Detailed overview
AI in Cyprus is regulated by the EU AI Act, and Cyprus has a national AI strategy. The EU AI Act applies directly in Cyprus and creates binding obligations for AI providers, deployers, importers, distributors and other regulated operators.
The Council of Ministers approved Cyprus's National Strategy for Artificial Intelligence on 27 January 2020. The strategy was prepared by the Department of Electronic Communications with an expert AI team and was based on the EU Coordinated Plan on AI, stakeholder questionnaires, meetings, consultations and public consultation with the Cypriot digital ecosystem, including businesses, academics, startups, research centres and the public sector.
Cyprus's national AI strategy is a strategic policy framework rather than a separate AI Act. Binding AI obligations come mainly from the EU AI Act, GDPR, cybersecurity law, public-sector digital rules, employment law, consumer protection, healthcare regulation, financial regulation and other sector-specific rules.
Under the EU AI Act, prohibited AI practices are banned. High-risk AI systems must comply with requirements such as risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, cybersecurity, conformity assessment and post-market monitoring. High-risk use cases may include employment, education, public services, credit, insurance, biometric identification, critical infrastructure, law enforcement, migration, justice and healthcare-related systems where the AI Act applies.
AI systems involving personal data must comply with GDPR. This is particularly relevant for AI used in public services, digital identity, healthcare, employment, education, financial services, customer profiling or biometric processing.
Penalties follow the EU AI Act. Breaches of the prohibited AI rules may be fined up to EUR 35 million or 7% of worldwide annual turnover. Other major AI Act breaches may be fined up to EUR 15 million or 3%, and supplying misleading information to authorities may be fined up to EUR 7.5 million or 1%.
Practical requirements & details
Sourced from Regulation (EU) 2024/1689 (the EU AI Act) and Cyprus's National Strategy for Artificial Intelligence (approved 27 January 2020).
EU AI Act direct application
- Binding obligations for AI providers, deployers, importers, distributors and other regulated operators.
Cyprus National AI Strategy
- Approved 27 January 2020 by the Council of Ministers.
- Prepared by the Department of Electronic Communications with an expert AI team.
- Based on the EU Coordinated Plan on AI, stakeholder questionnaires, meetings, consultations and public consultation with the Cypriot digital ecosystem.
Strategy nature
- Strategic policy framework, not a separate AI Act.
- Binding AI obligations come from the EU AI Act, GDPR, cybersecurity law, public-sector digital rules, employment law, consumer protection, healthcare regulation, financial regulation and other sector-specific rules.
High-risk AI compliance
- Risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, cybersecurity, conformity assessment and post-market monitoring.
High-risk use cases
- Employment, education, public services, credit, insurance, biometric identification, critical infrastructure, law enforcement, migration, justice and healthcare-related systems.
GDPR overlay
- Particularly relevant for public services, digital identity, healthcare, employment, education, financial services, customer profiling or biometric processing.
Penalties
- EUR 35 million or 7% of worldwide annual turnover — breaches of prohibited AI rules.
- EUR 15 million or 3% of worldwide annual turnover — breaches of many other AI Act operator obligations.
- EUR 7.5 million or 1% of worldwide annual turnover — supplying incorrect, incomplete or misleading information to authorities.
Related entries
See also the European Union entry, which covers the EU AI Act (Regulation (EU) 2024/1689) — the substantive framework that this jurisdiction implements and supervises domestically.