Technology companies registered or operating in Cyprus faced a material shift in their compliance obligations when Cyprus fully transposed the EU Digital Services Act into national law. The implementing legislation entered into force on 17 February 2025, placing new duties on a range of digital service providers – from online marketplaces and app stores to hosting platforms and search engines. Companies that have not yet mapped these obligations against their operations are already at risk of regulatory action by the Επίτροπος Επικοινωνιών (Commissioner of Electronic Communications and Postal Regulations). The designated national Digital Services Coordinator for Cyprus.
Cyprus has implemented the EU Digital Services Act through national transposition legislation that took effect on 17 February 2025. The rules apply to all intermediary service providers offering digital services to users located in Cyprus, with stricter obligations for larger platforms. Companies operating without updated terms, content moderation procedures, and algorithmic accountability mechanisms face enforcement referrals and administrative fines under Cyprus technology legislation.
This alert explains which business categories are caught, the applicable thresholds, the key compliance deadline, and the immediate steps that international companies should take now.
What changed and when it took effect
The EU Digital Services Act is directly applicable EU regulation. However, Cyprus adopted supplementary national measures in early 2025 to designate enforcement bodies, establish national complaint-handling channels, and set local procedural rules. These measures became operative on 17 February 2025.
The core change is the introduction of a layered obligation system for digital services. All intermediary service providers must now maintain transparent terms of service, cooperate with court orders and administrative requests within defined timeframes, and publish basic transparency reports. Hosting providers face additional duties around notice-and-action procedures. Online platforms must provide users with clear internal complaint mechanisms. The largest platforms – those exceeding the very large online platform threshold set by EU digital services rules – face the most demanding requirements, including independent audits and algorithmic accountability disclosures.
A parallel development affects AI Act compliance for companies deploying AI systems within their digital services. The first AI Act obligations for providers of prohibited-use AI systems took effect in February 2025 across all EU member states, including Cyprus. This means technology companies operating in Cyprus must now assess their AI-powered features against both the digital services rules and the EU AI regulation simultaneously. Failure to do so creates compound exposure under two distinct legislative regimes.
Software liability under Cyprus technology legislation has also shifted. Providers can no longer rely solely on neutral-conduit defences if they have actual knowledge of illegal content and fail to act promptly. The window for acting on valid takedown notices has been shortened under the national implementing measures.
For companies holding or applying for technology licensing in Cyprus. including those operating under the Cyprus Securities and Exchange Commission's fintech licensing regime or the electronic communications licensing system. the new digital services rules interact directly with licence conditions. Regulators have signalled that licence reviews will incorporate digital services compliance assessments from mid-2025 onward.
To understand how these obligations interact with intellectual property protection obligations for technology companies in Cyprus, see our analysis of intellectual property law in Cyprus.
Who is affected: thresholds and business categories
The rules apply to any intermediary service provider that offers services to recipients located in Cyprus, regardless of where the company is established. This creates broad reach for international businesses.
The affected categories include:
- Hosting service providers storing and serving user-generated content
- Online marketplaces connecting buyers and sellers of goods or services
- App stores distributing third-party software applications
- Search engines indexing and returning results to Cyprus-based users
- Social media and content-sharing platforms with Cyprus user bases
The intensity of obligations depends on scale. Providers with fewer than 50 employees and an annual turnover below EUR 10 million qualify as micro or small enterprises and benefit from lighter-touch requirements under EU digital services legislation. They are exempt from several procedural obligations but must still maintain basic terms transparency and comply with takedown procedures.
Medium and large providers face the full suite of obligations. Very large online platforms – those with more than 45 million average monthly active users in the EU – are subject to the most demanding layer. This includes mandatory risk assessments. Independent audits, and enhanced algorithmic accountability reporting. The European Commission has direct enforcement powers over very large platforms, but the Cypriot coordinator retains jurisdiction over compliance by smaller providers.
The critical compliance deadline for medium and large providers to complete their internal audits, update their terms of service, and implement complaint-handling systems was 31 March 2025. Companies that missed this date should treat remediation as an immediate priority.
For a detailed overview of how digital services law intersects with AI regulation for companies active in Cyprus, our team's full analysis is available at AI and technology law services in Cyprus.
To receive an expert assessment of your company's digital services compliance position in Cyprus, contact us at info@ferrazwhitmore.com.
Immediate actions for international companies
Companies operating digital services accessible to users in Cyprus should take the following steps without delay.
1. Map your service category and threshold status. Identify whether your services fall within the scope of Cyprus's implementing measures. Determine whether you qualify as a micro, small, medium, or large provider. The threshold calculation uses EU-wide employee headcount and turnover figures – not Cyprus-specific numbers.
2. Audit your terms of service and transparency documents. Your terms must now disclose content moderation policies, the use of algorithmic recommendation systems, and user complaint procedures in plain language. Terms that pre-date February 2025 are almost certainly non-compliant.
3. Implement a notice-and-action procedure. Hosting providers must have a documented process for receiving, assessing, and acting on notices of illegal content. The procedure must include an internal appeals mechanism. Providers without this system in place face the highest near-term enforcement risk.
4. Assess AI-powered features for AI Act compliance. If your digital service incorporates recommendation algorithms, automated moderation, chatbots, or other AI-driven features, a separate AI Act compliance assessment is now required. Cyprus authorities are expected to begin coordinated enforcement of AI Act obligations alongside digital services rules from the second half of 2025.
5. Designate a legal representative in Cyprus if not established here. Providers without an EU establishment must designate a legal representative in a member state where they offer services. Cyprus is a valid designation point and can serve this function for providers active in Eastern Mediterranean markets.
A parallel alert covering how similar digital services obligations apply in Portugal is available for reference at digital services regulation in Portugal.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising technology companies, investors, and institutional clients across 46 jurisdictions. Our AI and technology law practice covers digital services regulation, AI Act compliance, algorithmic accountability, software liability, and technology licensing across EU and non-EU markets. We advise clients on regulatory strategy, compliance programme design, and enforcement defence before competent authorities in Cyprus and across the EU. Our team includes practitioners with experience advising on digital services matters before EU-level and national regulatory bodies. As an international law firm serving clients who need a lawyer in Cyprus with cross-border expertise, we combine Portuguese civil law understanding with English common law rigour to deliver practical, jurisdiction-specific advice. To discuss your company's obligations under Cyprus's digital services legislation, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.