A New Supervisory Era for Cyprus-Regulated Entities
The implementation of Regulation (EU) 2024/1620, establishing the European Anti-Money Laundering Authority (AMLA), marks a key turning point in how anti-money laundering (AML) is supervised across the European Union. AMLA introduces a centralised authority with powers to directly supervise certain high-risk entities and oversee national regulators.
For Cyprus, this is a significant development. Cyprus plays a key role as a regional centre for financial services, investment structures, and professional services. This means local entities must begin preparing now. This includes those regulated by the Cyprus Securities and Exchange Commission (CySEC), the Institute of Certified Public Accountants of Cyprus (ICPAC), and the Cyprus Bar Association (CBA).
The publication of CySEC Circular C748 on 31 December 2025 marks the beginning of a new supervisory era, one that is uncompromising, data-driven, and increasingly aligned with the centralised EU AMLA model. While addressed to CySEC-supervised entities, its core obligations and tone apply more broadly. Notably, CySEC has made it clear that no reminders will be issued, placing full accountability for regulatory submissions on each firm, regardless of size or sector. This signals a shift toward self-monitoring, structured compliance, and stronger governance expectations across the board.
These supervisory principles,emphasising timeliness, data integrity, and institutional accountability,are increasingly relevant across Cyprus’s wider AML ecosystem, including obliged entities regulated by competent authorities such as ICPAC and the Cyprus Bar Association. While AMLA-specific directives have not yet been issued by these bodies, its centralised framework is expected to shape supervisory expectations across all professional sectors.
As AMLA moves toward the data-driven model model across all obliged entities , our AML Compliance Support team can help you transition from PDF-based records to the structured, machine-readable data formats AMLA now requires for direct and indirect supervision.
CySEC Circular C748: Priorities for AMLA Readiness
Circular C748 outlines how CySEC expects firms to start preparing for AMLA. Although it does not set new legal rules, it shows that supervision in Cyprus is shifting towards a more structured, data-driven model.
Key Points:
- Start Date: AMLA Regulation applies across the EU from 1 July 2025.
- Who Is Affected: CIFs, AIFMs, UCITS managers, CASPs, RAIFs, and other CySEC-regulated entities.
- Information Requests: CySEC may ask firms to provide structured data, such as risk categories for clients, STR statistics, exposure to certain jurisdictions, and governance frameworks.
- 2026 Expectations (RTS): AMLA has already begun preparing Regulatory Technical Standards (RTS), with drafts expected around mid-2026. These standards will define the minimum requirements for how firms assess AML risks, maintain governance structures, collect and report data, and apply controls across the EU. Further RTS will continue to be developed beyond 2026 as AMLA expands its supervisory toolkit.
While the circular comes from CySEC, its direction is relevant for all firms that fall under Cyprus AML rules. Other regulators are expected to follow similar lines.
Regulatory Technical Standards (RTS): Implications for 2026 Implementation
Building on these immediate reporting obligations, 2026 will also mark the introduction of binding Regulatory Technical Standards (RTS) under the AMLA framework. These RTS will serve as the operational backbone of AMLA’s supervisory mandate,establishing common criteria across Member States for key areas such as risk-based customer segmentation, governance controls, internal audit requirements, and structured data reporting protocols. Although the finalised texts are pending publication, their adoption will introduce legally enforceable obligations, requiring regulated entities to realign internal policies, compliance manuals, and client risk assessment tools accordingly. Early gap analysis, system flexibility, and Board-level awareness will be critical to ensure timely and disruption-free alignment with the RTS rollout.
Our team provides specialized Risk Management Consulting to ensure your internal risk scoring and governance frameworks withstand this new EU-level scrutiny.
AMLA’s Role: Centralised and Risk-Focused Supervision
The AMLA Regulation introduces a common framework for how AML is supervised across the EU. Its aim is to improve consistency, close gaps, and strengthen the EU’s response to money laundering.
AMLA’s Main Functions:
- Direct Supervision: AMLA will directly supervise a small number of high-risk, cross-border firms.
- Oversight of National Authorities: AMLA will monitor how well CySEC, ICPAC, and CBA carry out their roles.
- Rule Development: AMLA will publish a single AML rulebook and technical standards to ensure all firms follow common rules.
When Will AMLA Supervise Directly?
Under the AMLA Regulation, AMLA will select a limited number of Selected Obliged Entities for direct supervision. These are typically credit institutions or financial institutions that:
- Operate in multiple Member States, showing substantial cross-border activity, and
- Present a high residual money laundering and terrorist financing risk, after internal controls are considered.
This selection will follow a harmonised methodology and will be reviewed periodically. While the full list of supervised entities will be finalised closer to implementation, firms with significant cross-border operations and elevated risk profiles are most likely to be included.
Firms in Cyprus should assess their operational footprint and internal risk controls in light of these evolving supervisory benchmarks. Even if they do not, they will still be subject to enhanced local supervision based on AMLA’s model.
Implications for All Cyprus-Regulated Firms
Although Circular C748 targets CySEC-supervised entities, all Cyprus-based obliged entities ,including those under ICPAC and the Cyprus Bar Association , will be affected.
What This Means for Non-Financial Firms:
- Data Quality: Structured, accessible, and reliable AML data will be required , even for small audit or legal firms.
- Documentation: Firms must document how they assess and manage AML risks, and how Boards and MLCOs are involved.
- National Alignment: ICPAC and CBA are likely to adopt supervisory approaches in line with AMLA, even if not yet formalised.
2026 and Beyond: New Technical Standards (RTS)
By 10 July 2026, AMLA is required under the new EU AML/CFT framework to submit a package of draft Regulatory Technical Standards (RTS) and related technical instruments to the European Commission. These RTS will lay down detailed, harmonised rules on how AML/CFT controls across the EU must be designed and operated, covering areas such as governance arrangements, group‑wide policies and procedures, customer due diligence, risk assessment, internal controls, and supervision criteria
What the RTS Are Expected to Cover:
- Risk scoring and risk-based decision-making standards,
- Internal control and governance structures,
- Standard formats for submitting AML data,
- Group-wide AML rules for firms with overseas branches.
Firms should begin reviewing their systems, policies, and internal controls to ensure they can align with these upcoming standards.
Preparing for AMLA: Practical Steps
Is Your Entity Ready for the July 2026 RTS Standards?
Firms regulated by CySEC, ICPAC, and CBA can begin their readiness work now:
1. Review AML Data
- Identify key data fields (client risk, STRs, jurisdictional exposure).
- Ensure they are stored in exportable, structured formats.
2. Update Risk Models
- Review client and service risk scores.
- Make sure these reflect sectoral and geographic risks.
3. Align Manuals and Procedures
- Update AML policies to reference AMLA.
- Include future reporting obligations and RTS considerations.
4. Prepare for Data Requests
- Designate points of contact and build internal workflows.
- Test your ability to respond quickly to regulator requests.
5. Train Key Personnel
- Brief MLCOs, compliance staff, and Boards on AMLA.
- Include AMLA in annual AML training and risk planning.
Common Weaknesses in Cyprus Firms
From existing reviews and inspections, recurring issues include:
- Outdated or generic AML manuals,
- Risk scores lacking clear justifications,
- Poor data quality or systems not fit for export,
- Weak Board engagement with AML risks.
AMLA supervision will bring greater scrutiny. Addressing these issues is necessary to ensure a compliant and defensible AML programme.
Frequently Asked Questions (FAQ)
What should Cyprus firms do now to prepare for AMLA?
Firms should prioritise compliance with CySEC Circular C748, assess system readiness for structured data reporting, and initiate a gap analysis against expected AMLA standards. Key focus areas include risk scoring models, governance frameworks, and documentation quality. Early alignment will reduce implementation risk and position firms favourably with both national and EU supervisors.
Will Cyprus firms be directly supervised by AMLA?
Only a limited subset of high-risk obliged entities will fall under AMLA’s direct supervisory remit. For most Cyprus-regulated firms, including those supervised by CySEC, ICPAC, or the Cyprus Bar Association, AMLA will exercise indirect supervision,primarily by setting binding EU standards and overseeing the performance of national competent authorities. Nonetheless, all firms will be subject to AMLA’s regulatory framework through the implementation of common technical standards and EU-level risk oversight mechanisms.
Will RTS adoption require firms to revise their AML framework?
Adoption of the RTS will necessitate updates to AML/CFT policies and procedures, firm-wide risk assessment (FWRA) methodologies, customer onboarding processes, and related compliance documentation templates. Firms are advised to conduct a structured gap analysis in advance to ensure timely alignment and mitigate implementation risk.
Does AMLA apply to lawyers and accountants?
Yes. All obliged entities , including those supervised by ICPAC and CBA , must comply with the AMLA Regulation.
What does “structured data” mean?
It refers to data that is stored in consistent, exportable formats like spreadsheets or databases , not just PDFs or email threads.
Structured Compliance Alignment: The Role of CX Financia
The move towards AMLA implementation presents an opportunity for firms to critically assess their AML frameworks and ensure readiness for a more standardised supervisory model.
CX Financia supports this transition by working with regulated entities to:
- Benchmark existing AML practices against anticipated AMLA expectations,
- Review and enhance internal AML governance and documentation,
- Assess system readiness for structured data extraction and regulatory reporting,
- Deliver targeted training aligned with the evolving EU supervisory landscape.
These efforts help firms not only meet compliance requirements but also strengthen their overall risk posture in line with future supervisory expectations.
Learn more about our AML Compliance Support
The shift to AMLA is not only about meeting new rules. It reflects a broader move towards professionalising AML compliance and aligning with EU-wide governance expectations.
CX Financia works with regulated entities across sectors to:
- Review AML controls and align with AMLA standards,
- Prepare firms for CySEC data requests and inspections,
- Update AML manuals and risk models,
- Conduct training for Boards, MLCOs, and compliance teams.
Begin your AMLA alignment journey with structured compliance diagnostics and a Board-level briefing. Our AMLA Compliance Support team can help you build defensible, data-ready frameworks before RTS take effect.
Conclusion: A Strategic Opportunity for Compliance Maturity
The AMLA Regulation marks a strategic shift in AML supervision. It creates new expectations around governance, data quality, and risk accountability.
Firms in Cyprus — whether supervised by CySEC, ICPAC, or CBA — are encouraged to begin aligning with this new framework now. Doing so will not only reduce compliance risk but also improve internal governance and increase transparency with supervisors.
Entities that invest in readiness today will be better positioned to operate with confidence in the changing regulatory landscape of 2026 and beyond.
The transition to AMLA is more than a reporting change—it’s a shift to a data-driven supervisory model. Don’t wait for the mid-2026 Technical Standards to find gaps in your framework.
Our AMLA Readiness Assessment Includes:
- Gap Analysis: Benchmarking your current manual against the EU Single Rulebook.
- Data Audit: Ensuring your KYC data is “structured” and exportable per CySEC requirements.
- Board Briefing: Training your leadership on their new personal liability under 6AMLD.
Urgent Compliance Notice – CySEC AMLA Data Submission (Circulars C748 & C749)
The submission deadline for the AMLA data collection under CySEC Circular C748, as amended and extended by Circular C749, is Monday, 12 January 2026. The original deadline set in Circular C748 was Friday, 9 January 2026, and has now been formally extended to this new final date.
Important sources: