Focus on: Regulatory and competition law developments in Cyprus
Antoniou McCollum & Co. LLCView firm profile
The past year has been a very productive one for the Cypriot competition authority, the Commission for the Protection of Competition (CPC). While Cyprus has yet to transpose Directive 2019/1 into its legal order, the CPC carried out a public consultation in 2020 on a draft bill intending to implement the said Directive. Provisions guaranteeing the necessary independence, resources and enforcement and fining powers for the CPC are envisaged in the draft bill. It is also expected that mutual assistance between the CPC and other national competition authorities will be enhanced as a result of the transposition of Directive 2019/1.
The Protection of Competition Law of 2008, L. 13(I)/2008, as amended (the Competition Law), is the statutory basis for the current manifestation of the CPC. The Competition Law mirrors Articles 101 and 102 TFEU, creating equivalent prohibitions in the national legal order, while also providing for the prohibition of abuses of relationships of economic dependence.
The CPC enacted a leniency and immunity programme in 2011, in the form of subsidiary legislation (the Leniency Programme). The objective of the Leniency Programme, which largely mirrors the European Commission’s equivalent scheme. A revised leniency framework intended to replace the Leniency Programme was placed in public consultation in 2020.
The CPC is also tasked with the control of concentrations between undertakings. The Control of Concentrations Between Undertakings Law of 2014, L. 83(I)/14 (the Merger Control Law), provides for the notification of mergers, acquisitions and joint ventures that meet the jurisdictional thresholds. Clearance of a concentration falling within the ambit of the Merger Control Law is required prior to its implementation. Amongst the thresholds under the Merger Control Law is the relatively low threshold of two undertakings concerned, taken together, achieving a turnover of at least €3.5m in Cyprus. This threshold often leads foreign-to-foreign transactions, which otherwise have little impact on the Cypriot market, to requiring clearance by the CPC prior to their implementation.
The tenacity in which the civil service of the CPC is pursuing investigations and dealing with cases over the past few years, under the leadership of the CPC’s Director, is producing tangible results. Illustratively, the CPC has been increasingly identifying abuses of a dominant position or a relationship of economic dependence, including cases that were re-investigated following annulments of the CPC’s membership.
Trade secrets law
With much delay, Cyprus has transposed Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.
Trade secret refers to information that:
- is secret in the sense that it is not generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question (as a body or in the precise configuration and assembly of its components)
- has commercial value because it is secret
- has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.
Acquiring a trade secret is considered lawful only if obtained in certain prescribed manners. Unlawfully acquiring a trade secret will be the result of the following actions:
- unauthorised access, stealing or copying of documents, objects, materials, substances or electronic files which are lawfully under the control of the trade secret holder
- any other conduct which, under the circumstances, is considered contrary to honest business practices.
Use or disclosure of the trade secret without the owner’s consent is unlawful if a person acquires the trade secret unlawfully.
Certain exceptions are provided under applicable legislation, such as the following:
- exercising the right to freedom of expression and information, including respect for the freedom and pluralism of the media
- revealing misconduct, wrongdoing or illegal activity, provided that it was to protect the general public interest
- disclosure by workers to their representatives (provided that such disclosure was necessary to carry out their function)
- protecting a legitimate interest recognised law.
As such, persons acting in the public interest will be safeguarded when disclosing a trade secret to reveal misconduct, wrongdoing or illegal activity. This safeguard is operative if the trade secret was acquired or passed to the whistle-blower through the use of illicit means such as the breach of law or contract. If no unlawful conduct takes place the disclosure of the trade secret is out of the scope of the trade secrets legislation and no safeguards are necessary.
Network and Information Security
Cyprus has now fully transposed Directive 2016/1148 on the security of network and information systems (the NIS Directive), through the Security of Networks and Information Systems Law of 2020 (the Cyprus NIS Law).
While the text of the NIS Directive has generally been transposed into the Cypriot legal order, the Cyprus NIS Law also specifically addresses network and information security requirements for electronic communication services provides (i.e. telecommunications operators).
The Cyprus NIS Law creates a framework for the security of network and information systems in all critical information infrastructures in Cyprus and enhances the island State’s existing capabilities of handling and responding to cyberattacks. The key purpose of the Cyprus NIS Law and its subsidiary legislation is to ensure that the Cypriot network infrastructure can respond to cyberattacks and other cybersecurity threats.
The Digital Security Authority (DSA) is designated by the Cyprus NIS Law as the competent supervisory authority for the enforcement of its provisions and the adoption of national cybersecurity strategies. The Cyprus NIS Law also entrusts the Cypriot computer-security incident response team (CSIRT-CY) with the responsibility of offering technical support and for monitoring, risk-handling, management and responding to cybersecurity incidents while participating in the CSIRTs network of the member states. CSIRT-CY is tasked with implementing proactive and reactive security services to reduce the risks of network information and cybersecurity incidents, as well as respond to such incidents.
Under the NIS Directive, EU Member states have to supervise the cybersecurity of critical market operators in their jurisdiction:
- Ex-ante supervision in critical sectors (energy, transport, water, health, digital infrastructure and finance sector)
- Ex-post supervision for critical digital service providers (online marketplaces, cloud and search engines)
The Cyprus NIS Law identifies the following types of operators and providers falling under its ambit:
- operators of essential services
- critical information infrastructure operators
- electronic communications providers
- digital services providers
Under the Cyprus NIS Law, critical infrastructure comprises the assets, systems or parts thereof within the territory of Cyprus, which are essential for the maintenance of operations of vital importance for society, health, security, the economic and social welfare of citizens and the interruption of operation or destruction of which would have a significant impact to the State, as a result of an inability of maintaining these operations.
Under the Cyprus NIS Law, the criteria for the identification of both operators of essential services as well as critical information infrastructure operators are for such operators to be:
- an entity provides a service that is essential for the maintenance of critical societal and/or economic activities
- the provision of that service depends on network and information systems; and
- an incident would have significant disruptive effects on the provision of that service.
While the NIS Directive introduces the obligation on essential services providers and digital service providers (providers of search engines, cloud computing services and online marketplaces) to take the appropriate security measures and to notify of serious incidents, the Cyprus NIS Law also imposes the said obligation to providers electronic communication services. As a result, providers electronic communication services are also supervised by the DSA within the ambit of the Cyprus NIS Law and should therefore comply with applicable cybersecurity requirements.
Specifically, network and electronic communication service providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and electronic communication services. The DSA is responsible to ensure that these providers notify every incident regarding security having a significant impact on the operation of networks and electronic communication services.
The Cyprus NIS Law confers the DSA with wide-ranging powers concerning all providers, including the power to carry out investigations, request information and impose administrative fines for infringements of statutory provisions.
in terms of information requests, the DSA is empowered, amongst others, to request information regarding their network and information system security, including their security policies, from digital services providers, operators of essential services, critical information infrastructure operators, electronic communications providers.
The DSA has the power to impose administrative fines of up to EUR 200,000 for any infringement of the Cyprus NIS Law, as well as a fine of up to EUR 10,000 for each day the infringement persists. Infringement of any decisions or regulations could result in administrative fines of up to EUR 300,400, as well as an additional fine up to EUR 200,000 where the infringement persists.
The Cyprus NIS Law provides inter alia for criminal liability in relation to a failure to comply with notification obligations under the Cyprus NIS Law, a failure to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems under the Cyprus NIS Law or a failure to provide any information requested by the DSA.
Efforts are ongoing to improve the consultation of stakeholders when preparing legislation, particularly bills intended to transpose EU directives. In the context of the Better Regulation Project, a partnership between the OECD and the European Commission, the Ministry of Finance and the Legal Service of the Republic have established an obligation to conduct a public consultation with all stakeholders before proceeding with a governmental bill. A completed questionnaire accompanies every bill submitted to the Council of Ministers for approval and subsequently presented before the House of Representatives for enactment, explaining all aspects of the proposed legislation and the consultation that has taken place.
As noted by the European Commission in its Rule of Law report for 2020, a number of challenges exist in Cyprus regarding the regulatory impact assessment framework concerning both laws and regulations, which could be improved by establishing an oversight body for impact assessment quality control.
Cyprus is poised to seize the growth opportunities expected to arise in the post-pandemic world. The establishment of a Deputy Ministry of Research, Innovation and Digital Policy in 2020 and other policy objectives are steps in the direction of enhancing the competitiveness of Cyprus in an increasingly changing jurisdictional landscape.