For most Cypriots, the country’s digital transformation goes largely unnoticed. Connections are fast, mobile coverage is near-universal, and public services increasingly rely on systems few people ever see. Yet beneath that surface lies a more fragile reality: a state modernising at speed while facing rising cyber threats, growing regulatory pressure and uneven institutional readiness.

Cyprus has moved faster than many EU countries on connectivity, achieving nationwide 5G coverage and pushing toward near-universal fibre-to-the-home. But a series of cyber incidents affecting public institutions has shifted the debate from infrastructure to resilience. The question is no longer how quickly networks can be built, but whether they can be protected.

At the centre of this shift is the Office of the Commissioner of Electronic Communications and Postal Regulation. In this interview, George Michaelides discusses how Cyprus is redefining digital regulation, why cybersecurity has become a governance issue, and what true digital resilience will require in the years ahead.

The Office of the Commissioner for Electronic Communications and Postal Regulation (OCECPR) is mandated to safeguard users and support the national economy by ensuring that electronic communications and postal markets in Cyprus remain competitive, affordable, innovative, and reliable. In recent years, however, the Office has undergone a profound transformation—moving well beyond the role of a traditional sector regulator.

OCECPR has repositioned itself as a proactive, data-driven and forward-looking authority within the wider digital ecosystem. This shift is reflected in the evolution of our regulatory approach. We have moved from a predominantly asymmetrical model—focused mainly on operators with significant market power—to a more symmetrical framework, applying common rules across the market in areas such as consumer protection, quality of service, rights of way, in-building wiring, and colocation. The result is a more level playing field, reduced regulatory friction, and faster deployment of next-generation networks, particularly fiber and mobile broadband.

At the same time, the Office’s mandate has expanded into cybersecurity and artificial intelligence, transforming OCECPR into a genuinely multidisciplinary regulator. In cybersecurity, we are responsible for implementing and enforcing the NIS Directive, operating the National CSIRT, and coordinating national incident response. We also run the National Coordination Centre, which channels European funding into Cyprus’s cybersecurity ecosystem, strengthening national capabilities and market maturity.

A key next step is the completion of the establishment of the National Cybersecurity Certification Authority (NCCA), which will oversee the implementation and enforcement of European cybersecurity certification schemes for ICT products and services, thereby enhancing trust, resilience, and transparency in the digital market. In parallel, we have been appointed as the Artificial Intelligence (AI) Regulator, assuming responsibility for the effective implementation and supervision of the AI Act.

Complementing regulation, we have established and operate a regional ICT Academy, focused on developing digital and cybersecurity skills for citizens and professionals. Together, these initiatives support Cyprus’s strategic ambition to position itself as a regional hub for trusted digital and cybersecurity services, combining effective regulation, skills development, and innovation.

Cyprus is currently performing well regarding very high capacity fixed networks (VHCN) coverage, an area where it has not only closed the gap with the EU average but, over the past three years, has surpassed it.

In mobile networks coverage, Cyprus has achieved full population 5G coverage from 2022 (one of the first in Europe) and has been above EU average coverage since. In both cases a predictable regulatory environment has enabled rapid deployment and extensive geographic reach.

Around 95% of households have internet access, exceeding the EU average, with more than 90% covered by fiber networks. Although some rural and remote areas still depend on legacy copper networks, these gaps are being systematically addressed through the state aid plan administered by the Deputy Ministry of Research, Innovation and Digital Policy. Most importantly, Cyprus is on track to achieve near-universal fibre-to-the-home coverage by the end of 2026. Once completed, this will effectively eliminate remaining urban-rural coverage disparities.

The postal market in Cyprus faces structural transformation like other countries across Europe, intensified by the country’s small size, island geography, and reliance on cross-border trade. While traditional letter mail will continue to decline due to digitalization, e-commerce will remain the dominant force in the market, driving parcel volumes and shaping future infrastructure, service quality, and delivery models.

Looking ahead, automation and digital transformation are central to the sector’s future sustainability. Investments in automated sorting systems, parcel lockers, advanced track-and-trace capabilities, real-time shipment management, data-driven route optimization and other artificial intelligence applications are expected to play an increasing role in demand forecasting and operational processes. At the same time, environmental sustainability is becoming a priority, driving investments in electric delivery vehicles, energy-efficient facilities, and greener last-mile solutions in line with European climate objectives.

As  the Cypriot postal market is evolving into a parcel driven platform, the universal service will still remain essential for social cohesion, but it is likely to become leaner and more targeted. Regulatory flexibility, strategic partnerships, and workforce reskilling will be critical to ensuring long-term viability and competitiveness. Overall, the sector’s outlook remains positive: e-commerce penetration, growing demand for faster and more transparent services, continued automation, and the expansion of flexible delivery solutions point to a dynamic and resilient postal market in the years ahead.

The reality is that cybersecurity incidents occur constantly. Many are detected and mitigated before they result in real impact, others cause significant disruption, and only some reach public attention. What organisations in both the public and private sectors must clearly understand is that it is no longer a question of “if” an incident will occur, but “when”.

The greatest challenge remains the lack of a strong, security-driven culture within organisations, combined with insufficient and inconsistent commitment from senior management. Cybersecurity can no longer be treated as a purely technical issue. Under the NIS2 Directive, responsibility and liability for failing to implement appropriate technical and organisational measures rest squarely with top-level management. This requires a shift in mindset, governance, and accountability, with organisations moving decisively towards higher levels of cybersecurity maturity—not only to protect their own operations, but, above all, to safeguard customers, service users, and trust in the digital ecosystem.

The National CSIRT (CSIRT-CY) functions as the central technical point for handling and coordinating cybersecurity incidents across critical sectors. Its role is to support operators of Critical Infrastructures (CIIs) before, during, and after an incident — from preparation and early detection to response, recovery, and lessons learned.  It operates on a 24/7 basis, using standardized response procedures, secure communication channels, and clear escalation paths to ensure that incidents are managed quickly and consistently. Its operations are in line with the EU’s NIS2 framework, strengthening national situational awareness and cooperation across sectors and borders.

Detection, response, and international cooperation have all improved significantly, mainly through deeper operational collaboration at EU level. The National CSIRT now works more closely with its European counterparts through the CSIRT Network coordinated by ENISA, enabling faster early warnings, mutual assistance, and coordinated cross-border responses. This has directly improved both the speed and quality of incident handling.

Participation in EU-wide cyber exercises, such as ENISA’s Cyber Europe, as well as EU-funded projects, has strengthened preparedness, tested response procedures, and improved interoperability with partner CSIRTs. At the same time, daily threat-intelligence exchange and expert-to-expert cooperation within the CSIRT community have enhanced detection capabilities and situational awareness.

Our priority is to deliver top-quality services through the National CSIRT. To this end, we have successfully completed the certification audit process to become a CERTIFIED Member of the international Trusted Introducer (TI) organisation, placing our National CSIRT among the top 9% of CSIRTs globally in terms of maturity.  The official award ceremony is expected to take place in Q1 2026.

Unfortunately, our budget has been adversely affected by the lengthy and bureaucratic processes that continue to characterise parts of the public sector. Despite the fact that we consistently submit our budget proposals in a timely and responsible manner, these prolonged and often unproductive procedures have brought us to a point where we were approaching serious constraints in meeting our financial obligations and, in some cases, the risk of delaying payments.

I would therefore like to take this opportunity to sincerely thank the Standing Committee on Finance and Budget of the House of Representatives of Cyprus, as well as the Parliament as a whole, for their swift response and decisive action in approving our budgets. Their timely intervention was crucial in ensuring the continuity of our operations and in allowing us to carry out our responsibilities effectively, for the public interest.

I do not think it is a matter of identifying a single ‘biggest’ risk to focus on – more so, the significance lies in understanding the value of building a strong cybersecurity posture, across many levels, which is what we have recognized at the Digital Security Authority and what has driven our vision for a stronger and more digitally resilient society overall. Although our main focus began with the identification, protection and support of essential and important entities which perform vital societal functions and services, such as in the energy, transport, health and governmental sectors for example, we have rapidly expanded our activities and services beyond this.

We are offering multi-level support to SMEs and other businesses across Cyprus, we are working hard on product security and certification, and we firmly believe that we cannot be truly cyber-secure without ‘Security For All’ – where every citizen’s security and awareness level count. A truly resilient digital society caters for cybersecurity threats across all sectors, business types and citizen types alike, and thus is becomes paramount (and evident) that we must work together in order to achieve the required results.

More Info