Cyprus has passed a new law requiring anyone aware of market manipulation or insider trading to have a clear, legally protected route to flag it to the country's financial regulator, with criminal penalties now facing those who try to silence them.
The legislation formally encodes the procedure for reporting actual or suspected violations of the EU's Market Abuse Regulation - known as MAR - to the Cyprus Securities and Exchange Commission, or CySEC.
A Decade-Long EU Obligation, Finally in Hard Law
The EU framework behind this legislation is not new. The Market Abuse Regulation was adopted back in April 2014, with Article 32 obligating each national regulator to establish dedicated whistleblowing channels.
The European Commission followed up with Implementing Directive 2015/2392 in December of that year, spelling out exactly how those channels should function, who should manage them, and how reporters should be protected. MAR took effect across the EU in July 2016.
- SEC Grants 100th Whistleblower Award, Tipster Receives $1.8 Million
- FSMA Blocks 245 Scam Websites; Whistleblowing Increases 12% in 2025
- FCA Reports 209 Consumer Duty Allegations Among 2,684 Whistleblowing Claims
Cyprus had already been operating whistleblowing procedures in practice. CySEC issued Circular C488 in February 2022, which introduced formal procedures for receiving market abuse reports and included a dedicated external disclosure form.
That circular, however, carried the force of regulatory guidance, not primary legislation. What changed now is that Cyprus moved those obligations off circulars and into statute, giving the framework the full weight of Cypriot law.
This follows a broader period of intensifying regulatory activity out of Nicosia. Earlier this year, CySEC announced plans for on-site visits at Cyprus Investment Firms to examine how brokers manage conflicts of interest, scrutinizing pay structures, digital platform design, and inducement practices.
CySEC Chair Dr. George Theocharides signaled in January that 2026 would bring stricter supervision under new EU rules, as Cyprus's 253 licensed Cyprus Investment Firms navigate a tightening compliance environment.
What the Law Actually Requires
Under the new legislation, CySEC must maintain "specialized staff members," trained personnel whose sole job is to handle incoming breach reports, acknowledge receipt, and stay in contact with reporters who have identified themselves.
These staff members must operate through channels that are "separate from its general communication channels," designed to "ensure the completeness, integrity, and confidentiality of information and to prevent access by unauthorized Commission employees."
Reports can be filed in writing, by phone - with or without recording - or in person. Where calls are recorded, reporters who identify themselves have the right to review and sign off on any transcript.
CySEC is also required to publish clearly on its website what those channels are, what the confidentiality rules look like, and, critically, that reporting a potential violation does not expose the whistleblower to legal liability for disclosing otherwise restricted information.
Personal data collected during the reporting process must be deleted within three months of the procedure's conclusion, unless judicial or disciplinary proceedings are still ongoing.
Prison and Fines for Anyone Who Retaliates
The sharpest change from the previous circular-based regime is the criminal liability section. The law specifies that a person who "knowingly makes false reports of violations or false public disclosures," obstructs a report being filed, "retaliates against a person who has submitted a report of an infringement," or initiates malicious legal proceedings against a whistleblower "is guilty of a criminal offense" and faces "imprisonment for a term not exceeding three (3) years or a fine not exceeding thirty thousand euros (€30,000) or both."
That liability extends up the corporate ladder. Where the offense is committed by a legal entity, "criminal liability shall be borne, in addition to the legal entity itself, any of the members of its administrative, management, supervisory, or controlling bodies who are proven to have consented to or participated in the commission of the offense."
The practical implication for Cyprus's broker industry is significant. Cyprus-regulated firms currently serve around 3.6 million of the 10.5 million retail clients trading across EU borders - about one in three - according to ESMA data.
With that scale of operations, the risk that an employee somewhere in those organizations might witness conduct that looks like market manipulation is not trivial. Until now, the regulatory protections and consequences for suppressing such reports sat in circulars. They now sit in criminal law.
CySEC's Review Obligation
The law also requires CySEC to review its own whistleblowing procedures at least once every two years, taking into account "its experience and that of other relevant competent authorities" and adapting "in line with developments in technology and markets."
The Commission retains the power to issue binding directives under the law, which it can use to fill in procedural details not specified in the statute itself.
The legislation arrives as Cyprus continues to push its regulated firms toward greater transparency more broadly. In February, CySEC moved to require financial firms to share their group structure disclosures with European authorities, shifting from a model where disclosures were published solely on individual firms' own websites.
