Cybersecurity in Cyprus – Safe and Sound

We live in a hyper-connected world and, whether we like it or not, we are all part of it. Given the rise of artificial intelligence, quantum computing and robotics, cybersecurity is no longer just an industry buzzword but a critical necessity.

Gone are the days when digital security was an afterthought or a concern only for the largest enterprises. The landscape has dramatically shifted, making cybersecurity a paramount issue for everyone, from individuals to multinational corporations. We now live in an era where the digital and physical worlds are intertwined. Cyber threats have evolved – becoming more sophisticated and pervasive, targeting anyone with valuable data and/or critical infrastructure – and are increasingly leading to cyber-physical impacts. We have grown used to hearing stories on the news about new breaches, sophisticated ransomware attacks and data leaks that compromise an individual’s right to privacy, corporate financial stability secrets and national security. As we reflect on the past year, it is clear that the stakes have never been higher.

Established in April 2018, under the Commissioner of Communications, the Digital Security Authority (DSA) is an independent government agency that plays a pivotal role in national cybersecurity. Beyond our current responsibilities for the implementation of the NIS (Network and Information Security) Directive in Cyprus, the DSA is also responsible for the implementation of the new NIS2 Directive, with a significantly expanded scope (from 7 to 18 sectors and dozens of entity types), stronger cybersecurity requirements and accountability straight to the highest level of each supervised entity.

Keeping to our ideal of “Think Big, Start Small, Scale Fast,” our efforts to maintain and upgrade the cybersecurity levels of all essential operators and critical infrastructures in the country have been fruitful. A few months ago, for example, we published a toolkit of policies/methodologies that act as guidelines and assist critical entities in meeting their legal obligations and responsibilities for the implementation of the National Cybersecurity Framework. This toolkit is not exclusively for use by critical entities but is open to the public and can be used by any organisation to enhance its cybersecurity. To further our aims, we have also developed a “Capability Maturity Assessment and Audit Framework” that will assess the cybersecurity readiness level of all supervised entities via a network of certified cybersecurity auditors. The first maturity audits are expected to take place within the current year.

We anticipate several challenges to the successful implementation of our targets and, beyond the massively enlarged scope of the NIS2 Directive, we must be in a position to understand the specificities of the different sectors involved, as well as develop methods to handle the wide diversity in the cybersecurity maturity levels of critical entities within them. Capacity building will also prove to be a major challenge, not only for critical entities but also for other significant businesses and SMEs, especially given the limited resources that we are all facing. Finally, and perhaps most significantly, a powerful culture shift is needed in Cyprus as there is still a lack of cybersecurity understanding and appreciation at the highest levels of management.

The NIS2 Directive incorporates a holistic approach to cybersecurity. It emphasises continuous education and awareness at all levels of the workforce, recognising that human vulnerability is often the most critical risk factor. To this end, we significantly invest in the development of human resources, focusing on the reinforcement of cybersecurity skills. With our brand-new ICT Academy, covering an area of 600 sq. metres, including conference rooms, meeting rooms, labs and common areas, we are paving the way for Cyprus to become a regional hub for cybersecurity education and services. All our spaces are equipped with cutting-edge audio-visual technology and are fully accessible. Since December 2023, we have successfully hosted 104 events, attracting 3,010 participants from the EU and beyond. While still a new Academy, we have already managed to host and organise numerous prestigious events, such as our Stakeholders Meetings, and co-organise conferences with distinguished partners such as ENISA (European Union Agency for Cybersecurity) and the Deputy Ministry of Research, Innovation and Digital Policy, European meetings on Artificial Intelligence, upskilling and reskilling programmes and more. We plan to enhance our Academy with VR and/or Mixed Reality equipment, ensuring that our professionals are adept at the latest advancements, while making our training more interactive. Among other functions, our Academy will be privileged to host European Cyber Security Competence Centre Governing Board events in 2025 and EU Presidency events in 2026. Looking ahead, we aim to host up to 150 events per year, broadening our reach and impact, as well as developing an online Academy platform. Our mission is to continually support the upskilling and professional development of ICT professionals, ensuring that our sector remains robust and innovative.

One of the aims of the ICT Academy is to provide access to awareness and training to the whole of society to increase the number of cybersecurity-aware citizens. It is in line with the scope and mission of our National Coordination Centre (NCC-CY), which was launched by the DSA in mid-June. The NCC-CY, among others, will create and establish the National Cybersecurity Community, promote, assist and encourage local stakeholders to participate in new DEP (Digital Europe Programmes) and HEP (Horizon Europe Programme) calls, provide funding to SMEs to invest in cybersecurity, develop (where applicable) certification schemes, organise bilateral initiatives and take initiatives for awareness and training. Since 2023, when the NCC-CY announced its 1st funding scheme with a €1 million budget, it has registered more than 60 members of its National Community and has taken numerous initiatives towards spreading cybersecurity awareness in Cyprus.

Moreover, to contribute to strengthening systems, products and services and ensuring that they meet certain assurance levels, the DSA has set up the National Cybersecurity Certification Authority (NCCA) in alignment with the EU Cybersecurity Act. The NCCA is tasked with implementing and overseeing new cybersecurity certification schemes for products and services, including cloud services and 5G technologies. Any company in the world can use the NCCA to certify its products and services, obtaining a certification, which is recognised across the EU. The outcome of these efforts is the promotion of Cyprus as a regional hub for cybersecurity services.

Regarding the protection of systems and infrastructure in critical entities against cyber-attacks, our CSIRT (Computer Security Incident Response Team) has been in operation since 2018, offering a range of reactive and proactive services to its constituents, complementing well the capacity-building and legislative efforts that the DSA is engaged in. As of 2024, it operates on a 24/7 basis, incorporating the National Security Operations Centre (SOC) in newly built state-of-the-art facilities. Both SOC and CSIRT support critical entities through a sophisticated network of 35 sensors, in both the public and private sectors, with many more to be added in the near future.

We are constantly building and evolving but we recognise that we still have a long way to go as the cyber-threat landscape is ever-evolving. In light of this, by the end of Q1 2025, we will have recruited 24 more permanent staff to fortify the Republic against the ever-increasing tide of sophisticated cyber threats. However, we understand that we are only one of the cogs in the machine – cybersecurity is a shared responsibility and we will never stop emphasising that we are only stronger together. By staying informed and vigilant, we can build a more secure digital future for everyone.

By George Michaelides, Commissioner of Communications

(This article first appeared in the July issue of GOLD magazine. Click here to view it)

Read More

Navigating Logistics Challenges: Why Choosing the Right Partner is a Key to Success.
Curiosity and Diversity: The Pillars of Workplace Innovation
Navigating the Final Phase of NIS2 Directive Compliance
The far-reaching impact of the New EU's Corporate Sustainability Due Diligence Directive (CSDDD)
Cyprus Tax Stimuli for Relocating Persons and High Net-Worth Individuals
Navigating the Future of Telecommunications: Key Trends and Strategies
Wills: When Should They be Drawn Up and What Are Some Potential Complications?
Tax Reform for a Prosperous and Equitable Future
ICT Providers in the Time of DORA
Tax Planning for High Net Worth Individuals: The Case for Cyprus