting and Market Abuse

Crypto-derivatives fall under the Market Abuse Regulation and MiFIR reporting regime. Firms must report transactions and operate surveillance systems to detect manipulation affecting either the derivative or its underlying crypto-asset.

Tax Treatment (2026)

Unlike spot crypto gains taxed under the separate 8% regime, profits from crypto-derivatives are generally treated as trading income and taxed at ordinary corporate or personal income tax rates.

As of February 2026, DeFi in Cyprus is regulated using a strict “substance over form” approach. Purely technical decentralisation does not remove regulatory obligations if control or economic benefit can be identified.

Regulatory Status Under MiCA

MiCA excludes services provided in a fully decentralised manner with no intermediary. In practice, this exemption is interpreted narrowly. If an identifiable person, foundation or company exercises control (eg, holds admin keys, upgrades contracts, earns fees), the activity is treated as intermediated and requires CASP authorisation.

Centralisation Markers

Providing a front-end interface, retaining governance powers or receiving protocol fees may bring the operator within the licensing perimeter. DeFi cannot be used to avoid regulation where functional control exists.

Security Tokens in DeFi

If a platform enables trading of security tokens, MiFID II applies regardless of structure. Such activity requires authorisation as a Cyprus operation under the EU DLT Pilot Regime.

AML and Tax Overlay

Even where a protocol itself falls outside MiCA, Cyprus-based on-ramps must comply with Travel Rule obligations. Gains realised through DeFi activity remain taxable under the general crypto tax framework.

In Cyprus, crypto-focused funds operate under the collective investment regime supervised by CySEC together with the new statutory crypto tax framework.

Regulatory Structure

Most vehicles are AIFs or RAIFs aimed at professional or well-informed investors. Retail access remains limited. The RAIF is widely used because it is supervised via its external AIFM rather than directly authorised. AIFMD II now requires stronger liquidity tools for volatile digital assets – eg, redemption gates or side pockets.

Custody and Valuation

Funds must appoint an independent depositary, which may delegate technical custody to a MiCA-authorised CASP. Robust valuation policies are required, including clear NAV methodology and treatment of forks or airdrops.

Tax Treatment

From 1 January 2026, gains from crypto disposals are taxed at a flat 8% instead of the standard corporate rate. Losses are ring-fenced to crypto gains within the same year.

AML and Reporting

Crypto funds are obliged entities under AML law and must comply with Travel Rule and DAC8 reporting requirements, including automatic exchange of investor and transaction data.

In Cyprus, the terms “virtual currency” and “blockchain asset” were historically used interchangeably, but the legal terminology has now aligned with the EU framework. As of 2026, “crypto-asset” is the standard term under MiCA and the updated tax regime.

Evolution of Terminology

Under AMLD5, the term “virtual currency” focused mainly on digital means of exchange. With MiCA and the 2026 tax reform, this has been replaced by the broader concept of “crypto-asset”, defined as a transferable digital representation of value or rights using DLT.

Scope of Crypto-Assets

The crypto-asset category includes utility tokens, asset-referenced tokens (ARTs), electronic money tokens (EMTs) and security tokens. Security tokens fall under MiFID II, while other categories are governed by MiCA and, where relevant, the e-money regime.

Tax Alignment

From 1 January 2026, most non-security crypto-asset disposals are taxed at a flat 8%. Crypto-assets are not treated as fiat currency and do not benefit from foreign exchange tax exemptions.

Regulatory Convergence

CySEC now uses MiCA terminology in all registers and reporting. The term “virtual currency” remains relevant only in legacy AML documentation created before the transition.

In Cyprus, NFTs are assessed using a fungibility and financial use test. Their regulatory status depends on whether they function as unique digital collectibles or as financial products.

General Exclusion

Pure NFTs that are unique and not used for investment or exchange purposes fall outside MiCA. Platforms trading only such collectibles generally do not require a CASP licence, but remain subject to consumer protection law and GDPR.

When NFTs Become Regulated

NFTs enter the fintech perimeter where they resemble financial products. Fractionalised NFTs or large, uniform series may be treated as crypto-assets under MiCA. If they grant profit or revenue rights, they are reclassified as security tokens under MiFID II.

AML Overlay

Even where MiCA does not apply, NFT platforms may qualify as obliged entities under AML law. Transfers above EUR1,000 trigger Travel Rule obligations, bringing marketplaces within supervisory oversight.

Tax Treatment (2026)

From 1 January 2026, gains from NFT disposals are generally taxed at 8% under the crypto regime. Only in rare cases where an NFT is treated as traditional art would different capital gains rules apply.

In Cyprus, stablecoins are regulated under MiCA and divided into two categories with different supervisory treatment.

EMTs Versus ARTs

Electronic money tokens reference a single fiat currency and are treated as digital e-money. Asset-referenced tokens reference baskets of currencies, commodities or crypto-assets and face stricter prudential scrutiny due to systemic risk.

Core Requirements

Issuers must ensure redemption at par at any time and maintain fully segregated, high-quality liquid reserves. MiCA prohibits paying interest or rewards on stablecoins to prevent them functioning as bank deposits.

Supervisory Split and Deadline

EMTs fall under the Central Bank of Cyprus and may be issued only by licensed credit institutions or EMIs. ARTs and related CASP services are supervised by CySEC. By 2 March 2026, CASPs using EMTs for payments must obtain or partner with a licensed EMI or bank.

Usage Limits and Tax

Large-scale use of non-euro stablecoins may trigger transaction caps to protect monetary stability. From 1 January 2026, gains on stablecoin disposals, including crypto-to-stablecoin swaps, are taxed at 8%.

Open banking in Cyprus is based on the Payment Services Law implementing PSD2 and is now evolving towards broader Open Finance. The focus in 2026 is less on access rights and more on performance, transparency and expansion beyond payments.

PSD2 Foundation

Banks must provide secure Application Programming Interface (API) access to licensed Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) with customer consent. Early fragmentation due to non-standardised APIs slowed fintech growth, prompting the Central Bank to push EU standards such as Berlin Group for interoperability.

PSD3 and PSR Upgrades

Under PSD3 and the Payment Services Regulation, banks must publish API uptime data and may remove screen-scraping fallbacks if dedicated interfaces meet performance thresholds. Permission dashboards allowing customers to manage consents have strengthened trust and adoption.

Practical Inhibitors

Strong customer authentication and periodic re-authentication create user friction, while smaller institutions face cost pressures in maintaining high-performance APIs.

Next Phase: Open Finance

Regulators are preparing for the Financial Data Access framework, which will extend data-sharing principles to investments, insurance and pensions, positioning Cyprus within a broader EU Open Data model.

Open banking risks in Cyprus such as privacy, cybersecurity and fraud are addressed through a security-by-design model under GDPR, PSD2/PSD3 and DORA. Institutions now treat data protection as a core compliance and trust feature rather than a technical add-on.

Data Privacy and Consent

Banks use granular consent dashboards allowing customers to control which TPP accesses which data and for how long. Regulators apply a “reasonably necessary” standard, limiting data collection to what is required for the specific service.

Operational Resilience Under DORA

Banks must maintain ICT third-party registers and assess vendor resilience before API integration. Systemic institutions conduct threat-led penetration testing to ensure open banking interfaces do not create systemic vulnerabilities.

Technical Safeguards

Screen scraping is being phased out in favour of secure APIs. Strong Customer Authentication increasingly relies on biometrics, and payment initiation is monitored through real-time transaction risk analysis.

Liability and Co-Ordination

Contracts shift liability to TPPs where breaches arise from their failures, and industry participants share threat intelligence to reduce ecosystem-wide risk.

In Cyprus, fraud is addressed through civil law, criminal law and financial market legislation rather than a single statute. In fintech, the analysis usually falls into four categories.

Civil Fraud (Tort of Deceit)

To prove civil fraud, a claimant must show a false statement of fact made knowingly or recklessly, reliance on that statement, and resulting financial loss. All elements must be established cumulatively.

Criminal Fraud (Criminal Code Cap 154)

Criminal offences include obtaining property or credit by false pretences, falsification of company accounts by directors or officers, and broader “cheating” provisions covering fraudulent tricks used to obtain money or goods.

Market Abuse and Financial Services Fraud

In regulated markets, fraud overlaps with market abuse rules under MAR and related laws. This includes market manipulation, dissemination of false information and use of deceptive devices to influence prices, including crypto-assets.

Technology-Related Fraud (2026 Focus)

Regulators now treat AI-based deepfakes, spoofed communications and algorithmic wash trading as clear indicators of fraudulent intent. Where trading systems are designed to manipulate markets, liability arises regardless of whether a human directly triggered the transaction.

Cyprus regulators have intensified action against tech-enabled fraud, aiming to close gaps created by instant payments and AI-driven scams. The focus is shifting from reactive investigation to preventative controls and liability allocation.

Authorised Push-Payment (APP) Fraud

APP scams are a priority for the Central Bank of Cyprus. Under updated PSD2/PSD3 and PSR practice, banks face increased liability, especially in impersonation cases – eg, deepfake “bank employee” calls. Failure to implement tools such as confirmation of payee may result in full reimbursement obligations.

AI-Powered Scams and Deepfakes

Following CySEC Circular C751, regulators treat AI-generated investment promotions and highly personalised phishing as high-risk threats. Firms are expected to upgrade transaction risk analysis systems to detect social-engineering patterns in real time.

Crypto Market Abuse Under MiCA

With full MiCA implementation, CySEC is targeting wash trading, spoofing and misleading token disclosures. On-chain analytics are used to detect fictitious volume inflation and “rug pull” structures.

DORA and ICT Incidents

Under DORA, firms must promptly report major ICT incidents, including breaches that could enable fraud. Supervisory focus also includes third-party and supply-chain vulnerabilities.

Money Mule Networks and Synthetic Identity

Authorities are strengthening inbound payment monitoring to detect mule accounts and synthetic identities. Banks are expected to freeze suspicious flows showing rapid inflows followed by immediate withdrawals.

In Cyprus, liability for fintech losses follows a consumer-first model shaped by EU law. Since 2025–26, providers are usually responsible unless they can prove customer fraud or gross negligence, which courts interpret narrowly.

Unauthorised Transactions (PSR/PSD3)

Customer liability for unauthorised payments is capped at EUR50, and providers must refund by the next business day unless fraud is reasonably suspected. Full exemption applies only if the provider proves fraudulent or grossly negligent conduct by the customer.

Authorised Push-Payment Fraud (APP)

Liability has expanded to scams where customers are tricked into authorising payments. Failure to implement safeguards – eg, confirmation of payee or cases of bank impersonation – generally triggers full reimbursement duties.

Operational Failures (DORA)

Under DORA, firms are liable for losses caused by major ICT incidents, outages or cyber failures they failed to prevent or contain. Responsibility cannot be shifted to outsourced technology providers.

Misleading Conduct and Execution Failures

Investment firms and CASPs are liable for losses caused by misleading disclosures (eg, defective White Papers) or by unreasonable order execution delays.

Insurance Coverage

Most fintechs must maintain professional indemnity insurance covering technology errors, cyber incidents and compliance failures to ensure capacity to meet customer claims.

Lawitt Buro

171 Arch. Makarios III Avenue
Limassol
3027
Cyprus

+357 95 774496

info@lawittburo.com https://lawittburo.com/

Trends and Developments



Navigating the 2026 Fintech Frontier in Cyprus

The fintech ecosystem in Cyprus has entered a phase of institutional maturation in 2026. After several years of navigating transitional regulatory periods, the jurisdiction has successfully pivoted from being a perceived “soft-touch” hub to a sophisticated, compliance-first financial centre. This evolution is driven by the convergence of pan-European mandates, such as the Markets in Crypto-Assets (MiCA) Regulation and the Digital Operational Resilience Act (DORA), alongside a landmark national tax reform that provides much-needed clarity for digital asset participants.

The fintech industry in Cyprus is entering a new era thanks to a well-established regulatory system that is becoming separate and independent while still combining the best proven mechanisms of European legislation.

The 2026 crypto tax reform: a milestone for legal certainty

Perhaps the most significant development of the year is the implementation of Article 20E of the Income Tax Law, which came into effect on 1 January 2026. This reform establishes a fixed tax rate of 8% on profits derived from the disposal of crypto-assets, applying to both individuals and corporate entities.

The introduction of this regime transforms what was previously a “grey area” of taxation into a clear statutory framework.

By directly referencing the definitions found in MiCA, the law ensures absolute alignment between technical and fiscal categories. For investors and treasury managers, the rate represents one of the most competitive outcomes in Europe, positioning Cyprus not as a zero-tax jurisdiction, but as a balanced and predictable centre for digital wealth management.

The implementation of tax reform in Cyprus has become an “internal need” of the state and a kind of compensatory measure, with the tax legislation making it possible to outline the “characteristics of the object” of digital assets.

Ring-fencing and disposal mechanics

Historically, crypto-assets in Cyprus were subject to varying interpretations by the Tax Department. The new Article 20E eliminates this ambiguity by defining taxable disposals to include selling crypto for fiat, exchanging one crypto-asset for another (including stablecoins), and using crypto as a means of payment.

As at the date of publication of this guide (31 March 2026), tax legislation defines crypto-assets through “actions”, ie, the transactions that can be carried out with them. The law clearly states what affects the formation of the tax base and the calculation of taxes. It is also important to delineate the boundaries, taking into account the “levels” of the taxation system (tax accruing on an increase in the value of assets and on their subsequent sale) and how this system will work during the transition period (before the entry into force of the new article).

However, the regime includes strict “ring-fencing” rules: losses from crypto-assets may only offset gains within the same tax year and cannot be carried forward to future periods. This necessitates more active tax planning and real-time accounting for firms managing digital asset treasuries, as crypto losses cannot be used to shelter other categories of income such as dividends or employment income. This important change highlights that crypto-assets are special objects that inherently have a “propulsion mechanism”. The parties to the transaction need to understand the tax consequences before making the transaction.

The mining and staking carve-out

Income derived from mining and validation (staking as a service) remains outside the scope of the disposal regime. Regulators have clarified that these activities constitute an active trade or service, taxed under general income tax rules, either at the standard corporate rate (which has increased to 15% in 2026) or progressive individual rates.

This distinction reflects the principle that mining constitutes an active business activity rather than a simple asset disposal. This provision is one of the most important steps in completing the entire process of changes in the regulation of digital assets in Cyprus. Because the law cannot regulate every situation that market participants may encounter, special attention is drawn to cases where a person is engaged in a business that combines both types of activity or is “at the junction” between them. It is hoped that these issues will be clarified in the regulator’s resolutions.

Corporate tax modernisation: the 15% baseline

Parallel to the specific crypto-tax reform, Cyprus implemented a broader corporate tax update as of 1 January 2026. The standard corporate tax rate has increased from 12.5% to 15%, a move that aligns Cyprus with international OECD Pillar Two standards for minimum global taxation.

While this represents a higher baseline, the maintenance of the 8% special regime for crypto-disposals ensures that Cyprus remains a top-tier destination for specialised digital asset holding companies. This dual-layered approach allows the jurisdiction to meet international tax transparency obligations while preserving its competitive edge for the fintech sector.

Cyprus has brought the corporate tax system into full compliance with international standards, but at the same time has retained its regional tax attractiveness. In turn, the increase in corporate tax also allows Cyprus to keep tax revenues in its budget.

The MiCA “hard deadline” and the flight to quality

The regulatory focus of the Cyprus Securities and Exchange Commission (CySEC) in early 2026 is dominated by the final transition to the MiCA framework. Existing Crypto-Asset Service Providers (CASPs) authorised under the previous national AML regime were given a “hard deadline” of 27 February 2026 to seek full MiCA authorisation.

This deadline serves as a critical filter for the market. Firms that successfully applied by this date are permitted to continue operations under a “grandfathering” clause until 1 July 2026. Conversely, those failing to apply by the February deadline were mandated to initiate an orderly wind-down plan. The shift of regulation towards MiCA indicates a completely new market system.

The increased standard makes Cyprus more relevant for its offshore neighbours. It also makes Cyprus an attractive offshore jurisdiction for clients, while leaving a niche appeal for regulators due to the high degree of legislative growth.

Institutional-grade service standards

The transition to MiCA has fundamentally changed the barriers to entry in Cyprus. Authorisation now requires higher capital buffers and robust prudential oversight, reflecting CySEC’s desire to attract serious operators capable of managing complex cross-border risks. Firms are now subject to the same level of prudential supervision as traditional investment firms, including mandatory “own funds” requirements and strict rules on the “right of withdrawal” for retail clients.

These changes are truly segmenting the market and improving the quality of the participants operating in it. In this case, “raising the barrier point” is about a change in quality and about respect for each participant in the market economy.

The resilience imperative: DORA enforcement

The era of treating cybersecurity as a “back-office” concern has officially ended. As of 17 January 2025, the Digital Operational Resilience Act (DORA) became fully applicable across the EU, and 2026 marks the shift from implementation to active enforcement.

Fintechs are no longer merely judged on their financial soundness but on their ability to maintain resilient operations through severe ICT disruptions. Key pillars of the 2026 compliance landscape in Cyprus include the following.

  • Incident classification and reporting – Firms must report “major” ICT-related incidents within strictly defined timelines, often including an initial notification within four hours of classification.
  • ICT third-party risk management – DORA prescribes specific clauses that must be included in contracts with ICT service providers, covering service level agreements (SLAs), data locations and termination rights.
  • Operational resilience testing – All but the smallest financial entities must develop testing programmes, including advanced Threat-Led Penetration Testing (TLPT) for larger institutions, to validate their cyber defences.

This creates a double burden on the entity’s compliance structure, which ultimately has a positive effect on the growth of professional market participants and the protection of the end customer.

AI Regulation and the rise of “agentic AI”

The EU AI Act has introduced a risk-based classification for fintech tools that takes full effect for high-risk systems in 2026. AI systems used for credit scoring, insurance underwriting and fraud detection are frequently classified as “high-risk”, requiring stringent data governance, auditability and human oversight. “Human control” deserves special attention here. The rules require constant human attention and a separate mechanical check in the field of fintech, because such a high-risk object can only be accounted for after a human assessment.

Agentic AI in payments

A notable trend in 2026 is the rise of Agentic AI: autonomous systems capable of completing end-to-end workflows, such as reconciling transactions or pre-screening loan applications, without human intervention. While highly efficient, these systems must now demonstrate “explainability”.

CySEC has indicated that it will not accept “black box” algorithms; firms must be able to demonstrate exactly why an AI-driven system approved or rejected a specific action. This means that each company first creates internal local acts that are adopted in full compliance with the required legislation, and then it trains the AI system on them.

Digital identity and the EUDI Wallet

By 2026, the roll-out of a national eID system in Cyprus is transforming onboarding processes for fintechs. This framework enables secure digital authentication and electronic signatures. European regulations are linking identity and wallets, especially through the EU Digital Identity Wallet (EUDI Wallet), which reduces the reliance on manual document collection and simplifies Know Your Customer (KYC) procedures.

For the first time, the simplification of the KYC system does not come at the cost of verification quality. That is, at this stage, digital technologies have made KYC verification easier for the end customer while keeping it the same in quality for the operator and meeting all the requirements of the regulator.

Strategic opportunity: the Cyprus EU Presidency

As Cyprus takes the helm of the EU Presidency for the first half of 2026, it is positioned as an influential voice in shaping the next phase of digital market regulation. The jurisdiction is focused on enhancing EU competitiveness by advocating for the simplification of digital rules and boosting legal certainty. This is the point of a new market development. Cyprus is becoming a real “digital hub” for the entire European Union.

Advancing the FiDA framework

Under the Cypriot presidency, there is a renewed push to finalise the Financial Data Access (FiDA) framework. FiDA aims to extend the principles of “open banking” to “open finance”, allowing consumers to share their investment, insurance and pension data with trusted third parties.

Cyprus is championing a balanced approach that encourages innovation while rejecting exclusionary market restrictions that could raise costs for Europeans. New rules, but compensatory actions within the framework of law enforcement – this is the new policy of Cyprus in the field of fintech.

Digital euro and the payments revolution

While the digital euro project is in its preparation phase, 2026 is a critical year for legislative progress. If EU law-makers adopt the regulation in 2026, a digital euro could ensure that central bank money remains available in an increasingly digital economy. In Cyprus, the share of e-commerce payments increased significantly to roughly 26% by 2024, highlighting the speed at which digital payments have become part of everyday life.

Real-time expectations and AI-driven risk

Instant payments are becoming the standard, but faster payments need stronger protection. In 2026, AI-powered fraud detection and behavioural analysis have become essential as instant transactions increase. Merchants and platforms must offer choice and flexibility, with the ability to switch easily between cards, account-to-account (A2A) payments, wallets or tokens being key for success.

Investment funds: the rise of tokenisation

Advances in technology and data are transforming the investment industry in 2026. Innovation in crypto-assets and tokenisation is bridging the gap between traditional finance (TradFi) and decentralised finance (DeFi), creating more investible opportunities for both institutional and retail investors.

Cyprus is evolving its fund framework to reflect these market demands, particularly through the Registered Alternative Investment Fund (RAIF) model. These funds are leveraging large language models and advanced machine learning to synthesise information at scale and build portfolio simulations more efficiently.

AML and transparency: DAC8 and CARF

The implementation of DAC8 and the Crypto-Asset Reporting Framework (CARF) took effect on 1 January 2026. These frameworks expand the scope of automatic exchange of information to include crypto-assets and e-money transactions. Reporting crypto-asset service providers are now required to disclose information on transactions and transfers, aligning Cyprus with international tax compliance and transparency standards.

Conclusion: a hub built on credibility

The fintech sector in Cyprus has successfully transitioned from an era of experimentation to one of regulated scale. The combination of a clear 8% crypto tax, the full implementation of MiCA and DORA, and a proactive regulatory stance during its EU Presidency has solidified the Republic’s status as a top-tier European hub.

For firms looking to scale across the EU, Cyprus offers a unique blend of tax efficiency, regulatory predictability and strategic access to the European Single Market. By easing the way for entities that have long been in the Cyprus market, introducing new rules for future market participants and retaining the right to a “compensatory approach”, Cyprus is becoming an increasingly attractive country for the development of the fintech industry.
