Go to content
Search Typeahead
${facet.Name} (${facet.TotalResults})
${item.Icon}
${ item.Overline }
${ item.Title }
${ item.Date } | ${ item.Authors }
${ item.PhoneNumber } ${ item.Email }
${ item.ShortDescription }
${ item.SearchLabel?.ViewModel?.Label }
See all results
Search Typeahead
${facet.Name} (${facet.TotalResults})
${item.Icon}
${ item.Overline }
${ item.Title }
${ item.Date } | ${ item.Authors }
${ item.PhoneNumber } ${ item.Email }
${ item.ShortDescription }
${ item.SearchLabel?.ViewModel?.Label }
See all results
  1. Home
  2. Our Blogs
  3. Regulatory
  4. Cyprus strengthens sanctions obligations for Obliged Entities

Cyprus strengthens sanctions obligations for Obliged Entities

19 Jan 2026
|

The recent enactment of the National Sanctions Implementation Unit Law 2025 (the NSIU Law) and establishment of the National Sanctions Implementation Unit (NSIU) in Cyprus marks a significant milestone in the island’s sanctions enforcement regime.

For obliged entities operating in regulated sectors, understanding how the NSIU Law affects your business is not just a matter of compliance, it is essential for mitigating significant financial and reputational risk.

This detailed overview is designed for "obliged entities" and their compliance professionals, focussing on obligations regarding risk management and reporting to the NSIU.

For completeness, the NSIU Law also contains provisions which are of general application (not just to obliged entities). You can find a more general overview of the NSIU Law here.

  1. New obligations under the NSIU Law

The NSIU Law introduces, among other things, a set of obligations for obliged entities specifically targeting sanctions compliance. These obligations are additional to those applicable to obliged entities under the AML Law or directives issued by their supervisory authorities under powers granted by the AML Law.

  1. What types of entities are “obliged entities” under the NSIU Law?

The NSIU Law borrows the concept of an “obliged entity” from the Cyprus Prevention and Suppression of Money Laundering and Terrorist Financing Law 2007 (the AML Law) and includes:

  • Credit institutions
  • Financial institutions (such as investment firms, AIFs, payment institutions and EMIs)
  • Administrative service providers
  • Crypto-asset service providers
  • Gambling service providers
  • Auditors, external accountants and tax advisors
  • Legal professionals (in certain cases)
  • A real estate agent or intermediary in real estate rentals (for transactions above a certain threshold)
  • Traders in precious metals, precious stones, or high-value goods like art and cultural artefacts
  1. Risk management

The NSIU Law requires every obliged entity to establish and implement adequate and appropriate policies, controls and procedures. The goal is to effectively identify, assess, mitigate, and manage the risks of sanctions violations and possibly actions or omissions which amount to sanctions violations.

Such policies, controls and procedures must be proportionate to the characteristics and activities of the relevant obliged entity.

Supervisory authorities (such as CySEC, the Central Bank, the Cyprus Bar Association and ICPAC) are empowered to issue binding regulations and directives specifying the details and method of implementation of the risk management obligations under the NSIU Law, also noting that certain authorities had already issued directives with respect to sanctions and restrictive measures prior to the NSIU Law.

  1. Mandatory reporting of possible breaches to the NSIU

A cornerstone of the new regime is the direct line of communication between obliged entities and the NSIU. Obliged Entities are required to report directly to NSIU any information related to potential sanctions breaches that comes into their possession or awareness in the context of their activities, subject to data protection considerations under the General Data Protection Regulation (GDPR).

The NSIU has the authority to request, in writing, any additional information it deems necessary for its investigations.

Importantly, the sanctions breach reporting obligation under NSIU Law is independent of suspicious activity reporting (SAR) and suspicious transaction reporting (STR) obligations to the Financial Intelligence Unit (MOKAS) under the AML Law.

Where obliged entities a case of potential sanctions violation, they must carefully assess whether a report to MOKAS must be under the AML Law, in addition to their reporting obligations to the NSIU.

  1. Severe penalties for non-compliance

Under the NSIU Law, the NSIU is empowered to impose various administrative measures on obliged entity where they breach their risk management obligations set out in part 2 above:

  • Administrative fines: Supervisory authorities can impose administrative fines of up to €500,000. In cases of continuing violation, an additional daily fine of €500 may be levied.
  • Other administrative measures: These include suspending or revoking an obliged entity’s operating licence, prohibiting permanently or temporarily individuals from holding management positions, requiring an obliged entity or an individual to cease and desist from any action amounting to a breach, and issuing public statements labelling the non-compliant entity.

Separately, the breach of reporting obligations under the NSIU Law may amount to a criminal offence under the Law on Criminal Offenses and Penalties for Violation of Union Restrictive Measures 2025 which transposes the provisions of EU Directive 2024/1226.

Overall, the establishment of the NSIU is a pivotal step in modernising the sanctions enforcement framework of Cyprus and the ruleset for obliged entities aims to brings sanctions compliance mechanisms on equal footing with those under the AML Law.

The NSIU Law can be accessed here (in Greek)

Authors
Aki Corsoni Husain Harneys front portrait image on a grey background
Aki Corsoni-Husain
Partner | Regulatory & Tax | London
Angelos Lanitis Harneys front portrait image on a grey background
Angelos Lanitis
Associate | Regulatory & Tax | Cyprus