Status regarding Budapest ConventionStatus : Party Declarations and reservations : – See legal profile
The Ministry of research, innovation and digital policy of the Republic of Cyprus published a new “Cybersecurity Strategy” [in Greek] in 2020. This document reviews the previous national strategy (2013) and focuses on 7 areas identified as priorities in the Cypriot response to cyber threats:
- Organization the different competent State bodies,
- Creation of an integrated legislative and regulatory framework,
- Creation and/or adaptation of the necessary structures and mechanisms,
- Formulating of technical and organizational measures and procedures relating to the preparation, protection, detection and response to cyber threats and other events,
- Development of the necessary skills and appropriate training,
- Effective cooperation between the State and the competent bodies of the public/private sectors,
- Development of research and innovation.
State of cybercrime legislation
1. The Law ratifying the Convention on Cybercrime (Budapest Convention), L.22(III)/2004. This legislation covers hacking, child pornography and fraud committed via electronic communication and the Internet.
2. The Law that revises the legal framework on the prevention and combating the sexual abuse and sexual exploitation of children and child pornography, L 91(I)/2014. This legislation ratifies the EU Directive 2011/93/ΕΕ and covers child pornography, grooming and notice and takedown.
3. The Law ratifying the Additional Protocol to the Convention on Cybercrime, concerning the Criminalization of Racist and Xenophobic acts, L.26(III)/2004. This legislation covers racism and xenophobia via computer systems and the Internet.
The Law ratifying the Convention on Cybercrime (Budapest Convention), L.22(III)/2004. This legislation covers hacking, child pornography and fraud committed via electronic communication and the Internet. The L22(III)/2004 includes:
- Art. 48: Offences against confidentiality integrity and availability of computer data systems
- Art. 910: Computer-related offences
- Art. 11: Contentrelated offences
- Art. 12: Offences related to infringements of copyright and related rights
The Law that revises the legal framework on the prevention and combating the sexual abuse and sexual exploitation of children and child pornography, L 91(I)/2014. This legislation ratifies the EU Directive 2011/93/ΕΕ and covers child pornography, grooming and notice and takedown. The L91(I)/2014 includes provisions on “websites containing or disseminating child pornography” (art. 11).
The following investigative techniques are permissible under national law:
- search and seizure of information systems/computer data ( Code of Criminal Procedure)
- preservation of computer data (Law 22(III)/2004)
- order for stored traffic/content data; however, only for stored traffic data (Law 183(I)/2007)
- order for user information (Law 183(I)/2007).
National law does not allow for real-time interception/collection of traffic/content data. However, Law 183(I)/2007 forces ISPs to store telecommunication and traffic data for the purpose of investigation for a period of six months. The use of specialised software such as Child Protection System (CPS) and NetClean facilitate cybercrime investigations.
The right to privacy and freedom of communication are protected under Articles 15 and 17 of the Cyprus Constitution. Specific provisions for the protection of fundamental rights and freedoms are also included in the relevant legislation (specified under section 3.2).
In July 2018, Cyprus adopted a national law ”providing for the protection of natural persons with regard to the processing of personal data and for the free movement of such data” (L. 125(I)/2018) (unofficial English translation). This Law supplements the EU General Data Protection Regulation (GDPR) (Regulation no 2016/679).
Related laws and regulations
- The Law on the Retention of Telecommunication data for the investigation of serious offences, L. 183(I)/2007. This legislation transposed Directive 2006/24/JHA. Although the Directive was invalidated by the Court of Justice of the EU, the national law is still valid. The national law is founded on a constitutional provision and it includes specific safeguards for the protection of privacy; for example, communication data are released only following a court order. A case was recently filed with the Supreme Court on the impact of the annulment of the EU Directive on Law 183(I)/2007 and the Supreme Court found that it complied with the European Convention of Human Rights.
- Law 112(I)/2004 Regulating Electronic Communication and Postal Services.
- Law implementing Directive 2013/40/EU on attacks against information system, 147(i)/2015.
- Law on the protection of the privacy of the communication and access to written communication content, Law 216(i)/2015
- Law 89(I)/2020 on the security of networks and information systems https://dsa.cy/legislation/laws (only available in Greek)
The Ministry of Justice and Public Order, together with the Cyprus Police, are the authorities responsible for the prevention and combating of cybercrime.
The Office for Combating Cybercrime (O.C.C.). The specialised body for cybercrime investigation is the Office for Combating Cybercrime of Cyprus Police. The Office was established in September 2007 based on Police Order No. 3/45 in order to implement the Law on the Convention on Cybercrime (Ratifying Law) L.22(III)/2004. This legislation covers hacking, child pornography, racism and fraud committed via electronic communication and the Internet. According to Police Order No. 3/45, the Office is responsible for the investigation of crimes committed via the Internet or via computers and at the same time it is responsible for the investigation of all offences that violate the rules laid down in Law 22(III)/2004.
The Digital Evidence Forensic Laboratory (DEFL). The DEFL was established in 2009 and is responsible for the effective examination of electronic evidence. DEFL is staffed with specialised officers for the collection and forensic analysis of electronic devices. Their mission is the collection and forensic analysis of digital devices as well as the presentation of expert scientific evidence to the courts.
The Digital Security Authority (DSA) (https://dsa.cy/)
National Computer Security Incident Response Team of Cyprus (CSIRT-CY) (https://csirt.cy)
Office of the Commissioner for Personal Data Protection (OCPDP) (https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/home_el/home_el?opendocument)
Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR) (https://ocecpr.ee.cy/)
Competent authorities and channels
Police-to Police Cooperation
Cyprus cooperates with EU and third countries on the basis of bilateral and multilateral agreements in this field and other channels for exchange of information. The O.C.C cooperates closely with the following organisations:
- Europol/EC3/AWF/ EMPACTS
- EUCTF (European Union Cybercrime Taskforce)
- CIRCAMP (COSPOL Internet Related Child Abusive Material Project)
- ENISA (European Network and Information Security Agency)
- ECTEG (European Cybercrime Training and Education Group)
- CEPOL (European Police College)
- EUROJUST (European Union’s Judicial Cooperation Unit)
- CERT-EU (Computer Emergency Response Team)
- INTERPOL (International Criminal Police Organization)
- European Commission
- EEAS (European External Action Service)
- USA FBI
- VCACITF (Violence Crime Against Children International Task Force) USA FBI.
- Council of Europe (T-CY Assessment)
Practical guides, templates and best practices
Law 23(I)/2001 on International Cooperation in Criminal Matters is the national law applicable to MLA requests. In addition, MLA is carried out on the basis of bilateral agreements and conventions such as the European Convention on Mutual Assistance in Criminal Matters, Law 2(III)/2000 and the Convention on Cybercrime Law 22(III)/2004.
The Ministry of Justice and Public Order is the central authority for receiving and sending requests for mutual legal assistance. For the purpose of simplifying and improving international cooperation a Unit for International Legal Cooperation has been established within the Ministry of Justice and Public Order. A written letter of request must be sent by email, fax or post.
The Ministry of Justice and Public Order receives incoming requests from abroad and sends out MLA requests. Incoming requests are evaluated by the Ministry and forwarded for execution to the competent judicial authority in Cyprus. Regarding outgoing requests, the Ministry also collects requests received internally and sends them abroad.
Sources and links
- GENVAL – Evaluation report on the seventh round of mutual evaluations "The practical implementation and operation of European policies on prevention and combating Cybercrime" – Report on Cyprus
- Other GENVAL 7th round evaluation reports
- The Digital Security Authority (DSA) (https://dsa.cy/)