Does the new Cyprus governance directive apply to electronic money institutions as well as payment institutions?

Yes. K.D.P. 246/2026 is the substantive nineteen-page governance directive for payment institutions, issued under Articles 5(3)(c) and 105 of the Payment Services and Access to Payment Systems Laws 2018 to 2025. K.D.P. 245/2026 is the parallel directive for electronic money institutions, issued under Article 45 of the Electronic Money Laws 2012 to 2018. The electronic money institutions directive is short, and its operative provision is paragraph 5, which provides that the payment institutions governance directive applies by analogy to electronic money institutions. Both populations are now held to the same governance framework on the same compliance calendar.

What are the key compliance deadlines under the new directive?

Two milestones. Within three months of publication on 29 May 2026, the institution must submit to the Central Bank of Cyprus an action plan for full compliance with the directive, which lands around the end of August 2026. Full compliance must be achieved within nine months of publication, around late February 2027. New licence applicants must satisfy the framework at the point of licensing rather than after.

Can the internal control functions be outsourced under the new directive?

Yes. Article 33 of the payment institutions directive explicitly permits the outsourcing of activities including the control functions, subject to conditions and to the European Banking Authority guidelines on outsourcing arrangements (EBA/GL/2019/02). The institution remains fully responsible for outsourced functions. It must conduct due diligence and risk assessment, have written outsourcing agreements, classify critical or important functions, retain the ability to oversee and audit the provider, ensure business continuity and the Central Bank's access rights, and notify or obtain approval where required.

Cyprus PI/EMI Governance Directive 2026

Q: What governance framework does the new directive require institutions to put in place?

A management body of at least five members, with executive members not outnumbering non-executive members and a strong independent and non-executive presence, meeting at least four times a year with at least one fully in-person meeting and a quorum of fifty per cent. Where proportionality requires, a risk committee and an audit committee. Three independent and permanent control functions: risk management, regulatory compliance including Anti-Money Laundering and Counter-Terrorist Financing, and internal audit. An information and communications technology risk management function aligned with the Digital Operational Resilience Act. Plus a code of conduct, a customer-complaints procedure, internal whistleblowing channels, a new-product approval process, and annual reporting of the control functions to the management body and to the Central Bank.

On 29 May 2026 the Central Bank of Cyprus published two directives that together reset the internal organisation and governance framework for payment institutions and for electronic money institutions. K.D.P. 246/2026 sets out the substantive governance framework for payment institutions across nineteen pages. K.D.P. 245/2026, the parallel directive for electronic money institutions, is short. Its operative provision is paragraph 5, which provides that the payment institutions directive applies by analogy to electronic money institutions. The same standard, the same calendar, the same supervisory expectations on two regulated populations.

The directive does not introduce governance into the sector. Most of what it asks for has been the implicit reference architecture for some time. The change is that the framework is now in print, and in print does not negotiate the way conversations did.

What was already in place

Payment institutions and electronic money institutions in Cyprus have been operating under regulated frameworks for years. Fit-and-proper assessments of board members are not new and have been governed by a separate directive of 2025 (K.D.P. 164/2025). Non-executive composition has been a licensing expectation. The three lines of defence have been the implicit reference architecture for internal control since the European Banking Authority started issuing guidelines on the subject. Anti-Money Laundering and Counter-Terrorist Financing compliance officers are required by the Prevention and Suppression of Money Laundering Activities Law. An internal audit function has been a supervisory expectation. Information and communications technology, outsourcing and operational resilience have been governed by European Banking Authority guidelines and, since January 2025, by Regulation (EU) 2022/2554, the Digital Operational Resilience Act.

The audience for this article will recognise all of this. It is the existing baseline against which the new directive should be read. What the directive does is more specific, and more interesting.

What the directive writes down

The directive writes down a management body of at least five members, with executive members not outnumbering non-executive members and a strong independent and non-executive presence on the board. The board and its committees meet at least four times a year, with at least one fully in-person meeting and a quorum of fifty per cent. Where proportionality requires, a risk committee and an audit committee. Three independent and permanent control functions, namely risk management, regulatory compliance (including Anti-Money Laundering and Counter-Terrorist Financing) and internal audit. An information and communications technology risk management function aligned with the Digital Operational Resilience Act. A code of conduct, a customer-complaints procedure, internal whistleblowing channels, a new-product approval process, and an annual reporting cadence of the control functions to the management body and to the Central Bank.

The proportionality principle remains. It now scales a written threshold rather than substituting for one. An institution that wants to depart from the printed framework has to argue against the printed framework, on the record, with documentation. That is not the same conversation as the one that ended in a judgment both sides could live with.

The room to manoeuvre is narrower

This is the change that outlasts the calendar. Until last month, an institution at the smaller end of scale could have a conversation with the supervisor about what reasonable governance looked like on its particular risk profile, its size, its commercial activity. The conversation usually ended in a judgment, and the documentation reflected the judgment. After 29 May, the same conversation has narrower edges. There is now a printed reference for what a board of at least five looks like, for how often it meets, for who chairs it, for which independent control functions report to it, for how each function reports to the Central Bank.

The institution that built its governance on judgments handed across the supervisor's desk now needs to align the written record with the written rulebook. The institution that built it on documented thresholds will find the work narrower. In both cases, the supervisor's questions in the next examination cycle will be about whether what is on paper is happening in practice, not whether what is in practice is reasonable. That is judgment-based supervision against a written reference, and the directive is the scaffolding it needs.

When the rulebook is clearer, there is less space for manoeuvring.

The calendar runs through summer

The action plan to the Central Bank is due within three months of publication, around the end of August 2026. Full compliance follows within nine months, around late February 2027. New licence applicants must satisfy the framework at the point of licensing. The build window runs through summer holidays and into year-end close, and the safeguarding compliance cycle for electronic money institutions runs alongside it on its own track (the firm's earlier note on the safeguarding obligation covers that surface).

For institutions that have most of the framework already in place, the work is documenting it against the new written reference, identifying the gaps between the rulebook and the operating reality, and closing them in writing. Article 33 of the payment institutions directive explicitly permits the outsourcing of activities, including the control functions, subject to the European Banking Authority guidelines on outsourcing arrangements. That is not an accident of drafting. It is the Central Bank acknowledging that the cost stack of three independent permanent control functions plus an information and communications technology risk function plus an audit committee plus a risk committee is significant for institutions at the lower end of scale, and that outsourced capacity is part of how the framework gets built in time.

The clock between now and February is real, and tighter than it looks on paper. The deeper change is permanent. The rulebook is clearer. There is less space for manoeuvring. The institution that recognises this early gets a quieter supervisory relationship; the institution that does not will find that what it could once explain across a desk now has to survive a written comparison against a printed reference.

The CBC has not raised the bar.It has put the bar in print.

What was already in place

What the directive writes down

The room to manoeuvre is narrower

The calendar runs through summer

The CBC has not raised the bar.
It has put the bar in print.