What is AI regulation in Cyprus?
Cyprus has no dedicated national AI statute. Because Cyprus is an EU member state, the AI rules that bind organisations there are the EU AI Act (Regulation 2024/1689), which is directly applicable, and the GDPR as supplemented by national Law 125(I)/2018. In January 2025 Cyprus designated its AI Act authorities: the Commissioner of Communications is the notifying and main market surveillance authority and single point of contact, while the Deputy Ministry of Research, Innovation and Digital Policy coordinates nationally.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no standalone "Cyprus AI law". Instead, AI in Cyprus is governed by directly applicable EU law plus existing national rules on data protection, consumer protection, product safety and civil liability. The centrepiece is the EU AI Act, a regulation that applies in Cyprus automatically without needing a national transposing statute. Cyprus has also had a National Artificial Intelligence Strategy since January 2020, when the Council of Ministers approved it, but that is policy rather than binding law.
What Cyprus does have to do nationally is name the authorities that supervise and enforce the AI Act, and provide for penalties and procedures. It did the first part in January 2025. The second part, national implementing measures setting out the penalty regime and procedural detail, is still being prepared as of mid-2026.
For day-to-day governance, the most mature and actively enforced rules in Cyprus remain data protection: the GDPR and Law 125(I)/2018, supervised by the Commissioner for Personal Data Protection. Because almost every AI system processes personal data, that regime already shapes how AI can be built and deployed on the island.
Why it matters
For founders, operators and governance leads, the practical point is that AI compliance in Cyprus is mostly EU compliance. If you place an AI system on the market or put it into service in Cyprus, or your system's output is used in Cyprus, the EU AI Act's risk tiers and the GDPR apply to you regardless of whether Cyprus passes its own AI law. The penalties are significant: up to 35 million euros or 7 percent of worldwide annual turnover for breaching the AI Act's prohibitions, and up to 20 million euros or 4 percent of turnover for serious GDPR breaches. Knowing which Cyprus authority supervises which type of system tells you who can inspect you, who receives complaints about you, and who can order a system withdrawn from the market.
How it works
The EU AI Act is the operative law
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024 and applies in Cyprus as directly applicable EU law. Because it is a regulation, not a directive, it binds in its entirety without a national transposing statute. It takes a risk-based approach, sorting AI systems into unacceptable risk (banned), high risk (strict obligations such as risk management, data governance, human oversight, technical documentation and post-market monitoring), limited risk (transparency duties, for example telling users they are dealing with a chatbot or labelling AI-generated content), and minimal risk (no mandatory obligations). Its duties phase in: prohibitions and AI literacy duties applied from 2 February 2025; general-purpose AI model rules, governance and penalties from 2 August 2025; and the bulk of the high-risk obligations from 2 August 2026, though the EU has proposed (through its Digital Omnibus package) deferring some high-risk obligations beyond that date, so the exact timing is not settled.
Cyprus designated its competent authorities in January 2025
By a Council of Ministers decision dated 22 January 2025, Cyprus designated its national competent authorities under Article 70 of the AI Act. The Deputy Ministry of Research, Innovation and Digital Policy is responsible for overall coordination of AI Act implementation and represents Cyprus on the European Artificial Intelligence Board. The Commissioner of Communications, that is the Office of the Commissioner of Electronic Communications and Postal Regulation, was designated as the notifying authority and a market surveillance authority, and acts as the national single point of contact. Cyprus has opted for a broadly centralised governance model built around that office.
The data protection regulator shares market surveillance
The Commissioner for Personal Data Protection is also designated as a market surveillance authority for high-risk systems in Annex III point 1 (in so far as those systems are used for law-enforcement purposes), for high-risk systems in points 6, 7 and 8 of Annex III, and for prohibited systems under Article 5 within her areas of competence. This split reflects Article 74(8) of the AI Act, which requires the data protection supervisory authority to act as the market surveillance authority for sensitive areas such as law enforcement, migration, justice and biometrics.
Fundamental rights authorities under Article 77
Cyprus has notified the European Commission of three public authorities responsible for protecting fundamental rights in relation to high-risk AI under Article 77: the Commissioner for Personal Data Protection, the Commissioner for Administration and the Protection of Human Rights (the Ombudsman), and the Attorney-General of the Republic. These bodies can request documentation needed to protect fundamental rights.
GDPR and Law 125(I)/2018
The GDPR has applied in Cyprus since 25 May 2018, and national Law 125(I)/2018 (the Law Providing for the Protection of Natural Persons with regard to the Processing of Personal Data) entered into force on 31 July 2018, exercising national options the GDPR leaves to member states. For example, it sets the age of digital consent for information society services at 14, and prohibits processing genetic and biometric data for health and life insurance unless the data subject consents. The Commissioner for Personal Data Protection is the independent supervisory authority, with investigative, corrective and fining powers under Article 58 of the GDPR. This regime is actively enforced: the Commissioner reported total fines of about 1.7 million euros over the first seven years of the GDPR.
Conformity assessment and accreditation
The notifying authority oversees the bodies that carry out third-party conformity assessment for high-risk AI. The Cyprus Organisation for the Promotion of Quality acts as the national accreditation body for assessment bodies under the AI Act.
Examples
A recruitment software vendor selling a CV-ranking tool to Cyprus employers is operating a high-risk system under the AI Act. From the point the high-risk obligations apply (originally 2 August 2026, though the EU has proposed deferring some of them, so the date may move) it must meet the provider obligations: risk management, data governance, technical documentation, logging, human oversight and a conformity assessment before placing the system on the market. Because the tool processes candidate data, the GDPR and Law 125(I)/2018 also apply. The Commissioner has shown it will act against unlawful automated processing of staff data: in the "Bradford Factor" case it fined LGS Handling Ltd 70,000 euros for using that automated sick-leave scoring tool, which it found to be a disproportionate and unlawful form of profiling, with related fines bringing the total above 82,000 euros.
A bank in Cyprus deploying an AI credit-scoring or anti-money-laundering model is both an AI Act deployer and a GDPR controller. It must run the system lawfully, keep records, and be ready for inspection. The Commissioner of Communications is the general market surveillance authority that can demand technical documentation and order corrective measures, while data protection aspects sit with the Commissioner for Personal Data Protection.
The Cypriot government itself deploys AI: the gov.cy "Digital Assistant", launched on 18 December 2024, is described as the first generative AI application in the Cypriot public sector. Initially a pilot limited to Social Insurance Services queries, it was built on Microsoft Azure OpenAI technology and implemented in accordance with Microsoft's Responsible AI Standard, and is positioned as informational only. It illustrates the kind of public-sector deployment that the AI Act's transparency duties touch.
Common misunderstandings
"Cyprus has its own AI law." It does not. AI is governed by the directly applicable EU AI Act plus existing national laws (data protection, consumer, product safety, civil and criminal liability). The 2020 National AI Strategy is policy, not binding law.
"Nothing applies until 2026." Wrong. The AI Act's prohibitions and AI literacy duties have applied since February 2025, and general-purpose AI model and governance rules since August 2025. Most high-risk obligations were set to apply from August 2026, though a proposed EU deferral may push some later.
"There is no AI regulator in Cyprus." Cyprus designated its authorities in January 2025. The Commissioner of Communications is the main market surveillance authority and single point of contact, with the Commissioner for Personal Data Protection sharing market surveillance for sensitive areas.
"The AI Act needs to be passed by the Cyprus parliament to take effect." No. As an EU regulation it applies automatically. National measures are needed only to set the penalty regime and procedural detail, not to give the Act legal force.
"Data protection and AI rules are separate worlds." In practice they overlap heavily, because most AI systems process personal data, so GDPR and Law 125(I)/2018 obligations run alongside AI Act duties.
Risks and boundaries
Several things are still uncertain or pending and should be stated plainly. Cyprus has not yet enacted national implementing measures setting out the detailed AI Act penalty regime and administrative procedures; these are expected through further legislation. The exact scope of national market surveillance practice will become clearer as the high-risk obligations take effect (set for August 2026, though a proposed EU deferral may move some of them), and a national AI regulatory sandbox is expected. The National AI Strategy dates from January 2020 and Cyprus is planning to revise it, with a National AI Taskforce formed in January 2025 to help shape the new strategy. Cyprus has not separately signed the Council of Europe Framework Convention on Artificial Intelligence; for matters within EU competence, the EU signed on behalf of member states. This article explains the framework and is not legal advice; for a specific system, classification under the AI Act and the GDPR should be assessed case by case.
What to do next
Treat AI compliance in Cyprus as EU compliance. First, inventory your AI systems and classify each under the AI Act risk tiers; confirm whether you are a provider, deployer, importer or distributor. Second, check the prohibitions, which are already in force, and confirm you run nothing banned. Third, map the personal data your AI processes and align with the GDPR and Law 125(I)/2018, including lawful basis, transparency and any data protection impact assessment. Fourth, identify your supervisor: the Commissioner of Communications for general market surveillance and as single point of contact, the Commissioner for Personal Data Protection for data protection and the sensitive Annex III areas. Fifth, build the high-risk evidence pack (risk management, data governance, documentation, human oversight, post-market monitoring) ahead of the high-risk application date (set for August 2026, subject to a proposed EU deferral). Watch for Cyprus national implementing measures on penalties and for the national AI regulatory sandbox.
FAQs
Does Cyprus have a dedicated AI law?
No. There is no standalone Cyprus AI statute. AI is governed by the directly applicable EU AI Act plus national laws on data protection, consumer protection, product safety and liability, and a 2020 National AI Strategy that is policy rather than law.
Who regulates AI in Cyprus?
The Commissioner of Communications is the notifying authority, a market surveillance authority and the national single point of contact. The Commissioner for Personal Data Protection shares market surveillance for sensitive areas. The Deputy Ministry of Research, Innovation and Digital Policy coordinates nationally.
When did Cyprus designate its AI Act authorities?
By a Council of Ministers decision dated 22 January 2025, fulfilling Article 70 of the AI Act, which required member states to designate competent authorities by 2 August 2025.
Is the EU AI Act already in force in Cyprus?
Yes. It entered into force on 1 August 2024 and applies directly. Prohibitions applied from February 2025, general-purpose AI and governance rules from August 2025, and most high-risk obligations from August 2026, subject to a proposed EU deferral of some of them.
What national data protection law applies to AI in Cyprus?
The GDPR, supplemented by Law 125(I)/2018, supervised by the Commissioner for Personal Data Protection. Because AI systems process personal data, this regime applies alongside the AI Act.
What are the penalties for breaching the AI Act?
Up to 35 million euros or 7 percent of worldwide annual turnover for prohibited practices; up to 15 million euros or 3 percent for many high-risk breaches; and up to 7.5 million euros or 1 percent for supplying incorrect information, with lower caps for SMEs.
Has Cyprus signed the Council of Europe AI Convention?
Cyprus has not separately signed the Council of Europe Framework Convention on Artificial Intelligence. For matters within EU competence, the European Union signed on behalf of member states.
