Antoniou McCollum & Co. LLC

Focus on…

Regulatory and competition law developments in Cyprus

1. Competition law

In 2022 Cyprus enacted a new competition framework, which introduces additional powers for the CPC. The new legislation consolidates previous statutes regulating collusive conduct, abuses of dominance and abuses of relationships of economic dependence. The new legislation enhances the safeguards of the CPC’s independence and competence, as it transposes Directive (EU) 2019/1 into Cyprus law (Directive (EU) 2019/1 of the European Parliament and of the Council of 11 December 2018 to empower the competition authorities of the Member States to be more effective enforcers and to ensure the proper functioning of the internal market).

Some of the key changes brought about by the new legislation:

- the CPC is empowered to continue investigating a complaint which has in the meantime been withdrawn
- the CPC, acting on its own account or on behalf of national competition authorities of other EU member states, is empowered to summon persons before it to provide information and evidence in interviews to the CPC in relation to matters under the CPC’s competence
- the deadline to settle any fines imposed by the CPC is 60 days (unless specified otherwise in the CPC’s decision) and fines are subject to annual interest if they are not settled by such deadline
- procedural aspects relating to access to case files and the protection of confidential information and personal data have been enhanced
- the powers of the CPC to cooperate with other national competition authorities in other EU member states have been enhanced, with the CPC now able to carry out dawn-raids and collect evidence on behalf of such other national competition authorities
- the CPC is now able to issue announcements, recommendations and guidelines regarding its competence, its procedures and the assessment of the seriousness, duration and mitigatory factors relating to an infringement that are considered when imposing an administrative fine
- an undertaking to which a statement of objections has been notified is entitled to access the non-confidential evidence forming part of their case file.

Infringements provided under the law remain largely the same, and comprise:

(a) Abuse of dominance

Any abuse by one or more undertakings of a dominant position within the market or in a substantial part of it in respect of a product is prohibited, particularly if this practice results or may result in:

- directly or indirectly imposing unfair purchase or selling prices or other unfair trading conditions
- limiting production, markets or technical development to the prejudice of consumers
- applying dissimilar conditions to equivalent transactions with other trading parties, thereby placing them at a competitive disadvantage
- making the conclusion of contracts subject to acceptance by the other parties of supplementary obligations which, by their nature or according to commercial usage, have no connection with the subject of such contracts.

(b) Abuse of relationship of economic dependence

The Cypriot legal order features the abuse of a relationship of economic dependence as a distinct competition infringement. It is prohibited for an undertaking that is either a customer, supplier, producer, representative, distributor or trading partner of another undertaking, which other undertaking does not have an equivalent alternative solution, to abuse a relationship of economic dependence.

(c) Restrictive agreements, decisions and practices

Agreements between undertakings, decisions by associations of undertakings and concerted practices that have as their object or effect the prevention, restriction or distortion of competition within the national market are void ab initio.
Restrictive agreements, decisions and practices are those which:

- directly or indirectly fix purchase or selling prices or any other trading conditions
- limit or control production, markets, technical development, or investment
- share markets or sources of supply
- apply dissimilar conditions to equivalent transactions with other trading parties, thereby placing them at a competitive disadvantage
- make the conclusion of contracts subject to acceptance by the other parties of supplementary obligations which, by their nature or according to commercial usage, have no connection with the subject of such contracts.

The CPC is also tasked with the control of concentrations between undertakings. The Control of Concentrations Between Undertakings Law of 2014, L. 83(I)/14 (the Merger Control Law), provides for the notification of mergers, acquisitions and joint ventures that meet the jurisdictional thresholds. Clearance of a concentration falling within the ambit of the Merger Control Law is required prior to its implementation.

Amongst the thresholds under the Merger Control Law is the relatively low threshold of two undertakings concerned, taken together, achieving a turnover of at least €3.5 million in Cyprus. This threshold often leads foreign-to-foreign transactions, which otherwise have little impact on the Cypriot market, to require clearance by the CPC prior to their implementation.

2. Audiovisual media services

In December 2021 Cyprus transposed the Audiovisual Media Services Directive (EU) 2018/1808 amending the Audiovisual Media Services Directive 2010/13/EU on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (AVMS Directive). Further to television broadcasts and on-demand audiovisual media services, the new framework also regulates video-sharing platforms.
The framework also provides for safeguards regarding the prohibition of hate speech, the protection of minors as users of audio-visual media services to maximise consumer protection and general media accessibility in view of changing market realities. The national regulatory authority responsible for the enforcement of the framework applicable to audiovisual media service providers and video-sharing platform providers is the Cyprus Radio-Television Authority (CRTA).

(a) Video-sharing platforms

Services providing user-generated videos to the public, for which a video-sharing platform provider does not have editorial responsibility but determines the organisation of such content, including by automatic means or algorithms in particular by displaying, tagging and sequencing, are caught under the new framework as video-sharing platform services. Video-sharing platform providers that fall under the jurisdiction of Cyprus are required to register with the CRTA.

Video-sharing platform providers are required to take appropriate measures to protect the public, including:

- minors, from content that may impair their physical, mental or moral development
- the public, from content containing incitement to violence or hatred directed against a group of persons or a member of a group
- the public, from the content the dissemination of which constitutes public provocation to commit a terrorist offence, offences concerning child pornography and offences concerning racism and xenophobia.

(b) Advertisements and product placement

Audio-visual media service providers and video-sharing platform providers must comply with a set of obligations and restrictions governing the way advertisements (audiovisual commercial communications) are cognitively understood and made accessible.
Audiovisual advertising must be readily recognisable as such, and must not:

- use subliminal techniques
- prejudice respect for human dignity
- include or promote discrimination
- encourage behaviour prejudicial to health or safety
- encourage behaviour grossly prejudicial to the protection of the environment.

Video-sharing platform providers must comply with the same requirements as those applicable to media service providers where advertisements are marketed, sold or arranged by the video-sharing platform providers. When advertisements are marketed, sold or arranged by the video-sharing platform providers, the latter must take appropriate measures to comply with the said requirements, but account must be taken of the limited control exercised by video-sharing platforms over such advertisements.

(c) Financial contributions / levies

The CRTA is tasked with ensuring that media service providers and video-sharing platforms comply with the applicable framework. The CRTA may require media service providers under the jurisdiction of the Republic of Cyprus to contribute financially to the production of European works, including via direct investment in content and contribution to national funds. In exercising this power, the CRTA may also require media service providers targeting audiences in the territory of the Republic of Cyprus but established in other EU Member States to make such financial contributions.

3. Network and Information Security

Cyprus transposed Directive 2016/1148 on the security of network and information systems (the NIS Directive), through the Security of Networks and Information Systems Law of 2020 (the Cyprus NIS Law). While the text of the NIS Directive has generally been transposed into the Cypriot legal order, the Cyprus NIS Law also specifically addresses network and information security requirements for electronic communication services providers (i.e. telecommunications operators).
The Cyprus NIS Law creates a framework for the security of network and information systems in all critical information infrastructures in Cyprus and enhances the island State’s existing capabilities of handling and responding to cyberattacks. The key purpose of the Cyprus NIS Law and its subsidiary legislation is to ensure that the Cypriot network infrastructure can respond to cyberattacks and other cybersecurity threats.

The Digital Security Authority (DSA) is designated by the Cyprus NIS Law as the competent supervisory authority for the enforcement of its provisions and the adoption of national cybersecurity strategies. The Cyprus NIS Law also entrusts the Cypriot computer-security incident response team (CSIRT-CY) with the responsibility of offering technical support and of monitoring, risk-handling, managing and responding to cybersecurity incidents while participating in the CSIRTs network of the member states. CSIRT-CY is tasked with implementing proactive and reactive security services to reduce the risks of network information and cybersecurity incidents, as well as to respond to such incidents.
Under the NIS Directive, EU Member States must supervise the cybersecurity of critical market operators in their jurisdiction:

- Ex-ante supervision in critical sectors (energy, transport, water, health, digital infrastructure and finance sector)
- Ex-post supervision for critical digital service providers (online marketplaces, cloud and search engines)

The Cyprus NIS Law identifies the following types of operators and providers falling under its ambit:

- operators of essential services
- critical information infrastructure operators
- electronic communications providers
- digital services providers

Under the Cyprus NIS Law, critical infrastructure comprises the assets, systems or parts thereof within the territory of Cyprus, which are essential for the maintenance of operations of vital importance for society, health, security, the economic and social welfare of citizens and the interruption of operation or destruction of which would have a significant impact on the State, as a result of an inability to maintain these operations.

Under the Cyprus NIS Law, the criteria for the identification of both operators of essential services as well as critical information infrastructure operators are that:

- the entity provides a service that is essential for the maintenance of critical societal and/or economic activities
- the provision of that service depends on network and information systems; and
- an incident would have significant disruptive effects on the provision of that service.

While the NIS Directive introduces the obligation on essential services providers and digital service providers (providers of search engines, cloud computing services and online marketplaces) to take the appropriate security measures and to notify of serious incidents, the Cyprus NIS Law also imposes the said obligation on providers of electronic communication services.
As a result, providers of electronic communication services are also supervised by the DSA within the ambit of the Cyprus NIS Law and should therefore comply with applicable cybersecurity requirements. Specifically, network and electronic communication service providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and electronic communication services. The DSA is responsible for ensuring that these providers notify every security incident having a significant impact on the operation of networks and electronic communication services.

The Cyprus NIS Law confers wide-ranging powers on the DSA concerning all providers, including the power to carry out investigations, request information and impose administrative fines for infringements of statutory provisions. In terms of information requests, the DSA is empowered, amongst others, to request information regarding their network and information system security, including their security policies, from digital services providers, operators of essential services, critical information infrastructure operators and electronic communications providers.

The DSA has the power to impose administrative fines of up to EUR 200,000 for any infringement of the Cyprus NIS Law, as well as a fine of up to EUR 10,000 for each day the infringement persists. Infringement of any decisions or regulations could result in administrative fines of up to EUR 300,400, as well as an additional fine up to EUR 200,000 where the infringement persists.

The Cyprus NIS Law provides inter alia for criminal liability in relation to a failure to comply with notification obligations under the Cyprus NIS Law, a failure to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems under the Cyprus NIS Law or a failure to provide any information requested by the DSA.
Conclusion

Efforts are ongoing to improve the consultation of stakeholders when preparing legislation, particularly bills intended to transpose EU directives. In the context of the Better Regulation Project, a partnership between the OECD and the European Commission, the Ministry of Finance and the Legal Service of the Republic have established an obligation to conduct a public consultation with all stakeholders before proceeding with a governmental bill. A completed questionnaire accompanies every bill submitted to the Council of Ministers for approval and subsequently presented before the House of Representatives for enactment, explaining all aspects of the proposed legislation and the consultation that has taken place.

As noted by the European Commission in its latest Rule of Law report, several challenges exist in Cyprus regarding the regulatory impact assessment framework concerning both laws and regulations, which could be improved by establishing an oversight body for impact assessment quality control.

Cyprus is poised to seize the growth opportunities expected to arise in the post-pandemic world. The establishment of a Deputy Ministry of Research, Innovation and Digital Policy in 2020 and other policy objectives are steps in the direction of enhancing the competitiveness of Cyprus in an increasingly changing jurisdictional landscape.