Cyprus's regulatory framework for EU access - core rules, authorities, structures

Register with CySEC and obtain a CIF license to access EU markets via passporting. Ensure compliance with MiFID II/MiFIR, maintain sufficient own funds, establish clear governance, and appoint a local compliance officer to coordinate cross-border activities.

Cyprus implements the EU framework through the Investment Services and Activities and Regulated Markets Law and accompanying CySEC rules. Firms classify clients, disclose costs, and design products with defined purposes. Managers undergo fit and proper assessments. Institutions implement risk controls, keep detailed records, and report to CySEC on a regular basis.

Key regulators and bodies include the Cyprus Securities and Exchange Commission (CySEC) as the main licensing authority for investment services, the Central Bank of Cyprus (CBC) for banks and payment services within the Eurosystem, and ESMA for pan-EU supervisory coherence. Legal entities and filings fall under the Department of Registrar of Companies and Official Receiver, with oversight from the Ministry of Finance.

Licensing requires a business plan, internal policies, governance arrangements, and capital adequacy demonstrations. CySEC conducts on-site reviews and ongoing supervision, with periodic reporting, annual audits, and compliance checks. Firms establish AML/CFT programs, appoint a money-laundering reporting officer, perform customer due diligence, and monitor suspicious activity in line with EU directives and national law.

After authorization, set up passporting arrangements for eligible member states and align operations accordingly. Build a local compliance team, integrate data protection with GDPR, and implement cross-border reporting tools. Keep documentation up to date, prepare for potential ESMA coordination actions, and maintain a clear contact point with CySEC for changes in rules or enforcement matters.

Who may apply from 5 March 2025: eligible categories plus limits

Review the official eligibility notice published on 5 March 2025 to confirm exact categories and caps. Eligible applicants fall into two main groups: natural persons seeking recognition to practice in regulated sectors, and legal entities aiming to provide cross-border services under Cyprus supervision.

Category A – natural persons with recognized professional qualifications: EU and EEA nationals, as well as Cyprus residents, may apply to practice in regulated professions after professional bodies in Cyprus recognize their qualifications. Applicants must meet local licensing or registration requirements and comply with sector-specific conditions, including continuing professional development where applicable.

Category B – entities establishing or operating in Cyprus: firms established in the EU or with a Cyprus presence may obtain authorizations to offer cross-border services within the scope allowed by the regime. Applicants must demonstrate substance in Cyprus, appoint an authorized representative or local branch, and maintain compliance with applicable prudential, insurance, and reporting rules.

Category C – temporary or project-based service providers: service delivery for defined, time-limited projects or assignments may be approved where the activity is ancillary to the entity’s core operations. Projects typically have a maximum duration and require a project-specific permit, including clear end dates and performance milestones.

Category D – research, education, and professional mobility: researchers, academics, and educational institutions may participate under mobility or collaboration schemes that enable secondments, joint programs, or short-term teaching and research engagements, subject to sector-specific approvals.

Category E – mutual recognition and transitional routes: applicants covered by mutual recognition agreements or transitional arrangements may access certain regulated activities with streamlined steps, provided they meet defined equivalence or transitional criteria set by the competent authority.

Limits and allocation: the competent authority sets caps per category and sector, with allocations published in the regulatory schedule accompanying the 5 March 2025 notice. When demand exceeds the cap, the authority uses objective criteria to allocate places, prioritizing local economic impact, sector shortages, and compliance history on record. Applicants should monitor the official portal for updates, deadlines, and any sector-specific conditions that affect eligibility.

Preparation and submission: compile proof of identity, nationality, and any required professional qualifications; gather licensing or registration evidence from relevant professional bodies; document Cyprus presence (for entities), including corporate registry details, local address, and appointment of a local representative if needed; prepare financial and insurance disclosures as required by the regime; and ensure conformity with data protection and anti-money-laundering requirements.

Required documents: a practical pre-submission checklist

Prepare a complete, English-language dossier with certified copies, a detailed index, and clear cross-references to the licensing category. Submit through CySEC's online e-submission portal and keep originals available for verification.

1. Corporate identity and ownership

   • Certificate of Incorporation, Memorandum and Articles of Association, and a current extract from the Cyprus Registrar of Companies.
   • Registered and trading names, legal form, and the firm’s registered office address.
   • List of current directors, secretaries, and beneficial owners with ownership percentages.
   • Proof of registration with the Tax Department and the VAT status (if applicable).
   • Bank reference letter or bank statements showing a functioning corporate account in the firm’s name.
   • Certified copies of IDs or passports for all directors and UBOs, plus proof of address.

2. See also: Company registration cyprus corporate services.

   Management and governance (fit and proper)

   • CVs for all directors and senior managers; professional qualifications and references.
   • Declarations of integrity and conflict-of-interest statements for each responsible person.
   • Police clearance certificates or equivalent where required; overview of past regulatory actions, if any.
   • Organizational chart showing reporting lines and the allocation of compliance and risk duties.

3. Scope of activity and business plan

   • Detailed business plan specifying licensed activities, target client segments, and geographic focus.
   • Product and service catalog with service levels, intended client onboarding flow, and pricing model.
   • Forecasts for the first three years, including revenue, costs, capital needs, and liquidity projections.
   • Description of client classifications (retail, professional, eligible counterparties) and onboarding criteria.

4. Policies, controls and governance documentation

   • AML/CFT policy, customer due diligence (CDD) procedures, and risk-based CDD templates.
   • Sanctions screening policy and ongoing monitoring process.
   • Internal control framework, compliance function remit, and periodic testing plan.
   • Whistleblowing policy, data protection policy (GDPR alignment), and data processing agreements.
   • Policy on PR, conflicts of interest, and inducement controls; record-keeping and retention schedule.

5. Financial resources and solvency

   • Evidence of minimum capital applicable to the license category (include calculation basis and supporting documents).
   • Recent audited financial statements (last two years) or, if not available, management accounts plus a statement of assurance from the directors.
   • Funding plan, liquidity management policy, and bank references or letters of comfort.

6. Client assets, custody and record-keeping

   • Client asset protection policy and segregation arrangements; custody and reconciliation procedures.
   • Procedures for client money, if applicable, including trust accounts and client ledger controls.
   • Record-keeping policy for trade confirmations, statements, and KYC/CDD data for the required retention period.

7. Information technology and operational readiness

   • IT security policy, access controls, and vulnerability management plan.
   • Business continuity and disaster recovery plan with RTO/RPO targets and testing results.
   • Data protection impact assessment where processing of EU personal data occurs; data breach response procedure.
   • Technology architecture overview and logs for critical systems; backup and recovery procedures.

8. Outsourcing and third-party relationships

• List of material outsourcing arrangements, service providers, and due diligence performed.
• SLAs, risk assessments, and ongoing oversight mechanisms for key vendors.
• Business continuity implications and escalation paths for outsourced functions.

Operational policies for clients and products

• Client onboarding files, KYC data collection templates, and risk-based verification steps.
• Complaint handling process, escalation paths, and reporting to clients.
• All product disclosures, conflict disclosures, and suitability/appropriateness considerations.

Annexes, translations and supporting materials

• Certified translations of non-English documents; apostille or legalization if required.
• Index, cross-reference matrix, and page numbering; readable PDFs (not encrypted) with searchable text.
• Sample templates (KYC, risk assessment, policy documents) and copies of official forms used in the application.

Application phases and typical timelines: from submission to decision

Submit a complete, regulator-ready dossier and schedule a pre-application meeting with CySEC to align expectations.

Phase 1 – Preparation and pre-application (1–2 weeks). Compile governance documents, organizational chart, key personnel profiles, and a robust AML/CFT framework. Prepare the business plan, risk management policies, IT controls, outsourcing arrangements, and capital plan. Appoint a single regulatory liaison and gather template-ready templates and exhibits to streamline the submission process.

Phase 2 – Submission and completeness check (2–4 weeks). Deliver the full application package through CySEC’s portal, including all annexes, translations where required, and up-to-date corporate approvals. Use CySEC’s checklist to verify that every item is present and consistently formatted to avoid delays.

Phase 3 – Administrative screening and initial assessment (4–8 weeks). CySEC verifies eligibility, corporate structure, control persons, and fit-and-proper standards for directors and senior managers. The authority also checks solvency, capital adequacy planning, and organizational readiness to support regulatory requirements.

Phase 4 – In-depth regulatory assessment (8–16 weeks). The regulator examines risk management, internal controls, compliance program, AML/CFT measures, IT governance, outsourcing arrangements, and the business plan’s realism. Expect requests for clarifications or supplementary documents to validate controls, governance, and capital planning.

Phase 5 – Information requests and responses (2–6 weeks per round). CySEC may issue targeted questions or request additional evidence. Provide precise, well-structured responses with cross-referenced sections, and attach updated policies or diagrams when needed. Limit response times to keep the review moving efficiently.

Phase 6 – Decision and licensing steps (4–8 weeks after final information). CySEC issues the decision letter, which may grant the license with specific conditions or, in rare cases, request further amendments. Prepare for possible conditional approvals that specify timelines for implementing controls, reporting, or additional capital requirements.

Phase 7 – Post-decision and readiness to operate (2–6 weeks, if applicable). Finalize licensing formalities, register with relevant authorities, and set up ongoing supervision arrangements. Once licensed, you gain cross-border passporting rights to provide services in other EU jurisdictions under the MiFID II framework, subject to ongoing compliance and periodic reviews.

Avi Sela's take: what eToro, fintechs gain from Cyprus access collectively

Recommendation: Secure a CySEC-regulated CIF license to passport core investment services across the EU, and back it with a Cyprus-based Payment Services or Electronic Money license to handle client payments and wallets. This creates a single, EU-wide compliance footprint from a Cyprus hub.

With CySEC, you access the MiFID II framework across 27 markets via passporting, avoiding separate licenses in each state. That enables eToro and other fintechs to scale quickly while maintaining a consistent product and client onboarding across the bloc.

Key data points support the move: Cyprus maintains a 12.5% corporate tax rate, a broad network of double tax treaties, and a stable, EU-aligned supervisory regime under CySEC. A CySEC CIF license carries established controls on client due diligence, AML/CFT, and reporting that counterparties expect from licensed brokers and asset managers.

What this means in practice for the business: a Cyprus base reduces cross-border risk, enables faster EU client acquisition, and lowers duplicate compliance costs. It also opens doors to liquidity providers, fintech vendors, and banks that favor an EU-authorized hub with clear risk governance.

Operational blueprint for scale

Build a governance framework that covers KYC, AML, data protection, and cyber security, with a local MLRO and a dedicated CySEC-compliant compliance team. Run risk controls for onboarding, monitoring, and sanctions screening tied to CySEC reporting cycles. Pair the CIF license with a payments/EMI capability to streamline client flows, wallets, and settlements. Align crypto activities with MiCA compliance where applicable, including white-label or advisory services to avoid misclassification.

Actionable steps here and now

1) Initiate dialogue with CySEC to confirm license scope for your product set and confirm the capital adequacy requirements under MiFID II. 2) Map passporting rights to target markets and draft a cross-border operations plan covering onboarding, marketing, and client protection. 3) Hire a local compliance lead, establish AML/KYC protocols, and implement GDPR-aligned data protections. 4) Establish a modular tech stack for trading, payments, and risk reporting, ensuring seamless integration with EU supervisors. 5) Run a pilot in two or three member states, monitor client acquisition costs, and adjust pricing and product offers accordingly.

Practical implications: residency, banking, plus tax considerations for applicants

See also: Manifesto 2024.

Apply for permanent residency through the investment route only after confirming a property value of at least €300,000 plus VAT and ensuring funds come from traceable sources. The Civil Registry and Migration Department will review your documentation, and you should prepare passport pages, clean criminal record, health insurance, proof of address, property title, and evidence of funds.

Residency path specifics: A qualifying property purchase with ongoing income supports eligibility. Permits are typically issued for five years and renewable, provided you maintain ownership and meet income conditions. If you prefer a non-investment path, consider a long-term stay tied to employment, self-employment, or family ties, and verify current program options with the Civil Registry.

Banking: Open a Cypriot bank account to manage day-to-day finances and transfers. Bring your passport, proof of address, Cyprus Tax Identification Number or foreign TIN, and documents showing source of funds (sale contracts, investment records, salary statements). Banks perform standard due diligence, may request a local address, and can require a minimum balance or monthly fees. Use online banking and multi-currency accounts to simplify cross-border activity.

See also: London Tonight.

Tax considerations: You become a Cyprus tax resident if you spend more than 183 days in the year here, or you qualify under the 60-day rule if you have no other state where you are tax resident and you meet three conditions: maintain a Cyprus home, be employed or run a business in Cyprus, and spend the remainder of the year outside Cyprus. Non-domiciled residents avoid defence contribution on dividends and interest for up to 17 years. Personal income tax rates are 0% up to €19,500; 20% to €28,000; 28% to €36,300; 30% to €60,000; 35% above. Corporate tax is 12.5%; VAT standard rate is 19%. Capital gains tax applies at 20% on gains from disposal of immovable property located in Cyprus. Cyprus has double tax treaties with many jurisdictions to ease cross-border planning.