Whistleblower law in Cyprus #
Cyprus implemented Directive (EU) 2019/1937 through Law 6(I)/2022, published on 4 February 2022. The basic private-sector trigger is 50 employees, but Cyprus organises external reporting through a competent-authority structure rather than one universal state inbox.
Applicable law #
Who must establish an internal channel #
- All public-sector entities (with limited statutory exceptions).
- Private employers with 50 or more employees.
- Entities in certain regulated industries (notably financial services) regardless of headcount.
Private firms with 50-249 employees had until 17 December 2023 to establish their internal channels.
Penalties and enforcement #
Cyprus enforces through a single criminal-penalty tier rather than a graded administrative-fine schedule. The enumerated offences — obstructing or hindering a report, retaliating against a reporter, bringing malicious or vexatious proceedings, breaching the confidentiality of a reporter’s identity, and knowingly making false reports — are punishable by up to 3 years’ imprisonment and/or a fine of up to €30,000.
| Conduct | Penalty |
|---|---|
| Obstruction, retaliation, malicious proceedings, breach of confidentiality, or knowingly false reports | Up to 3 years’ imprisonment and/or a fine up to €30,000 |
| Legal entity — offences committed on its behalf, or lack of supervision/control enabling them | Fine up to €30,000 (imprisonment applies only to natural persons) |
An honest assessment of enforcement. Note what the penalty schedule targets: it attaches to misconduct toward a reporter (obstruction, retaliation, breaking confidentiality), not to the bare administrative fact of not having set up a channel. The obligation to establish a channel is mandatory, but the research found no distinct fine for simply lacking one, and no public record of any company being prosecuted, fined, or sanctioned under Law 6(I)/2022 to date. Enforcement is decentralised across sector-specific authorities, and no proactive inspection regime has surfaced. The real exposure is criminal liability the moment a reporter is silenced or retaliated against — which a functioning internal channel is designed to prevent.
External reporting authority #
Cyprus uses a list of competent authorities for external reporting, depending on the subject matter and sector. The official central guidance is the government whistleblower explainer , which points to guides for competent authorities rather than one single cross-sector authority.
Data protection authority #
For data-protection complaints relating to report handling, the relevant authority is the Office of the Commissioner for Personal Data Protection . The office has also issued a whistleblower-specific announcement .
Key compliance points #
- Cyprus expects obliged entities to publish both worker-facing guidance and internal handling rules.
- The law also covers anonymous reports where the whistleblower is later identified and suffers retaliation.
- In practice, Cypriot organisations should tell reporters which external authority fits the topic instead of treating “external reporting” as one generic route.
Official sources #
- Law 6(I)/2022 — official text PDF
- Law 6(I)/2022 — consolidated text
- Government whistleblower explainer
- Whistleblowers Guide for employees (gov.cy, April 2024)
- Audit Office — competent authorities for receiving and investigating complaints
- CyPAOB — whistleblower reporting channels
- Office of the Commissioner for Personal Data Protection — home page
- Office of the Commissioner for Personal Data Protection — whistleblower announcement
Deploy your reporting channel →
Last updated: