12 March 2026 Update - The transposition of the CER Directive in Cyprus
Under the Directive (EU) 2022/2557, all Member States were required to adopt and publish national transposition measures by 17 October 2024, with the national provisions applying from 18 October 2024. Cyprus did not meet the transposition deadline, and the legislative process continued after the initiation of infringement proceedings.
By 2025 and early 2026, the national legislative framework intended to implement the Directive had advanced significantly within the Cypriot legal system. The draft legislation prepared by the government demonstrates a clear intention to align national law with the substantive and institutional requirements established by Directive (EU) 2022/2557. In particular, the proposed framework incorporates the Directive’s central concepts of resilience planning, risk assessment, incident reporting, and supervisory oversight.
Within the legal order of Cyprus, the implementation of the Directive has been approached through the development of a dedicated legislative framework. Cyprus had previously adopted legal instruments and administrative mechanisms addressing the protection of critical infrastructure, including structures associated with civil defence, national security coordination, and crisis management. However, these mechanisms were primarily oriented toward traditional infrastructure protection and emergency response. The adoption of Directive (EU) 2022/2557 required Cyprus to expand and restructure its legal and institutional framework in order to accommodate the Directive’s broader concept of systemic resilience.
In response to this requirement, the Cypriot government prepared and introduced draft legislation intended to transpose the Directive into national law. The proposed legislative instrument establishes a comprehensive framework governing the identification, supervision, and resilience obligations of entities considered critical for the provision of essential services. The legislation also creates mechanisms for coordination among competent national authorities responsible for infrastructure protection, security policy, and sectoral regulation. In this respect, the Cypriot approach reflects the Directive’s emphasis on integrated governance structures capable of addressing complex and interdependent risks affecting critical sectors.
The legislative framework proposed for Cyprus is structured around several key elements corresponding to the requirements of the Directive. It establishes a national policy framework for enhancing the resilience of critical entities. This policy framework is expected to be implemented through a national strategy designed to identify priority risks and outline measures aimed at strengthening the resilience of essential services. The strategy is intended to serve as a central instrument guiding the activities of public authorities and private operators responsible for infrastructure systems whose disruption could have significant societal consequences.
The Cypriot transposition framework provides for the conduct of national risk assessments addressing threats and vulnerabilities affecting essential services. These assessments are intended to evaluate both natural and human induced hazards, including natural disasters, technological failures, cyber incidents, sabotage, and other hybrid threats. The results of the national risk assessments are expected to inform both governmental policy decisions and the resilience planning obligations imposed on critical entities themselves.
The legislation introduces procedures for the identification and designation of critical entities operating within the sectors covered by the Directive. These sectors include energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. Once designated as critical entities, the relevant organizations become subject to a series of statutory obligations intended to enhance their operational resilience. These obligations include the performance of internal risk assessments, the adoption of appropriate technical and organizational measures to mitigate identified risks, and the reporting of incidents that significantly disrupt the provision of essential services.
The Cypriot framework establishes supervisory mechanisms designed to ensure effective compliance with resilience obligations. Competent national authorities are empowered to monitor the implementation of resilience measures by critical entities, conduct inspections, and require corrective actions where deficiencies are identified. The legislation also provides for administrative sanctions in cases where entities fail to comply with their legal obligations. These supervisory powers reflect the Directive’s requirement that Member States establish enforcement mechanisms capable of ensuring that resilience measures are implemented effectively rather than remaining merely declaratory.
Another important feature of the Cypriot implementation is the integration of resilience policy with the broader national cybersecurity framework. Directive (EU) 2022/2557 forms part of a legislative package that also includes Directive (EU) 2022/2555, commonly known as the NIS2 Directive. The NIS2 Directive focuses primarily on cybersecurity risks affecting essential and important entities, while the CER Directive addresses the physical and operational resilience of those entities. In Cyprus, the implementation of these two instruments has been approached in a coordinated manner in order to ensure that physical infrastructure protection and cybersecurity governance are aligned within a coherent regulatory framework.
The Cypriot transposition illustrates the broader transformation occurring within European infrastructure governance. The earlier model of critical infrastructure protection was primarily concerned with the physical security of specific installations. The CER Directive, and the legislation implementing it in Cyprus, instead focus on ensuring the continuity of essential services and managing the systemic interdependencies that characterize modern infrastructure systems. This resilience oriented approach reflects the recognition that disruptions affecting one sector may rapidly propagate across other sectors, particularly in highly interconnected digital and energy systems.
As of March 2026, the Republic of Cyprus has moved significantly toward aligning its national legal order with the requirements of Directive (EU) 2022/2557. Nevertheless, the fact that the legislative process extended beyond the original transposition deadline means that Cyprus cannot be considered to have implemented the Directive within the timeframe mandated by Union law. The Cypriot transposition must therefore be characterized as a delayed but progressing implementation process aimed at integrating the Directive’s resilience framework into the national legal system.