On the 1st of August 2025, the Cyprus Securities and Exchange Commission (hereinafter referred to as “CySEC”), via the Circular C724, brought to the attention of and introduced to the Compliance and Legal Departments of all Regulated Entities within the Republic of Cyprus, Three New pieces of Legislation, that were published in the Official Gazette of the Republic. These instruments, collectively redefine and establish the New Legal Framework for Restrictive Measures/Sanctions.
The New Legal Framework is marking a structural shift in how sanctions are implemented, supervised, and enforced in the Republic of Cyprus.
The “Shift”
- Criminalization of Sanctions Violations
The Criminalization of the Violation of the Restrictive Measures of the European Union Law of 2025 (L. 149(Ι)/2025), aligns national law with Directive (EU) 2024/1226, establishing and defining clear criminal offences and penalties for breaches and/or violation of EU sanctions. It amends Directive (EU) 2018/1673 and repeals the Implementation of the Provisions of the Resolutions or Decisions of the United Nations Security Council (Sanctions) and the Decisions and Regulations of the Council of the European Union (Restrictive Measures) Law of 2016. Moreover, L.149(I)/2025, expands liability to cover incitement, aiding, abetting, and attempts.
Key takeaway: Violations are now treated as criminal offences, raising the stakes for compliance failures.
- Establishment of the National Sanctions Implementation (NSIU- known locally as “EMEK”)
Under the Establishment of the NSIU Law of 2025 (L. 150(Ι)/2025), a new Directorate within the Ministry of Finance, is tasked with the central coordination of sanctions implementation. Its functions, inter alia, include:
- Supervising and implementing the EU and UN restrictive measures
- Coordinating competent authorities and state services
- Reviewing licensing/derogation requests
- Investigating potential violations
- Issuing guidance, directives, and circulars
- Organizing training and awareness initiatives.
L.150(I)/2025, also establishes the framework for authorization applications, for the obligations of regulated entities, as well as for the imposition of administrative fines by the NSIU without affecting the powers and responsibilities of the Supervisory Authorities.
Key takeaway: Cyprus now has a dedicated enforcement body, increasing oversight and harmonizing implementation across sectors.
- Strengthened Whistleblower Protections
The Protection of Persons Reporting Breaches of Union and National Law (Amending) Law of 2025 (L. 148(Ι)/2025) extends whistleblower protections to include sanctions violations. This aligns national law with the Directive (EU) 2024/1226 of the European Parliament and of the Council, of 24 April 2024, on the definition of criminal offences and penalties for the violation of Union restrictive measures and amending Directive (EU) 2018/1673 by adding the violations of Union restrictive measures listed in article 5 of the Law on the Criminalization of the Violation of Union Restrictive Measures, including cases of incitement, aiding and abetting and attempting to commit them, to the application of the relevant law.
Key takeaway: L.148(I)/2025 encourages reporting of non-compliance without the fear of retaliation.
Compliance Actions Required
Circular C724, applies to a wide spectrum of Regulated Entities, including CIFs, AIFMs, UCITS managers, ASPs, CASPs, and small AIFMs.
CySEC instructs firms to harmonize their procedures, in order to comply with the new legal framework, specifically:
- Reviewing and updating sanctions screening mechanisms to detect potential breaches promptly.
- Enhancing reporting channels and escalation protocols to meet new legal timelines.
- Strengthening internal governance, ensuring clear accountability for sanctions compliance.
- Documenting procedures and controls to demonstrate compliance upon request.
- Ensuring training and awareness at all levels, from staff to board members, to understand criminal liability and the operational implications of C724.
- Preparing for closer supervisory engagement and potential administrative fines by the NSIU.
The issuance of C724 is not happening in a vacuum. As the EU and international community tighten sanctions regimes, Cyprus, as a major financial hub, faces increasing expectations to demonstrate its regulatory rigour.
A Call to Act, not to React
Non-compliance carries significant reputational, legal, and financial risks. With C724, CySEC has made it clear that passive or reactive approaches are no longer acceptable.
For Compliance and Legal Departments of the Regulated Entities, Circular C724 should trigger a comprehensive review of existing frameworks. Those who act early by integrating sanctions compliance into enterprise-wide risk strategies, will be best positioned to navigate the more stringent environment ahead.
In the words of CySEC Chairman Dr. George Theocharides, entities are called to “harmonise the existing measures and procedures in place” to align with the new legal framework. This isn’t merely regulatory housekeeping, it’s a fundamental shift on how sanctions compliance is understood and enforced in Cyprus.
By Stefania G. Christofidou