Cyprus has passed a new law requiring anyone aware of market
manipulation or insider trading to have a clear, legally protected route to
flag it to the country's financial regulator, with criminal penalties now
facing those who try to silence them.
The legislation formally encodes the procedure for reporting
actual or suspected violations of the EU's Market Abuse Regulation - known as
MAR - to the Cyprus Securities and Exchange Commission, or CySEC.
A Decade-Long EU Obligation, Finally in Hard Law
The EU framework behind this legislation is not new. The
Market Abuse Regulation was adopted back in April 2014, with Article 32
obligating each national regulator to establish dedicated whistleblowing
channels.
The European Commission followed up with Implementing
Directive 2015/2392 in December of that year, spelling out exactly how those
channels should function, who should manage them, and how reporters should be
protected. MAR took effect across the EU in July 2016.
Cyprus had already been operating whistleblowing procedures
in practice. CySEC issued Circular C488 in February 2022, which introduced
formal procedures for receiving market abuse reports and included a dedicated
external disclosure form.
That circular, however, carried the force of regulatory
guidance, not primary legislation. What changed now is that Cyprus moved those
obligations off circulars and into statute, giving the framework the full
weight of Cypriot law.
This follows a broader period of intensifying regulatory
activity out of Nicosia. Earlier this year, CySEC announced plans for on-site visits at
Cyprus Investment Firms to examine how brokers manage conflicts of interest,
scrutinizing pay structures, digital platform design, and inducement practices.
CySEC Chair Dr. George Theocharides signaled in January
that 2026 would bring stricter supervision under new EU rules,
as Cyprus's 253 licensed Cyprus Investment Firms navigate a tightening
compliance
Compliance
In finance, banking, investing, and insurance compliance refers to following the rules or orders set down by the government regulatory authority, either as providing a service or processing a transaction. Compliance concerning finance would also be a state of being following established guidelines or specifications. This designation can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation. Understanding ComplianceCompliance is a
In finance, banking, investing, and insurance compliance refers to following the rules or orders set down by the government regulatory authority, either as providing a service or processing a transaction. Compliance concerning finance would also be a state of being following established guidelines or specifications. This designation can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation. Understanding ComplianceCompliance is a
Read this Term environment.
What the Law Actually Requires
Under the new legislation, CySEC must maintain
"specialized staff members," trained personnel whose sole job is to
handle incoming breach reports, acknowledge receipt, and stay in contact with
reporters who have identified themselves.
These staff members must operate through channels that are
"separate from its general communication channels," designed to
"ensure the completeness, integrity, and confidentiality of information
and to prevent access by unauthorized Commission employees."
Reports can be filed in writing, by phone - with or without
recording - or in person. Where calls are recorded, reporters who identify
themselves have the right to review and sign off on any transcript.
CySEC is also required to publish clearly on its website
what those channels are, what the confidentiality rules look like, and,
critically, that reporting a potential violation does not expose the
whistleblower to legal liability for disclosing otherwise restricted
information.
Personal data collected during the reporting process must be
deleted within three months of the procedure's conclusion, unless judicial or
disciplinary proceedings are still ongoing.
Prison and Fines for Anyone Who Retaliates
The sharpest change from the previous circular-based regime
is the criminal liability section. The law specifies that a person who
"knowingly makes false reports of violations or false public
disclosures," obstructs a report being filed, "retaliates against a
person who has submitted a report of an infringement," or initiates
malicious legal proceedings against a whistleblower
Whistleblower
A whistleblower is an individual who manages to provide information or activity within a private or public organization that is deemed illegal, unethical, or not correct. In many countries, including the United States, whistleblowers are protected by law and in some cases can even recoup rewards if their information leads to successful prosecution.In the context of the financial services industry, whistleblowers play a large role in oversight, helping unmask several episodes of illicit behavior
A whistleblower is an individual who manages to provide information or activity within a private or public organization that is deemed illegal, unethical, or not correct. In many countries, including the United States, whistleblowers are protected by law and in some cases can even recoup rewards if their information leads to successful prosecution.In the context of the financial services industry, whistleblowers play a large role in oversight, helping unmask several episodes of illicit behavior
Read this Term "is guilty of a
criminal offense" and faces "imprisonment for a term not exceeding
three (3) years or a fine not exceeding thirty thousand euros (€30,000) or
both."
That liability extends up the corporate ladder. Where the
offense is committed by a legal entity, "criminal liability shall be
borne, in addition to the legal entity itself, any of the members of its
administrative, management, supervisory, or controlling bodies who are proven
to have consented to or participated in the commission of the offense."
The practical implication for Cyprus's broker industry is
significant. Cyprus-regulated firms currently serve around 3.6 million of
the 10.5 million retail clients trading across EU borders - about one
in three - according to ESMA data.
With that scale of operations, the risk that an employee
somewhere in those organizations might witness conduct that looks like market
manipulation is not trivial. Until now, the regulatory protections and
consequences for suppressing such reports sat in circulars. They now sit in
criminal law.
CySEC's Review Obligation
The law also requires CySEC to review its own whistleblowing
procedures at least once every two years, taking into account "its
experience and that of other relevant competent authorities" and adapting
"in line with developments in technology and markets."
The Commission retains the power to issue binding directives
under the law, which it can use to fill in procedural details not specified in
the statute itself.
The legislation arrives as Cyprus continues to push its
regulated firms toward greater transparency more broadly. In February, CySEC moved to require financial firms to share
their group structure disclosures with European authorities, shifting from
a model where disclosures were published solely on individual firms' own
websites.
Cyprus has passed a new law requiring anyone aware of market
manipulation or insider trading to have a clear, legally protected route to
flag it to the country's financial regulator, with criminal penalties now
facing those who try to silence them.
The legislation formally encodes the procedure for reporting
actual or suspected violations of the EU's Market Abuse Regulation - known as
MAR - to the Cyprus Securities and Exchange Commission, or CySEC.
A Decade-Long EU Obligation, Finally in Hard Law
The EU framework behind this legislation is not new. The
Market Abuse Regulation was adopted back in April 2014, with Article 32
obligating each national regulator to establish dedicated whistleblowing
channels.
The European Commission followed up with Implementing
Directive 2015/2392 in December of that year, spelling out exactly how those
channels should function, who should manage them, and how reporters should be
protected. MAR took effect across the EU in July 2016.
Cyprus had already been operating whistleblowing procedures
in practice. CySEC issued Circular C488 in February 2022, which introduced
formal procedures for receiving market abuse reports and included a dedicated
external disclosure form.
That circular, however, carried the force of regulatory
guidance, not primary legislation. What changed now is that Cyprus moved those
obligations off circulars and into statute, giving the framework the full
weight of Cypriot law.
This follows a broader period of intensifying regulatory
activity out of Nicosia. Earlier this year, CySEC announced plans for on-site visits at
Cyprus Investment Firms to examine how brokers manage conflicts of interest,
scrutinizing pay structures, digital platform design, and inducement practices.
CySEC Chair Dr. George Theocharides signaled in January
that 2026 would bring stricter supervision under new EU rules,
as Cyprus's 253 licensed Cyprus Investment Firms navigate a tightening
compliance
Compliance
In finance, banking, investing, and insurance compliance refers to following the rules or orders set down by the government regulatory authority, either as providing a service or processing a transaction. Compliance concerning finance would also be a state of being following established guidelines or specifications. This designation can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation. Understanding ComplianceCompliance is a
In finance, banking, investing, and insurance compliance refers to following the rules or orders set down by the government regulatory authority, either as providing a service or processing a transaction. Compliance concerning finance would also be a state of being following established guidelines or specifications. This designation can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation. Understanding ComplianceCompliance is a
Read this Term environment.
What the Law Actually Requires
Under the new legislation, CySEC must maintain
"specialized staff members," trained personnel whose sole job is to
handle incoming breach reports, acknowledge receipt, and stay in contact with
reporters who have identified themselves.
These staff members must operate through channels that are
"separate from its general communication channels," designed to
"ensure the completeness, integrity, and confidentiality of information
and to prevent access by unauthorized Commission employees."
Reports can be filed in writing, by phone - with or without
recording - or in person. Where calls are recorded, reporters who identify
themselves have the right to review and sign off on any transcript.
CySEC is also required to publish clearly on its website
what those channels are, what the confidentiality rules look like, and,
critically, that reporting a potential violation does not expose the
whistleblower to legal liability for disclosing otherwise restricted
information.
Personal data collected during the reporting process must be
deleted within three months of the procedure's conclusion, unless judicial or
disciplinary proceedings are still ongoing.
Prison and Fines for Anyone Who Retaliates
The sharpest change from the previous circular-based regime
is the criminal liability section. The law specifies that a person who
"knowingly makes false reports of violations or false public
disclosures," obstructs a report being filed, "retaliates against a
person who has submitted a report of an infringement," or initiates
malicious legal proceedings against a whistleblower
Whistleblower
A whistleblower is an individual who manages to provide information or activity within a private or public organization that is deemed illegal, unethical, or not correct. In many countries, including the United States, whistleblowers are protected by law and in some cases can even recoup rewards if their information leads to successful prosecution.In the context of the financial services industry, whistleblowers play a large role in oversight, helping unmask several episodes of illicit behavior
A whistleblower is an individual who manages to provide information or activity within a private or public organization that is deemed illegal, unethical, or not correct. In many countries, including the United States, whistleblowers are protected by law and in some cases can even recoup rewards if their information leads to successful prosecution.In the context of the financial services industry, whistleblowers play a large role in oversight, helping unmask several episodes of illicit behavior
Read this Term "is guilty of a
criminal offense" and faces "imprisonment for a term not exceeding
three (3) years or a fine not exceeding thirty thousand euros (€30,000) or
both."
That liability extends up the corporate ladder. Where the
offense is committed by a legal entity, "criminal liability shall be
borne, in addition to the legal entity itself, any of the members of its
administrative, management, supervisory, or controlling bodies who are proven
to have consented to or participated in the commission of the offense."
The practical implication for Cyprus's broker industry is
significant. Cyprus-regulated firms currently serve around 3.6 million of
the 10.5 million retail clients trading across EU borders - about one
in three - according to ESMA data.
With that scale of operations, the risk that an employee
somewhere in those organizations might witness conduct that looks like market
manipulation is not trivial. Until now, the regulatory protections and
consequences for suppressing such reports sat in circulars. They now sit in
criminal law.
CySEC's Review Obligation
The law also requires CySEC to review its own whistleblowing
procedures at least once every two years, taking into account "its
experience and that of other relevant competent authorities" and adapting
"in line with developments in technology and markets."
The Commission retains the power to issue binding directives
under the law, which it can use to fill in procedural details not specified in
the statute itself.
The legislation arrives as Cyprus continues to push its
regulated firms toward greater transparency more broadly. In February, CySEC moved to require financial firms to share
their group structure disclosures with European authorities, shifting from
a model where disclosures were published solely on individual firms' own
websites.
