{"id":141152,"date":"2026-04-29T14:34:03","date_gmt":"2026-04-29T14:34:03","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=141152"},"modified":"2026-04-30T09:37:53","modified_gmt":"2026-04-30T09:37:53","slug":"cyprus-technology-outsourcing","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/cyprus-technology-outsourcing\/","title":{"rendered":"Cyprus: Tech Outsourcing"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-141152","comparative_guide","type-comparative_guide","status-publish","hentry","guides-technology-outsourcing","jurisdictions-cyprus"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Markos P. Spanos &amp; Co LLC<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2026\/04\/markos-logo.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Markos P. Spanos &amp; Co LLC<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2026\/04\/markos-logo.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Tech Outsourcing laws and regulations applicable in Cyprus<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Market overview: Please provide a high-level overview of the outsourcing market in your jurisdiction (e.g. who are the key players and in what sectors (public and private) are you seeing outsourcing services being adopted)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cyprus is a well-established technology hub with a strong ecosystem of financial institutions, fintechs, startups, research and development (R&amp;D) centres, gaming companies and service providers. Its appeal is driven by EU passporting rights, a business-friendly environment, a skilled talent pool and strong service infrastructure. Many of these companies use advanced technologies such as AI, blockchain and automation, and often outsource part or all of their technology development, particularly in the case of startups.<\/p>\n<p>In recent years, Cyprus has listed hundreds of startups, including a growing number of blockchain ventures attracting significant investment. Over 800 technology companies, including giants like Microsoft, IBM and Oracle, have established a presence in the country.<\/p>\n<p>The public sector remains the largest IT services consumer, followed by banking and telecommunications, while hosting infrastructure services dominate the outsourcing market.<\/p>\n<p>Despite this growth, some organisations remain concerned about vendor lock-in and limited scalability in outsourcing arrangements. However, these concerns are expected to diminish with the introduction of the EU Data Act (see question 13) and the development of heightened regulatory protections.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Market overview: What is the current attitude of the government and of regulators to the use of outsourcing in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cyprus government strongly supports the IT sector and outsourcing, both as a user of outsourced services and by fostering a business-friendly environment through funding, tax incentives and immigration support. A key initiative includes a memorandum of understanding signed with Amazon Web Services to accelerate public sector cloud adoption under the \u2018cloud-first\u2019 policy. This builds on existing strategies such as the National Digital Strategy 2020\u20132026, with further alignment to the EU Digital Decade Policy Programme 2030 envisioned through a recent public tender for the development of a new, robust strategy.<\/p>\n<p>Regulators are also supportive, provided that appropriate third-party risk management and oversight are in place (see questions 6 and 14). The Cyprus Securities and Exchange Commission (CySEC) has introduced an \u2018Innovation Hub\u2019 (regulatory sandbox), enabling fintech companies to test new products in a controlled environment, while benefiting from regulatory guidance and reduced administrative burden.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Procurement: Are there specific procurement-related laws or regulations governing outsourcing by public sector or government bodies?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Cyprus, outsourcing by public sector or government bodies is strictly regulated. The two main public procurement laws are:<\/p>\n<ol>\n<li>The Regulation of Procedures for the Award of Public Contracts and Related Matters Law of 2016 (transposing Directive 2014\/24\/EU), which applies to the state (central government departments and ministries), regional or local authorities (municipalities and community councils) and bodies governed by public law (including semi-governmental organisations or entities established to meet a need of public interest).<\/li>\n<li>The Regulation of Procedures for the Award of Public Contracts by Entities Operating in the Water, Energy, Transport and Postal Services Sectors and Related Matters Law of 2016 (transposing Directive 2014\/25\/EU), which applies to authorities or public undertakings active in the utility sectors, including gas, electricity, water, transport, airports and postal services.<\/li>\n<\/ol>\n<p>The General Regulations for the Award of Public Supply Contracts, Public Works Contracts and Public Service Contracts (Regulatory Administrative Act 2001\/2007) which act as subsidiary legislation for the central government (with the broader framework including local authorities and other public law bodies), govern the tender procedure while setting out the creation and operation of the competent bodies responsible for evaluating public tenders.<\/p>\n<p>This regime sets out different tendering procedures depending on the value of the contract and the activities the contracting parties pursue. The threshold values of the contracts are also important as they determine the applicable recourse procedure.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Procurement: Are there specific procurement-related laws or regulations governing outsourcing by private sector organisations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Cyprus, outsourcing by private organisations is not regulated by procurement\u2013related laws. However, certain laws applicable in the public sector may impact outsourcing arrangements in the private sector. For example, the Procurement of Contracts by Entities Operating in the Water, Energy, Transport and Postal Services Sectors and Related Matters Law of 2016 (see question 3) also applies to private entities if (i) they pursue one or more of the designated utility activities and (ii) they operate on the basis of special or exclusive rights granted to them by a competent authority by way of any legislative, regulatory or administrative provision. In such cases, or even where private organisations receive public funding to perform a project, they are expected to follow a public-sector level of procurement process to demonstrate fair, transparent and non-discriminatory vendor selection.<\/p>\n<p>For private companies, outsourcing is generally a matter of private contract and common law principles. Subject to sector-specific laws and regulations (see question 6), parties are free to agree the terms of the outsourcing arrangement, with certain terms usually being the subject of heavier negotiation, including IP rights, indemnities and liability exclusions and limitations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Laws and Regulations: Are there any other specific laws or regulations that apply to outsourcing? If not, what key general laws and regulations are most relevant?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Save for sector-specific laws which apply to outsourcing (see question 6), there are no other specific laws regulating outsourcing in Cyprus. Other key laws are discussed further down in this Q&amp;A, including laws on the processing of personal and non-personal data, intellectual property and cybersecurity, as well as employment and tax.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Laws and Regulations: Do any specific regimes apply to outsourcing arrangements in particular sectors (e.g. financial services)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The main sectors are:<\/p>\n<p style=\"padding-left: 40px\"><strong>1. Financial Services:<\/strong><\/p>\n<ol>\n<li>: The EU Digital Operational Resilience Act (DORA) applies to designated financial entities such as banks, EMIs, CASPs and trading venues and acts as a specialized cybersecurity and operational resilience law for the financial sector. It requires that financial entities conduct robust third-party ICT risk management and mandates specific contractual provisions in outsourcing agreements, including termination and exit rights, audit rights, incident reporting, and business continuity measures. Liability remains with the financial entity, so contracts typically include flow-down provisions across the supply chain to ensure compliance. DORA also applies to designated critical ICT providers, which are subject to specific reporting obligations.<\/li>\n<\/ol>\n<p style=\"padding-left: 40px\">In March 2026, CySEC adopted ESMA Guidelines on outsourcing to cloud service providers, targeting depositaries outside DORA\u2019s scope, namely those safeguarding AIFs and UCITS.<\/p>\n<p style=\"padding-left: 40px\">Banking outsourcing is governed by the Central Bank of Cyprus Directive on internal governance, which requires institutions to maintain and regularly review outsourcing policies, alongside compliance with EBA outsourcing guidelines.<\/p>\n<p style=\"padding-left: 40px\"><strong>2. Insurance<\/strong>: The Insurance and Reinsurance Services and Other Related Issues Law of 2016 (implementing Solvency II), governs outsourcing in this sector, and companies should also follow the relevant EIOPA Guidelines on Cloud Outsourcing.<\/p>\n<p style=\"padding-left: 40px\"><strong>3. Investment:<\/strong> Under the Investment Services and Activities and Regulated Markets Law of 2017 (implementing MiFID II), Cyprus investment firms may outsource key functions provided this does not increase operational risk or impair internal controls or regulatory oversight.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Competition law: To what extent might outsourcing arrangements require notification or approval under merger control rules?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Outsourcing arrangements do not usually require notification to the Commission for the Protection of Competition (CPC). However, notification is mandatory under the Control of Concentrations Between Undertakings Law (83(I)\/2014) where the arrangement constitutes a \u2018concentration of major importance\u2019:<\/p>\n<p>\u2018Concentration\u2019: A concentration arises where there is a lasting change of control over an autonomous entity, typically through a merger, acquisition or joint venture. Outsourcing arrangements involving the transfer of assets and personnel, or the creation of a joint venture to manage outsourcing needs, may therefore fall within scope.<\/p>\n<p>\u2018Major Importance\u2019: Even where a concentration is established, notification is only required if certain thresholds are met: (i) at least two undertakings each have an aggregate global turnover exceeding \u20ac3.5 million; and (ii) at least two undertakings generate turnover in Cyprus; and (iii) the combined aggregate turnover of all participants generated in Cyprus is at least \u20ac3.5 million.<\/p>\n<p>Accordingly, parties must assess both the structure of the arrangement and the relevant financial thresholds to determine whether notification is required.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Competition law: To what extent are the terms of outsourcing agreements the subject of restrictions under competition law?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Outsourcing agreements are typically vertical arrangements (between parties at different levels of the supply chain) and are subject to the Protection of Competition Law (13(I)\/2022), which reflects Articles 101 and 102 of the Treaty of the Functioning of the European Union (TFEU). Compliance focuses on three key areas:<\/p>\n<p><strong>I. Restrictive Agreements<\/strong><\/p>\n<p>Terms that have as their object or effect the restriction, prevention or distortion of competition are prohibited, including price fixing, market sharing, limiting production or investment, and discriminatory practices. In outsourcing, exclusivity and non-compete clauses are closely scrutinised and generally fall outside the vertical block exemption if they exceed five years. Resale price maintenance &#8211; whereby a party attempts to dictate the prices another party charges third parties &#8211; is strictly prohibited.<\/p>\n<p><strong>II. Abuse of Dominant Position<\/strong><\/p>\n<p>Abuse of dominance (generally presumed at market shares exceeding 50%) is prohibited. Potentially abusive outsourcing terms include unfair pricing, exclusivity obligations, and tying or bundling services.<\/p>\n<p><strong>III. Abuse of Economic Dependence<\/strong><\/p>\n<p>Cyprus law also prohibits abuse of economic dependence, so that even where a party is not dominant in the broader market it cannot unfairly exploit a counterparty that lacks equivalent alternative options, ensuring a higher standard of commercial equity.<\/p>\n<p>Regarding horizontal outsourcing agreements (between competitors), anti-trust issues may arise, particularly cartel-type concerns, triggering action under the Protection of Competition Law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Intellectual property (\u2018IP\u2019) rights: What IP (registrable and non-registrable) is typically created in the course of an outsourcing arrangement?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Different types of intellectual property (IP) may be created in outsourcing arrangements depending on the services provided. These can be divided into non-registrable and registrable rights.<\/p>\n<p><strong>I. Non-registrable IP<\/strong><\/p>\n<p>Certain rights are afforded automatic legal protection by operation of law upon creation, without the need for formal registration. In outsourcing, these typically encompass:<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>Copyright: Protects original works such as software (source and object code), databases, technical manuals, and website content.<\/li>\n<li>Trade secrets and know-how: Covers confidential business information, including algorithms, customer data, and strategic processes, provided they meet the legal criteria for secrecy.<\/li>\n<li>Unregistered trademarks: Protected through the common law tort of passing off, which safeguards the goodwill and reputation of the business against misrepresentation.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>II. Registrable IP<\/strong><\/p>\n<p>These rights require formal registration to obtain protection. In outsourcing arrangements, these often include:<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>Patents: Protect novel inventions with industrial application. In tech-heavy outsourcing, patents may apply to unique hardware or innovative industrial processes.<\/li>\n<li>Registered trademarks: These encompass brand names, logos and slogans.<\/li>\n<li>Industrial designs: Protect the visual appearance of products, including shape, design or ornamentation.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Intellectual property (\u2018IP\u2019) rights: In an outsourcing arrangement, would any contractual terms or formal steps be required to vest supplier-created IP in the customer?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>IP created in outsourcing arrangements does not automatically vest in the customer and must be expressly assigned. It is standard for contracts to include provisions assigning all IP developed for the customer during the term, with suppliers also required to ensure their personnel execute any necessary assignments and documents.<\/p>\n<p>Moral rights under Cyprus law are generally not assignable, so contracts typically include waivers or undertakings not to assert them, to the extent permitted, to ensure unrestricted use of the deliverables by the customer.<\/p>\n<p>Where supplier pre-existing IP is incorporated into deliverables, customers usually receive a broad (often perpetual, irrevocable, royalty-free) licence to use it for the purpose of exploiting the deliverables. Conversely, suppliers usually receive a limited licence to use customer IP solely for the purposes of service delivery.<\/p>\n<p>From a risk management perspective, customers also typically seek warranties of originality and non-infringement, indemnities for third-party IP claims, and, where relevant, escrow arrangements for critical software or source code.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Intellectual property (\u2018IP\u2019) rights: How are confidential information, know-how and trade secrets protected in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Protection is provided under the Protection of Undisclosed Know-how and Business Information (Trade Secrets) Law 2020 (Law 164(I)\/2020) and contract law principles.<\/p>\n<p>In practice, parties also use NDAs and include confidentiality, non-compete, and non-solicitation clauses in outsourcing agreements. Service providers may include \u201cresidual knowledge\u201d carve-outs allowing continued use of general experience, skills, and know-how gained during the engagement, provided this excludes the customer\u2019s confidential information and trade secrets.<\/p>\n<p>In case of breach, Cypriot courts offer strong remedies, including interim injunctions, search orders (Anton Piller) and disclosure orders.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Data: What is the regime in your jurisdiction for regulating the protection and processing of personal data and what are the main implications for outsourcing arrangements?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The processing of personal data is governed by the GDPR (Regulation (EU) 2016\/679), supplemented in Cyprus by the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 Law 125(I)\/2018, which addresses administrative requirements and sets penalties and enforcement procedures.<\/p>\n<p>In outsourcing arrangements, a controller\u2013processor relationship is typically established, with processors acting strictly on documented instructions. Controllers remain responsible for ensuring that processors maintain appropriate technical and organisational measures, and the Office of the Commissioner for Personal Data Protection generally holds controllers primarily accountable unless robust due diligence can be demonstrated.<\/p>\n<p>Where personal data is transferred outside the EEA, Standard Contractual Clauses (SCCs) or equivalent safeguards must be in place. Transfers of special category data may also require notification to the Commissioner.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Data: What is the regime in your jurisdiction for regulating the processing of non-personal data and what are the main implications for outsourcing arrangements?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cyprus does not have a national legal framework for the processing of non-personal data and regulation is primarily derived from EU law and sector-specific rules.<\/p>\n<p>The Free Flow of Non-Personal Data Regulation (2019) ensures that non-personal data can be stored and processed freely across the EU by prohibiting unjustified localisation requirements, while the EU Data Governance Act (EU 2022\/868) sets framework rules for data sharing and regulates data intermediation services.<\/p>\n<p>&nbsp;<\/p>\n<p>More significantly, the EU Data Act (in force since September 2025) introduces a harmonised regime on access to, sharing and use of data, including non-personal data, particularly for connected products and digital services.<\/p>\n<p>Key implications of the EU Data Act for outsourcing include:<\/p>\n<ul>\n<li>Cloud switching and anti-vendor lock-in: Providers must facilitate switching and multi-cloud use by removing technical, contractual and financial barriers. Consumers should also be able to access alternative repair and maintenance services using available product data and not depend on one single provider.<\/li>\n<li>User access: Users (individuals and businesses) may access data generated by connected devices and share it with third parties.<\/li>\n<li>Fair terms: Data sharing must be on fair, reasonable and non-discriminatory terms, with unfair contractual restrictions being deemed unenforceable.<\/li>\n<li>Data portability by design: Products must be designed to enable data access and transfer in usable, machine-readable formats.<\/li>\n<li>Industrial use: Businesses can use shared data to improve efficiency and performance.<\/li>\n<\/ul>\n<p>Cybersecurity obligations (see question 14) and protections for trade secrets and confidential information (see question 11) continue to apply alongside the EU Data Act.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Cyber: Does your jurisdiction have specific cybersecurity legislation or regulations and what are the main implications for outsourcing arrangements?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Supply chain security is a core regulatory requirement under Cyprus cybersecurity law. The main framework is the Security of Networks and Information Systems Laws of 2020 and 2025 (the \u2018NIS Law\u2019), which first implemented the NIS Directive and was later updated to transpose the NIS2 Directive. It applies to operators of essential services and digital service providers across critical sectors (including energy, transport, healthcare, cloud services and data centres). It imposes obligations on risk management, supply chain security, incident detection and response, and mandatory reporting.<\/p>\n<p>The GDPR, as supplemented by Cyprus law, also establishes baseline cybersecurity requirements by requiring appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of personal data across all sectors.<\/p>\n<p>In addition, the Regulation of Electronic Communications and Postal Services Law 2004 requires telecoms and postal\/courier providers to maintain network security, integrity and availability.<\/p>\n<p>The Attacks on Information Systems Law 2015 criminalises unauthorised access (hacking), system and data interference and other related cyber offences, supporting enforcement and deterrence.<\/p>\n<p>For financial services, cybersecurity obligations under DORA apply (see question 6).<\/p>\n<p>The EU Cyber Resilience Act, fully applicable from December 2027 (with earlier reporting obligations from 2026), introduces further cybersecurity and reporting requirements for manufacturers of products connected to a network or device, and may also impact commercial distribution of open-source technologies.<\/p>\n<p>Given these obligations, regulated entities typically impose equivalent requirements on service providers through contractual flow-down provisions. However, regulatory responsibility remains with the customer, requiring ongoing oversight and risk management.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Technologies: To what extent are certain technologies commonly used in outsourcing arrangements (e.g. artificial intelligence, robotic process automation, cloud computing and blockchain\/distributed ledger technologies) the subject of specific regulations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>AI is regulated at EU level under the EU AI Act, which introduces a risk-based framework with enhanced obligations for high-risk systems, including governance, transparency, data quality, and human oversight. Cyprus does not currently have separate AI-specific legislation.<\/p>\n<p>Cloud computing is widely used in Cyprus and is regulated through general contract law, data protection rules, and sector-specific requirements, especially in financial services (see question 6 on DORA and ESMA Guidelines on cloud outsourcing). Cybersecurity obligations (see question 14) are also relevant where cloud services support critical infrastructure. In practice, regulatory focus is placed on governance of the outsourcing arrangements, including data security, audit rights, subcontracting controls and exit provisions.<\/p>\n<p>Robotic and other process automation technologies are not specifically regulated but are subject to general legal frameworks, including data protection and cybersecurity.<\/p>\n<p>Blockchain and distributed ledger technologies are not specifically regulated under Cyprus law but may fall under EU regimes such as the Markets in Crypto-Assets Regulation (MiCA) (where applicable), AML rules and data protection legislation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Employment law: Do your jurisdiction\u2019s employment laws and regulations have specific implications for outsourcing arrangements?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Implications for outsourcing may arise under the Preservation and Protection of Employees\u2019 Rights on Transfer of Undertakings Law 2000 (TUPE-equivalent), where employees transfer to the customer, with redundancy-related claims possibly arising (see question 17).<\/p>\n<p>Further, where the service provider is an individual, even if the outsourcing agreement designates them as a consultant or independent contractor, the Social Insurance Department or Employment Tribunal could reclassify them as an employee based on factors such as control over working arrangements, equipment ownership and degree of independence. Such reclassification may trigger social insurance and other employer liabilities and employment-related claims.<\/p>\n<p>While not strictly employment law, immigration rules may also affect outsourcing where foreign expertise is required necessitating relocation to or work-related entry in Cyprus. Cyprus facilitates this through the Business Facilitation Unit, which streamlines visa and work permit processes for qualifying foreign-owned companies in sectors such as ICT, pharmaceuticals and R&amp;D. Skilled third-country nationals with advanced expertise in ICT, pharma-related R&amp;D and shipping may also qualify for the EU Blue Card.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Employment law: How are employees transferred under an outsourcing arrangement?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>If TUPE applies, employees transfer automatically by operation of law and the transferee becomes their employer. TUPE applies where there is a transfer of an economic entity (such as a business unit or function) that retains its identity post-transfer, meaning it continues to carry out substantially the same activities. It can therefore apply to first-generation outsourcing, second-generation outsourcing, and insourcing where an identifiable, organised economic entity exists.<\/p>\n<p>Transferring employees retain their existing rights and continuity of employment. Dismissals by reason of the transfer are prohibited unless justified by economic, technical or organisational reasons. If such reasons exist, termination of transferred employees would typically be due to redundancy.<\/p>\n<p>Where TUPE does not apply, there is no automatic transfer of employees and any movement must be effected through standard employment law mechanisms, such as termination and re-engagement (with redundancy liabilities possibly arising), consensual transfers or secondment arrangements.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Tax: What are the general tax considerations in your jurisdiction with implications for outsourcing arrangements?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>VAT may apply to outsourcing arrangements. In domestic outsourcing (B2B or B2C), Cyprus VAT applies subject to exemptions. For cross-border outsourcing, the place of supply of the services generally determines taxation and it is typically the place where the recipient is established. Accordingly, reverse charge rules would apply for services between Cyprus and other EU entities, while services provided by Cyprus entities to foreign (non-EU) taxable persons are generally outside the scope of Cyprus VAT.<\/p>\n<p>From a corporate tax perspective, payments to outsourcing providers are generally tax deductible if wholly and exclusively incurred for business purposes, properly documented, and consistent with Cyprus substance requirements. Intra-group arrangements are subject to transfer pricing rules requiring arm\u2019s length transactions and appropriate documentation.<\/p>\n<p>Cyprus does not generally impose withholding tax (\u2018WHT\u2019) on dividends, interest or royalties paid to non-residents. However, WHT may apply to royalties for rights used within Cyprus, and anti-abuse rules may trigger taxation on payments to low-tax or blacklisted jurisdictions.<\/p>\n<p>Outsourcing may also create permanent establishment risks, particularly where core business functions are outsourced or where the service provider acts in a dependent capacity. Sufficient management and control must be maintained in Cyprus to support tax residency.<\/p>\n<p>Where personnel are provided (e.g. secondments), Cyprus payroll taxes and social insurance contributions may apply.<\/p>\n<p>In the context of technology outsourcing, the Cyprus IP Box regime may reduce the effective tax rate on qualifying IP income to as low as 2.5%, subject to conditions. Enhanced deductions for R&amp;D expenditure are also available at a rate of 120% until 2030.<\/p>\n<p>Cyprus also benefits from an extensive double tax treaty network, supporting cross-border structuring. Professional tax advice should be sought early on to ensure timely consideration of all relevant implications.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">ESG: Are there any specific ESG requirements in your jurisdiction (e.g. relating to carbon emissions, modern slavery, anti-bribery\/corruption, waste electronic equipment, etc.), and what are the implications of these for outsourcing arrangements?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cyprus does not have a single national ESG statute and ESG obligations derive from a number of EU regulations and domestic laws.<\/p>\n<p>Cyprus transposed the Corporate Sustainability Reporting Directive (\u2018CSRD\u2019) in July 2025 through amendments to its Companies Law, the Auditors Law and the Transparency Requirements Law. The amendments introduce phased reporting obligations for in-scope companies covering environmental (including carbon emissions), social (including human rights) and governance (including anti-corruption, bribery and whistleblowing) matters. Obligations extend across the supply chain, including outsourced service providers. Following the EU Omnibus I simplification package (February 2026), which reduces the CSRD\u2019s and the Corporate Sustainability Due Diligence Directive\u2019s reporting burdens on smaller companies, Cyprus is expected to transpose the new provisions in the following year.<\/p>\n<p>&nbsp;<\/p>\n<p>ESG-related obligations are also supported by domestic laws, including anti-bribery and corruption offences under criminal law, corporate governance requirements under the Companies Law and CySEC rules (for regulated entities), and employment laws covering health and safety, non-discrimination, salary and labour protections. Cyprus has also implemented the Waste Electrical and Electronic Equipment Directive.<\/p>\n<p>&nbsp;<\/p>\n<p>The implications for outsourcing are significant for both customers and vendors. Companies are increasingly held accountable for ESG risks across their supply chains and outsourced operations. This is typically addressed contractually at the vendor onboarding level (pre-contractual vendor due diligence) and within the outsourcing agreement itself (ESG-specific provisions including warranties, audit and termination rights). Vendors are also usually required to comply with the customer\u2019s supplier code of conduct, which incorporates ESG obligations. In practice, vendors that are unable to demonstrate adequate ESG compliance may be excluded from procurement processes, particularly by regulated entities and larger organisations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Cross-border: Do cross-border or multi-jurisdictional outsourcing arrangements raise any specific challenges or concerns in your jurisdiction (e.g. relating to export control or data transfer laws)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cross-border and multi-jurisdictional outsourcing requires careful management of regulatory differences, particularly in data protection and export controls. While Cyprus is EU-aligned, such arrangements must include contractual safeguards to address differing international requirements.<\/p>\n<p>Under the GDPR, transfers outside the EEA are permitted only where an adequacy decision exists or appropriate safeguards (such as SCCs or Binding Corporate Rules) are in place. Cyprus also imposes specific notification requirements for transfers of special category data to third countries, with non-compliance attracting administrative fines and criminal sanctions. Complementing the GDPR, the EU Data Act strengthens restrictions against unjustified data localisation and requires cloud and other data processing providers to prevent unlawful third-country access to non-personal data stored in the EU (see question 13).<\/p>\n<p>Export control rules under the EU Dual-Use Regulation may also apply where software, technology, or technical assistance is transferred outside the EU. Parties must therefore conduct rigorous know-your-vendor checks to ensure compliance.<\/p>\n<p>In financial services, DORA and EBA Guidelines impose additional requirements, mandating that regulators, such as the Central Bank of Cyprus and CySEC, maintain unrestricted access to the data and premises of service providers, regardless of location. Accordingly, contracts must be structured to ensure operational continuity and robust exit strategies to mitigate the risks associated with foreign vendor dependency.<\/p>\n<p>Finally, governing law and jurisdiction must be carefully considered. While parties may generally choose governing law under Rome I, Cypriot overriding mandatory rules (such as employment and competition law) cannot be derogated from. As the enforcement of foreign judgments and arbitral awards is subject to international treaties and conventions, forum selection is a key risk consideration.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Liability: Are there limits on what liabilities can be contractually excluded in your jurisdiction (e.g. are there certain liabilities which cannot be limited or excluded by law)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Cyprus law, parties are generally free to agree contractual liability provisions, including exclusions, limitations, financial caps, and exclusions of indirect or consequential loss, provided they comply with applicable law.<\/p>\n<p>Although customary and permissible for liability clauses to limit or exclude various heads of loss, certain liabilities cannot be excluded, including fraud or fraudulent misrepresentation, and death or personal injury caused by negligence. Courts may also refuse to enforce exclusions arising from willful misconduct as a matter of principle.<\/p>\n<p>Limitation and exclusion clauses are subject to judicial scrutiny, particularly in standard form contracts, where they must be clear, properly incorporated and not create significant imbalance between the parties. This is especially relevant in B2C contracts, where consumer protection legislation (including the Abusive Terms in Consumer Contracts Law 1996 and the Sales of Goods Act 1994) applies. Sector-specific regimes, such as financial services regulation, may also impose mandatory liability standards that cannot be contracted out of.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Disputes and enforcement: How are contractual disputes in outsourcing arrangements typically resolved in your jurisdiction and what remedies are commonly available in relation to contractual breaches?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Agreements typically include escalation clauses requiring senior management to attempt good-faith resolution before any formal proceedings. In cases where the parties are interested in preserving a long-term relationship or where the customer cannot easily find an alternative provider, disputes are usually settled through settlement agreements with payment of an agreed sum. However, if resolution is not achieved, the innocent party is typically entitled to terminate the contract in case of material or repeated breaches. Legal disputes may be (i) brought before the competent courts (the District Court or, for claims exceeding \u20ac2,000,000, the Commercial Court once it is operational), or (ii) resolved through voluntary mediation or (iii) resolved through arbitration under the Arbitration Law (Cap. 4) or the International Commercial Arbitration Law 101\/1987 for cross-border disputes.<\/p>\n<p>The primary remedy for breach is monetary damages. Liquidated damages and service credits are common but enforceable only if they represent a genuine pre-estimate of loss; otherwise, they may be deduced as penalties and the court may reduce the award to actual proven loss. Specific performance is rarely granted in complex technology outsourcing.<\/p>\n<p>In urgent cases, courts may grant interim relief including prohibition orders and mandatory injunctions to compel acts such as data return or transition assistance, as well as freezing orders (Mareva injunctions) to preserve assets pending final judgment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Disputes and enforcement: What, if any, other enforcement measures are typically relevant to outsourcing arrangements (e.g. regulatory fines and other sanctions)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>In competition law,<\/strong> the Commission for the Protection of Competition (CPC) may impose fines where outsourcing agreements include no-poaching or non-solicitation clauses (now treated as \u201cby object\u201d restrictions). Where an arrangement constitutes a notifiable concentration under merger control thresholds (see question 7), failure to notify may result in hefty fines.<\/p>\n<p><strong>In financial services,<\/strong> the Central Bank of Cyprus and CySEC have broad supervisory powers and may impose administrative fines for inadequate oversight of service providers. Under the Business of Credit Institutions Law (66(I)\/1997) and the Investment Services Law (87(I)\/2017), they may also revoke or suspend operating licences in case of serious breaches.<\/p>\n<p><strong>For data protection,<\/strong> the Commissioner for Personal Data Protection can impose administrative fines and corrective measures, including bans that may suspend outsourcing arrangements. Certain breaches, such as unlawful data transfers to third countries, may also constitute criminal offences punishable by imprisonment and\/or a fine.<\/p>\n<p>Since July 2025, enforcement of sanctions has been centralised under the <strong>National Sanctions Implementation Unit,<\/strong> which may impose administrative fines for deficiencies in sanctions-screening procedures within the outsourcing chain, as well as criminal liability or even judicial dissolution.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">5048<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/141152","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=141152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}