The Cyprus Whistleblower Protection Act

Cyprus Whistleblower Protection Law overview

Cyprus amended its whistleblower protection laws in 2022 to transpose the EU Whistleblower Protection Directive’s requirements into national law. The law defines whistleblower protections for anyone reporting violations of either EU law or Cypriot national law, and imposes several obligations on organizations to protect internal whistleblowers. 

The new legislation covers all public and private organizations with at least 50 employees, requiring them to establish mechanisms to allow for whistleblower reports and to protect whistleblowers. Employers must also appoint someone to investigate whistleblower claims, and this can be an internal manager or an external third party. 

The law protects whistleblowers and those assisting them from retaliation for submitting a report. It also allows them to report their concerns externally to Cypriot law enforcement and several regulatory agencies (the Labor Department and the Public Service Commission, for example), depending on the exact concern being raised. If a whistleblower reports their concerns publicly (for example, to the press), protections only apply if the whistleblower has already tried to report internally or to regulators with no success, and the whistleblower believes the public interest is in imminent danger.

What does the Cyprus whistleblower protection law cover?

The law adopts the minimum standards for whistleblower protection outlined in the EU Whistleblower Protection Directive. These requirements include: 

1. A secure and confidential channel for receiving whistleblower reports must be in place. 
2. Acknowledgment of the receipt of every whistleblowing report must be provided to the whistleblower within seven days. 
3. An impartial person or department must be appointed to follow up on the reports. 
4. Records must be kept of every report received in compliance with confidentiality requirements.
5. There must be diligent follow-up of the report by the designated person or department. 
6. Feedback on the follow-up or investigation must be given to the whistleblower within three months of receiving the report. 
7. All processing of personal data must be done in accordance with GDPR.

All covered business must meet the following basic requirements

The law requires all covered organizations to: 

1. Set up a whistleblowing system with comprehensive whistleblower protections
2. Adopt a policy on reporting legal violations and other misconduct. Businesses must also train employees on how to use the hotline and on the importance of non-retaliation. 
3. Companies are allowed to outsource the management of their hotline to a third-party service provider.

Confidentiality, retaliation and disclosures

Whistleblowers are allowed to submit reports in writing, verbally or in person; and the company must preserve a record of every report submitted. Any personal data in the report must be erased within three months of any subsequent investigation being concluded.

Anonymous report intake and management

The Cyprus law does not expressly state that companies must allow anonymous reporting. If, however, a company does receive an anonymous report and that person’s identity later becomes known, they are still eligible for the law’s anti-retaliation protections just like any other whistleblower.

What are the risks of non-compliance?

Companies that violate Cyprus’ whistleblower law by failing to implement a whistleblower program or by retaliating against a whistleblower can face regulatory fines of up to €30,000. Individuals who retaliate against whistleblowers can face fines of up to €30,000 or up to three years’ imprisonment.