Cyprus adopted its national cybersecurity strategy in 2012: Cybersecurity Strategy of the Republic of Cyprus - Network and Information Security and Protection of Critical Information Infrastructures, https://www.cyberwiser.eu/sites/default/files/ec_doc_stratigikikevernoas....
The national strategy has the following objectives:
- Obj. 1 - Developing and preserving a safe and secure electronic business environment in Cyprus.
- Obj. 2 - Supporting the targets of the government that have been identified in the ‘Digital Cyprus’ strategy programme to develop conditions for an Information Society.
- Obj. 3 - Developing trust, on behalf of citizens and organisations/businesses, in e-government services, including the preservation of information and data in transit, processing and storage.
- Obj. 4 - Establishing a safe electronic environment in the Republic of Cyprus for all of its citizens, including children.
- Obj. 5 - Mitigating the effects of threats in cyberspace and the effective response to emergencies.
- Obj. 6 - Supporting a future coordinated national response plan for the protection of critical infrastructures (beyond ICT) in the Republic of Cyprus.
NATIONAL CYBERSECURITY STRATEGY - NIS Capacities
|Year of adoption||2012 CYBERSECURITY STRATEGY OF THE REPUBLIC OF CYPRUS http://www.cyberwiser.eu/sites/default/files/ec_doc_stratigikikevernoasf...|
|Updates and revisions||
In 2006, the Ministry of Communications and Works (MCW) approved a policy document, through which a number of specific actions in the area of network and information security are promoted, via OCECPR: the formation of Computer Emergency Response Teams (CERTs / CSIRTs), the creation of an institutional framework for the security and integrity of information infrastructures, and the raising of awareness of all stakeholders and Cypriot society about relevant security matters.
In 2017, at the Conference titled "How S@fe is your Business?", George Michaelides, Commissioner of Electronic Communications & Postal Regulation (OCECPR), spoke about the new Network and Information Security (NIS) directive which applies to operators of "essential services" in "critical sectors".
|Operational capacity building||
The Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR) is an independent regulatory authority of the Republic of Cyprus in matters of electronic communications and postal services, with additional responsibilities in the areas of terminal equipment, network and information security and protection of critical information infrastructures. It has been designated as the body responsible for coordinating the implementation of the National Cybersecurity Strategy of the Republic of Cyprus, which concerns the pillars of network and information security (cybersecurity), cybercrime, cyberdefence and related external affairs.
OCECPR is responsible for the creation and coordination of a body or bodies for response to incidents related to Network and Information Security (CSIRTs - Computer Security Incident Response Teams or CERTs - Computer Emergency Response Teams) in Cyprus. It also supervises and regulates the activity of the above CSIRT / CERT entities.
OCECPR, with secondary legislation, sets minimum standards for the security of public networks and networks that offer electronic communications services to third parties, and monitors the level of implementation of relevant organisational, procedural and technical measures. It is also responsible for receiving security breach notifications, related to the networks and personal data of the consumers, and disseminating them as deemed necessary for national level cooperation, but also to other Member States of the European Union, ENISA and the European Commission.
The main laws in the field of cybercrime in Cyprus are:
Business and public-private partnerships
There is public-private co-operation on awareness of cybersecurity and in the creation of a cybercrime centre of excellence. A biennial CYpBER conference provides a liaison between the Cyprus government and private sector representatives dealing with cybersecurity concerns (mostly related to the oil and gas industry).
|Other capacity-building measures: research and education||
The strategy includes a dedicated chapter on training and capacity development, including:
The Cyprus Cybercrime Center of Excellence (3CE), http://www.3ce.cy/en/, provides short-term, highly focused and specialised training seminars on cybercrime-related issues for public and private sector participants. Courses facilitate the exchange and diffusion of tacit knowledge and expertise and familiarise participants with new technologies and tools, and improve their day-to-day activities related to the Cybercrime area. University courses on Cybercrime developed and delivered to stakeholders will provide better understanding of the legal and technical elements of cybercrime for new generation scientists. Courses will be made available under creative commons licensing terms for LEAs worldwide. 3CE aspires to become an exemplary Centre of Excellence in the area of Cybercrime by conducting research in relevant fields, focusing particularly on areas dealing with forensic analysis, intrusion detection systems of critical information infrastructures, and legal aspects of cybercrime.
|Implementation & Monitoring||
The competent/related authorities that are involved at this stage are the following:
It is noted that the competent authority of the Republic of Cyprus that has responsibilities relating to Classified Information (CI) and European Union Classified Information (EU CI) is the National Security Authority.
|Overall assessment/best practices||
Public-private co-operation on awareness of cybersecurity and creation of a Cybercrime Centre of Excellence (3CE), which provides short-term, highly focused and specialised training seminars on cybercrime-related issues for public and private sector participants.
Creation of a suitable workforce with the necessary specialised knowledge.
GDPR and NIS Directive: Compliance and Notification
National Computer Security Incident Response Team (CSIRT)
Computer Emergency Response Team (CERT)
Notification obligations in the event of a data breach
NIS Directive (operators of essential services and digital service providers): actual, adverse and significant impact on the continuity of essential services. Actual, adverse and substantial impact on the provision of enumerated digital services.
GDPR (any organisation dealing with the data of EU citizens): accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Cyprus does not have a CERT or similar authority for the central logging of cybersecurity incident data.
Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR): http://www.ocecpr.org.cy/
Department of Information Technology Services (DITS)
National Security Authority
Central Intelligence Service
Department of Electronic Communications (DEC)
Cyprus Research and Academic CSIRT
The mission of the KIOS Research and Innovation Centre of Excellence (KIOS CoE) http://www.kios.ucy.ac.cy/ is to conduct multidisciplinary research and innovation in the area of Information and Communication Technologies (ICT) with emphasis on the Monitoring, Control, Security and Management of Critical Infrastructures.
KIOS CoE strives to create a regional research and innovation ecosystem in the area of ICT, resulting in major economic and societal benefits for Cyprus and Europe as a whole, by cultivating a vibrant research and innovation cluster in high technology areas linking universities, technology companies and end users, government agencies, as well as enterprise support companies.
|Last WISER update||October 2017|