NEWS

We are pleased to announce that Alexandros Economou LLC has been recognised by The Legal 500 EMEA 2025 edition as a leading firm in Cyprus in the Banking & Finance (Tier 3), and Commercial Corporate and M&A (Tier 2) practice areas. Alexandros Economou has been recognised as a leading partner and Maria Katsikidou as a next generation partner.

On 10 April 2025, the House of Representatives passed the Network and Information Systems Security (Amendment) Law of 2025 (the “Law”), which transposed into national law the provisions of Directive (EU) 2022/2555, known as the NIS2 Directive.

The NIS2 Directive, which was voted on 14 December 2022 and entered into force at European level on 17 October 2024, aims to strengthen the flexibility of key and important entities against cyber threats and is a significant step in upgrading cybersecurity at the European level.

The Law provides, inter alia, the following:

1. It substantially broadens the scope of the original law by including sectors that were not previously covered, such as public sector entities, postal services and digital infrastructures. The distinction between essential and important entities depends on criteria such as their size and importance to society, i.e. the impact they have on the economy, public security, public order, public health and the environment.
2. Key and significant entities must implement the cybersecurity framework set out in the Law by taking appropriate, proportionate technical, operational and organisational measures to manage the risks to the systems on which their services are based and to prevent or minimise the impact of incidents on their services.
3. It introduces a distinction in the supervisory regime of key and significant entities aiming to ensure a fair balance of obligations for both the entities in question and the competent authorities. Therefore, key entities are subject to a full ex-ante and ex-post supervisory regime, while significant entities are subject to an ex-post supervisory regime only.
4. It introduces the responsibility of the top management as it provides that the top management has the ultimate responsibility for the management of cybersecurity risks in key and significant entities.
5. Possibility of imposing stricter administrative fines on key and significant entities in case of failure to comply with the legislation.

Following the transposition of the Fifth AML Directive into the Prevention and Suppression of Money Laundering and Terrorist Financing Laws of 2007 to 2019 (the “Law”), which introduced the register of UBOs of companies and other legal entities accessible to the general public (the “Register”), the legislative regulations complementing the Law have finally been approved by the Cyprus Parliament on 16 March 2021 (the “Directive”).

The information to be recorded for Companies/legal entities are amongst other: name, date of birth, nationality, residence address, ID number, the nature and extent of the beneficial interest held (the “Information”);

The Directive, in a nutshell, includes the following:

1. The Register will be kept by the Cyprus Registrar of Companies;

2. All Companies/legal entities and their officers have a severable obligation to record the Information within six months as of 16 March 2021- An exceptional right of non-disclosure to the public is also available if sufficient proof is filed evidencing that such disclosure will, amongst others, harm and/or expose the UBO to harm/danger;

3. New Companies/legal entities will have 30 days within which to record the Information;

4. The change of a UBO must be notified within 14 days;

5. Regulatory Authorities, Tax Authorities, the Police and Customs Authorities will have direct (without an obligation to notify the company), unrestricted and free access to the Register;

6. The Register will be publicly accessible with no requirement to demonstrate legitimate interest with an applicable fee of €3.50; The accessible information will be limited to the name, month and year of birth, nationality, country of residence and the nature and extent of the beneficial interest held by the UBO;

7. The Register will be interconnected with the UBO registers of the other EU Member States;

8. The Information must be confirmed annually;

9. The Information remains on record for up to10 years following the deletion of the Company/legal entity – For five years following the deletion the access is available only due to a regulatory or criminal investigation;

10 A Company/legal entity and its officers are subject to various administrative, criminal and civil sanctions for failure to register or for filing inaccurate information.

For a more comprehensive view on the matter, please refer to our detailed MEMO THE CYPRUS UBO REGISTER

A note that the Directive does not include trusts registers.

On 25 March 2020, Vladimir Putin in his announcement to the Russian nation regarding the main measures to be taken in order to tackle the coronavirus, also instructed the Government to initiate negotiations with foreign jurisdictions to amend Russia’s current DTT’s and set the minimum withholding tax rate on dividends and interest payed from Russia at 15% (as opposed to the current 0%, 5% and 10% rates).

Russia dictates the modification of the parts concerning “Dividends” and “Interest” in a way that these may also be taxed in the country of source at a rate not exceeding 15%. The possibility of applying for reduced tax rates is not provided. We say ‘dictated’ because Russia said that it unilaterally terminate its DTT with any jurisdiction that does not accept the said changes.

Cyprus, alongside (amongst others) Luxemburg and Malta, already received the relevant official request. The Russian embassy in Cyprus made clear that the changes will also take place to taxation treaties with other countries and “mainly those which large amounts of Russian money go through” (e.g. the Netherlands and in general all EU Member States, Switzerland and Singapore).

The matter is monitored closely, and this briefing will be updated accordingly.

The Registrar of Companies announced the following in order to support Companies affected by the restrictive measures imposed to limit the spread of Coronavirus:

1. Submission of Annual Reports (Audited Accounts) Due 4th Companies' Compliance Campaign for

• The three-month publication in the Official Gazette of the Republic resulting in the strike off / deregistration of Companies that received warning letters about their default in filing their Annual Reports (i.e. their Audited Financial Statements), is suspended until January 2021. Therefore, Companies that received such default letters now have until January of 2021 within which to get up-to-date with their obligation to file their audited financial statements.

2. Payment of the Annual Levy of €350

• The deadline for the payment of the 2020 annual levy is extended to 31 December 2020 (from 30 June 2020). The penalty imposition of 10% (up to 2 months delay) and 30% (delay between 2 to 5 months) for late payments is suspended accordingly.

3. Penalty on late submission of documents to the Department

• Following the approval of the House of Representatives, the implementation of penalties on late submission of statutory forms to the Department will be postponed until 2021.

4. Submission of 2020 Annual Report to the Department

• The 2020 Annual Report, i.e. the one submitting the 2019 Audited Financial Statements, may be submitted by 28/01/2021 without the additional penalty charge of €20 applicable on late submission.