Cyprus

The Stamp Duty Law (Law No. 19/1963) historically constituted a mechanism for the imposition of stamp duty on a wide range of documents in Cyprus. By virtue of Law No. 239(I)/2025, the Stamp Duty Laws were abolished as of 1 January 2026, with the result that new documents executed from 2026 onwards are no longer subject to stamp duty, while documents signed up to 31 December 2025 continue to be governed by the previous legal framework, pursuant to the applicable transitional provisions. Stamp duty was an indirect tax imposed on specific documents, enabling them to be regarded as fully valid and admissible for use before courts or public authorities. This obligation was regulated by the Stamp Duty Law (Law No. 19/1963), which underwent multiple amendments up to 2025. Payment of stamp duty was effected either through physical stamps or via electronic means, and failure to comply within the prescribed timeframes resulted in the imposition of penalties. For this reason, proper and timely stamping constituted a substantive prerequisite for the smooth use of documents in both private transactions and legal proceedings. A significant change occurred with the enactment of the Stamp Duty (Abolition) Law of 2025, pursuant to which the Stamp Duty Laws were repealed with effect from 1 January 2026. From that date onwards, documents and contracts executed or signed are no longer subject to stamp duty. Nevertheless, documents that were executed or signed up to 31 December 2025 remain subject to the provisions of the previous legislative framework, even where stamp duty had not been paid by that date. This transitional arrangement renders it necessary to review older agreements in order to determine whether any outstanding stamp duty obligations subsist. The abolition of stamp duty represents an important step towards simplifying administrative procedures and reducing transactional costs for both individuals and businesses. At the same time, it enhances flexibility in contractual arrangements and aligns the Cypriot legal system with modern practices aimed at facilitating business activity. Notwithstanding the abolition of stamp duty for new contracts, a proper understanding of the former regime remains important, particularly in cases involving older documents that continue to produce legal effects. It is important to note, however, that the abolition of stamp duty has not resulted in the abolition of court fees. The historical use of stamps as a means of paying court fees has caused a degree of confusion within the courts. As matters currently stand, court documents are still required to bear stamps as evidence of payment of court fees, which will continue to be used until existing stocks are exhausted. Court fees arise under the Court Fees Procedural Regulation (Cap. 546/1953) and relate to the fees payable for the use of judicial procedures, which were traditionally collected through stamp duty. In the meantime, a new method for the payment of court fees is being explored. Consequently, parties appearing before the courts should be aware that they will continue to be required to pay the prescribed fees applicable to the processing of their cases. In conclusion, the abolition of stamp duty marks a broader effort to simplify procedures and modernise the legal framework. Despite these changes, certain obligations remain in force, making proper awareness and adjustment essential.   Author: Myria Pornari, January 2026

The authorities of the Ministry of Foreign Affairs of the Republic of Cyprus have recently updated the “Assumption of Responsibility for Hosting” form used in visa applications submitted through Cyprus embassies and consulates abroad. This development is important for individuals in Cyprus who intend to host third-country nationals for short stays. What Is the Assumption of Responsibility Form? The Assumption of Responsibility for Hosting is a formal declaration completed by a host residing in Cyprus. By signing the form, the host undertakes responsibility for: The visitor’s accommodation during their stay Subsistence and living expenses Medical and emergency costs Ensuring the visitor departs Cyprus before the visa expires The form is typically required when a visa applicant states that they will be staying with family members or friends in Cyprus rather than in hotel accommodation. Where Is the New Form Used? The updated form is available through official Cyprus diplomatic missions abroad, including Cyprus embassies and consulates operating under the Ministry of Foreign Affairs. Applicants and hosts should ensure that they download and submit the most recent version of the form from the relevant embassy or consulate website handling the visa application. Important Procedural Requirements In most cases: The host’s signature must be certified by a competent authority in Cyprus (e.g., certifying officer). Supporting documentation may be required, such as proof of residence, copy of ID/passport, and evidence of financial capacity. The completed and certified form must accompany the visa application submitted abroad.   Failure to use the correct and updated version of the form may result in delays or requests for additional documentation.   Author: Valeria Azovidi, March 2026

In the digital age, cybersecurity breaches—commonly referred to as “hacking incidents”—have become increasingly disruptive, posing significant legal, financial, and reputational risks to organizations. These incidents can lead to unauthorized access to sensitive information, causing harm not only to the affected companies but also to individuals whose data may be compromised. It is therefore imperative for Cypriot companies to be well-informed about their responsibilities and to take prompt action to mitigate the consequences of such breaches. This article provides a concise overview of the key guidelines that should be followed in the event of a data breach. First and foremost, under the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as “the Regulation”) — organizations have clear legal obligations in the event of a personal data breach. Pursuant to Article 33 of the regulation, when a breach occurs, the Data Protection Officer (DPO), or another responsible person within the organization, must notify the Office of the Commissioner for Personal Data Protection without undue delay and, where feasible, no later than 72 (seventy – two) hours after becoming aware of the breach. This timely notification is critical to ensure appropriate regulatory oversight and to protect the rights of data subjects. It has to be noted that if such notification is not made within the 72-hour timeframe, the entity must provide a justified explanation for the delay. The notification must, inter alia, include the nature of the personal data breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its potential adverse effects. In reference to the above – mentioned according to article 34 of the regulation, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must also communicate the breach to the data subjects without undue delay, using clear and plain language to describe the nature of the breach. Furthermore, the hacking incident must be reported to the relevant police authorities without undue delay. Timely notification is essential to enable law enforcement to initiate appropriate investigative and protective actions, mitigate any ongoing or future threats, facilitate potential criminal proceedings, and uphold the rights and interests of the individuals whose personal data may have been compromised. While criminal prosecution is a vital aspect of addressing cybercrime, victims of such incidents may also seek civil remedies through the courts to obtain compensation and prevent further harm. In the aftermath of a cyber incident—such as hacking, data breaches, or unauthorized interference with servers—interim reliefs play a critical role in preserving evidence, protecting sensitive data, and preventing further harm. These remedies are granted by the court on an urgent and often ex parte (without notice) basis, particularly where the risk of irreparable damage or destruction of evidence exists. The most essential interim reliefs in such cases are inter alia the following: Prohibitory Injuctions: A prohibitory injunctionrestrains a party—typically the alleged hacker or a third party in possession of compromised data—from engaging in harmful conduct. In the context of cyber incidents, such injunctions may prohibit the continued unauthorized access to systems or databases, distribution, sale, or publication of stolen data as well as the communication or disclosure of confidential or sensitive information. These orders are often accompanied by ancillary reliefs, including requirements to preserve digital records or log user activity. Norwich Pharmacal orders: it is essential to state that Norwich Pharmacal Orders can be characterised as a very useful tool in such cases andare used to compel third parties (such as ISPs, hosting providers, or platforms) to disclose the identity of anonymous wrongdoers — for instance, the IP address or account information used in the hacking. Such orders are essential when the perpetrator's identity is unknown, allowing the victim to gather necessary information to initiate formal proceedings. When hackers are unknown, claimants often rely on Norwich Pharmacal orders to compel disclosure from third parties to trace the culprit before pursuing full civil or criminal actions. Mandatory Injuctions: Unlike prohibitory injunctions,mandatory injunctions compel a defendant to undertake specific actions. In cyber-related claims, courts may order the defendant to: Return or destroy unlawfully obtained data, disable accounts or services used to carry out the breach and Provide access credentials or assist in forensic investigations. Given their invasive nature, mandatory injunctions are generally granted only where the claimant can demonstrate an overwhelming need and the inadequacy of alternative remedies. In reference to the above – nentioned, Gagging orders(or non-disclosure injunctions) may be granted to: Prevent the media or other third parties from reporting on the incident, prohibit the publication or further dissemination of compromised data and protect the identity of affected individuals or parties under investigation. AnAnton Piller order is a powerful civil court injunction that permits the claimant to enter the defendant’s premises without prior warning to search for, inspect, and seize evidence relevant to the claim. In the context of hacking or illegal interference with computer systems, Anton Piller orders serve critical functions, including inter alia the following:  Seizing compromised data or stolen information and preventing the destruction or concealment of digital evidence since hackers or perpetrators may delete files, erase logs, or otherwise tamper with electronic data once they learn of legal action. It is essential to state that English case - law treats hacking incidents with increasing seriousness, recognizing them as significant violations of property rights and personal privacy under common law principles. Courts have consistently upheld that unauthorized access to computer systems constitutes a tortious wrong, often framed as trespass to chattels or misuse of private information. Additionally, English courts have demonstrated a strong willingness to grant robust interim remedies—such as injunctions and Anton Piller orders—to prevent ongoing harm and preserve crucial digital evidence. Through precedent, the judiciary emphasizes the need to protect both commercial interests and individual data privacy, balancing the rapid technological developments with established legal doctrines. This evolving body of case law reflects a proactive approach in addressing cybercrime within the civil justice system alongside parallel criminal prosecutions. In conclusion, addressing hacking incidents requires swift action, clear legal obligations, and effective remedies to protect data and prevent further damage. Legal systems are evolving to respond firmly to cyber threats, balancing the need for security with individual rights. Coordinated regulatory, criminal, and civil measures are essential to combat and mitigate the impact of cybercrime in today’s digital world.   Author: Myria Pornari, November 2025

The Cyprus Cabinet has approved a draft bill allowing law enforcement and intelligence services to intercept telephone communications under specified circumstances, with the aim of strengthening criminal investigations and tackle organised crime. Now awaiting parliamentary approval, the proposal has raised significant questions regarding the balance between national security and individual privacy, as well as its implications for constitutional and EU law. Why a New Law? Phone tapping and electronic surveillance in Cyprus are currently governed by the Protection of the Privacy of Private Communication (Interception of Conversations and Access to Recorded Content of Private Communication) Law (N. 92(I)/1996), as amended in 2020. While this framework was intended to provide safeguards and clear procedures, in practice it has proven insufficient as it has faced practical challenges, including technical limitations, ambiguous legal definitions, and procedural gaps, complicating lawful interceptions and exposing authorities to potential legal challenges. The Cabinet-approved draft law of 13 February 2026 seeks to address these issues by introducing clearer rules, stronger judicial oversight, and stricter obligations for telecom providers. It also broadens the constitutionally defined list of serious offences permitting communications interception and allows the Attorney General, in exceptional cases, to authorise such interception without judicial approval on national security grounds. These proposed changes raise important questions regarding their compatibility with the constitutional safeguards governing the secrecy of communications in Cyprus. Constitutional Considerations The Cyprus Constitution guarantees the secrecy of communications under Article 17, allowing interference only in narrowly defined circumstances, such as with a court order at the request of the Attorney General of Cyprus for national security or specific serious offenses like murder, trafficking, drug offenses, or corruption. Article 17(2) specifies that interception requires judicial authorisation and must be necessary for the security of the Republic or the prevention, investigation or prosecution of the serious criminal offences set out in the constitution. If the proposed bill seeks to expand or clarify the list of crimes subject to interception, such as terrorism, espionage, organised cybercrime, or other forms of organised crime, it may necessitate either constitutional clarification or amendment to ensure legality. The Supreme Court case Police v. Georghiades (1983) also underscores the constitutional limits on interception, holding that evidence obtained via secret recordings without proper authorization violates Articles 15 (right to private life) and 17 (right to confidentiality of correspondence) of the Constitution and is inadmissible in court. From a Cypriot criminal law perspective, the practical implications of the new bill lie primarily in the admissibility and evidential integrity of intercepted communications. Under established principles of Cyprus criminal procedure, unlawfully obtained evidence and particularly evidence obtained in breach of constitutional rights faces a serious risk of exclusion. The current uncertainty surrounding interception procedures has repeatedly exposed prosecutions to defence challenges, not on the merits of the case but on procedural and constitutional grounds. A clearer statutory framework, if tightly aligned with Article 17 of the Constitution, could enhance legal certainty by defining precise thresholds for authorization, standardising warrant content, and clarifying the role of investigators, prosecutors, and service providers in the interception chain. In this sense, the bill is as much a criminal procedure reform as it is a security measure. At the same time, the bill’s implementation will require careful calibration within the broader architecture of Cypriot criminal justice, particularly regarding prosecutorial discretion and judicial control. Interception orders are likely to become a focal point of pre-trial litigation, with defence counsel scrutinising necessity, proportionality, and scope at every stage. Cypriot Courts will therefore play a pivotal role not merely as authorising bodies, but as constitutional gatekeepers tasked with preventing routine or speculative surveillance. If interception powers expand beyond traditionally enumerated serious offences, courts may be called upon to develop stricter jurisprudential standards for justification, duration, and renewal of warrants. Ultimately, the success of the bill in Cyprus criminal law will depend less on its breadth and more on how rigorously judges enforce its safeguards in everyday criminal proceedings. The new amendment to the bill introduces two major changes: it broadens the list of serious offences for which the Attorney General can request the lifting of telecommunications secrecy, and it allows phone tapping without judicial approval in exceptional cases. Under this provision, the Attorney General could directly authorise intelligence or police agencies to monitor communications for state security reasons. This change would be enshrined in a proposed constitutional amendment, specifying that such interference is permissible with the Attorney General’s written approval when necessary to protect the Republic’s security and sovereignty. European Law Implications Any interception of communications must comply with European standards, notably Article 8 of the European Convention on Human Rights, which requires that interference with private communications be lawful, necessary, and proportionate in a democratic society. Such interference may be justified, for example, on grounds of national security, public safety, economic well-being, or the prevention of crime. Article 2(2)(d) of the GDPR excludes personal data processing by competent authorities for the prevention, investigation, and prosecution of criminal offences. Such processing falls under Directive (EU) 2016/680, which establishes principles of lawfulness, necessity, proportionality, data minimisation, and data subject rights, as transposed in Cyprus through Law 44(I)/2019. Landmark CJEU cases emphasise strict limits on personal data processing. In Valsts ieņēmumu dienests (C-175/20), the Court confirmed that the GDPR applied, as tax authorities are not competent authorities under Directive 2016/680. Data collection is allowed only to the extent that it is strictly necessary for a specific purpose, and any further use requires a clear legal basis under the GDPR. In VS v Inspektor (C-180/21), the Court held data collected for criminal investigations cannot be repurposed for other objectives without legal authorisation, and such processing must be necessary and proportionate under Directive 2016/680. Cyprus has transposed the ePrivacy Directive (Directive 2002/58/EC) through the Regulation of Electronic Communications and Postal Services Law of 2004 (Law 112(I)/2004). Under Article 99 of the Cypriot law, communications and related traffic data may not be intercepted without the consent of the users, except in cases provided by law and authorised by the Court. In line with Article 15(1) of the ePrivacy Directive, such restrictions are permitted where necessary, appropriate, and proportionate to safeguard national security, defence, public security, or to prevent, investigate, detect, and prosecute criminal offences or unauthorised use of electronic communications. Member States may also adopt data retention measures for a limited period where such measures are justified on these grounds. All such measures must comply with the general principles of the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights. The new bill should aim to implement these obligations by establishing clear procedural safeguards and restricting the scope and duration of interceptions. Balancing Security and Privacy While the draft bill seeks to address operational gaps in the existing framework, privacy protection, safeguarding of fundamental rights and constitutional conformity remain of pivotal importance. Key safeguards should include mandatory judicial authorisation, clearly defined limits on the scope, purpose, and duration of interceptions, strict rules governing access to, storage, and destruction of data, as well as obligations for telecom providers to ensure technical compliance and traceability. Nevertheless, privacy advocates caution that broadening interception powers, even with judicial oversight, risks eroding fundamental rights. European law requires any restriction on privacy to be necessary, proportionate, and transparent. The proposed bill highlights the ongoing tension between national security and the right to privacy, particularly where judicial oversight may be bypassed in exceptional circumstances. Two companion bills are being prepared to support the implementation of the new framework, incorporating safeguards to mitigate potential limitations on judicial oversight, with all three expected to be considered together once the legislative package is finalised. Ultimately, whether the new framework can achieve operational effectiveness without compromising fundamental rights will depend on the precise scope of crimes covered, the robustness of judicial oversight and the strict implementation of safeguards in practice. The proposed legislation represents a significant development in Cyprus surveillance law. While the bill aims to modernise interception procedures and address operational challenges, it also raises important constitutional and European law questions. As the bill moves to Parliament, the key challenge will be ensuring that any expansion of interception powers is accompanied by robust safeguards, effective judicial oversight, and strict compliance with European privacy standards. Co-authors: Filippos Neocleous – Associate Avgi Michael - Associate