Understanding the regulatory foundation, licence types and supervisory expectations under the Central Bank of Cyprus
In the fast-changing European payments landscape, choosing the right licence regime is a key strategic decision for any fintech, payment institution, or e-money issuer aiming to operate across the EU Single Market. Cyprus has gradually established itself as a safe and well governed entry point into the European market by such companies but the future success will depend on a good dedication to regulatory fulfilment and operational quality.
In CX Financia, we utilise our extensive knowledge of regulatory advice and licensing to help our clients through the entire authorisation process. We are publishing our experiences in this paper to explain what a Payment Services Licence in Cyprus is about, what is the legal and regulatory environment, what types of licences are offered and what regulatory and operational risks the applicant is likely to face.
We want to offer specific, practical advice that can guide businesses through the regulatory environment and enable them to establish viable and sustainable operations in Cyprus, as well as in the larger EU market.
1. Regulatory Environment and Competent Authority.
The Central Bank of Cyprus (CBC) is the competent authority in Cyprus that authorises and oversees payment institutions.Under the “Provision and Use of Payment Services and Access to Payment Systems Laws , the CBC is empowered to grant, refuse or revoke authorisations of payment institutions.
Specifically, where a legal person intends to provide any of the payment services listed in Points 1-7 of Annex I of the Law (i.e., the Cyprus national transposition of Directive (EU) 2015/2366 on payment services in the internal market (“PSD2”)), an authorisation from the CBC is required.
For electronic-money institutions (EMIs), the CBC likewise exercises authorisation powers under the relevant EMI law.
From a strategic perspective, a licence offers regulated status, EU passporting rights (for EU/EEA operations), and the ability to engage in payment or e-money services with the credibility of supervision by an EU competent authority.
2. Legal and Supervisory Foundations
2.1 Cyprus’s Legal Framework for Payment and Electronic Money Institutions
The main legal provision is the revision of the Payment Services Law 2018/2018/Law 31(I) of 2018 which governs payment institutions in Cyprus. The act is pegged on the transfer of the Second Payment Services Directive (PSD2) of the EU to the law of Cyprus and the foundation of the payment service providers regulation in the country.
The law that has the greatest impact on the Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions, in the case of electronic money institutions (EMIs), is the Electronic Money Law of 2012 (Law 81(I)/2012) as amended.
Together, these laws define the scope of regulated activities, outline the licensing and authorisation requirements, set safeguarding and capital obligations, and establish the rights of consumers as well as the supervisory powers of the Central Bank of Cyprus (CBC).
2.2 Regulatory Guidance and EBA Standards
The CBC refers to, and expects compliance with, the guidelines of the European Banking Authority (EBA). For example:
- Guidelines on authorisation under PSD2 (EBA/GL/2017/09) — adopted by the CBC.
- Guidelines on the safeguarding of funds (EBA/GL/2018/05)
- Guidelines on outsourcing (EBA/GL/2019/02)
These guidelines frame not only the application stage but also ongoing supervision. In effect, firms must build their systems and controls to meet both national law and EU-wide supervisory expectations.
2.3 Supervisory Strategy
The Central Bank of Cyprus (CBC) has set out an enhanced supervisory strategy for the licensing and oversight of Electronic Money Institutions (EMIs) and Payment Institutions (PIs). This strategy places particular focus on digitalisation, operational resilience, and cross-border cooperation within the EU’s regulatory framework.
As a matter of fact, the supervision of the CBC does not end with the authorisation. Companies should be substantive in terms of good governance, effective risk management, and well-developed systems of operations. The CBC requires institutions to have good internal controls that will guarantee continuity of business, integrity of data and consumer protection.
This future-proofing strategy can be combined with the future EU regulatory changes, such as PSD3, the proposed Payment Services Regulation (PSR), and the Digital Operational Resilience Act (DORA). Within the framework of DORA, companies will be required to enhance their ICT risk management, incident reporting and their third-party supervision, which will guarantee the stable level of operational resilience throughout the EU financial sphere.
All in all, the approach of the CBC highlights the idea that sustainable authorisation is not just about satisfying original licence terms but rather the active, robust and disciplined model of operation designed to be able to fulfill the demands of the future in terms of regulation.
3. Types of Licence: Payment Institutions (PIs) and Electronic Money Institutions (EMIs)
Selecting the correct licence type is essential because the scope of permitted services, capital requirements, safeguarding obligations and supervisory effort vary materially.
3.1 Payment Services Licence
Payment Institution (PI) Licence
Under the Payment Services Law of 2018 (Law 31(I)/2018), the Central Bank of Cyprus (CBC) is responsible for granting authorisation to Payment Institutions (PIs). To be eligible, the applicant should be a legal person that is incorporated in Cyprus, the registered office and head office of which are situated in the Republic, and it should carry out at least part of its business in Cyprus.
The law outlines a variety of regulated payment services which include:
• Payments transactions like credit transactions, direct debits and card payments.
• Selling payment instruments or purchasing payment transactions.
• Money remittance (money without account relationship)
• Account information services (AIS), where applicable, and Payment initiation services (PIS).
Applicants should be explicit on what of these services they wish to do and show the required capacity of operations and prudence to do so.
The initial capital requirement varies according to the type of service offered:
- Money remittance only: €20,000 minimum capital
- Payment initiation only: €50,000 minimum capital
- Other payment services (points 1–5, e.g. execution, acquiring, issuing): €125,000 minimum capital
These capital requirements indicate varying amounts of riskiness of each service type – more capital will be required where companies deal with client money or where they are issuing instruments, as proper prudential controls and financial security will be ensured.
The evaluation of the CBC does not contain only the fulfillment of such quantitative criteria but also covers the governance, system of compliance and protection that the applicant must have in order to be sustainable and functioning as an institution of integrity.
Electronic Money Institution (EMI) Licence (3.2).
Based on the premise of a Payment Institution (PI), an Electronic Money Institution (EMI) licence supplements the regulatory rights of a firm by enabling it to issue and process electronic money (stored value), to provide services related to payment. Simply put, although a PI is able to process and pay out money, an EMI is also able to issue and maintain customer balances, thereby adding to the prudential and protection duties.
Authorisation for EMIs is granted by the Central Bank of Cyprus (CBC) under the Electronic Money Law of 2012 (Law 81(I)/2012), read together with the Payment Services Law of 2018 (Law 31(I)/2018) for overlapping activities. As with PIs, only a Cyprus-incorporated legal entity with both its registered and head office located in the Republic is eligible for authorisation.
The minimum start up capital needed to open an EMI is 350,000 euros, which is its increased risk profile, specifically the requirement to secure the funds of the customers who are using the e-money issued. EMIs must also have tighter governance, risk control and internal control structures in place where e-money issuance, redemption and record keeping systems need to be secure and transparent.
Practically, the EMI regime is more liberal on commercial flexibility, but requires a greater level of operational stability and regulation. Companies seeking this licence should be ready to demonstrate an increased degree of prudential soundness, IT and protecting infrastructure, and the ability to comply, which is in line with the expectations of the CBC towards those institutions that hold client funds as stored electronic value.
3.3 Comparative Summary
The table below provides an overview of the main licence types available under the Cypriot regulatory framework for payment and e-money institutions, including the scope of permitted services and corresponding minimum initial capital requirements.
| Licence Type | Permitted Services | Minimum Initial Capital* |
| Money Remittance Only | Transfers of funds without maintaining payment accounts | €20,000 |
| Payment Initiation Service Provider (PISP) | Initiation of payment orders without holding client funds | €50,000 |
| Full Payment Institution (PI) | Execution of payments, acquiring, and issuing of payment instruments | €125,000 |
| Electronic Money Institution (EMI) | Issuance of electronic money and provision of payment services | €350,000 (industry reference) |
* These figures reflect widely-cited benchmarks in the Cyprus market and refer to initial capital. In all cases, the CBC will assess the business model and may require higher amounts or additional own funds based on risk, complexity, payment volumes or e-money issuance.
4. Scope of Services and Qualifying Boundaries
4.1 What the Licence Enables
A licensed PI or EMI may, subject to authorisation letter and programme of operations, carry on regulated payment services as defined in the national law (i.e., Law 31(I)/2018, Article 4; Annex I). These include:
- Acceptance of funds and fund transfers
- Payment accounts operations
- Execution of payment transactions via card or similar device
- Money-remittance
- Payment initiation and account information services (in the PI context)
For an EMI, the additional service of issuing electronic money is central: stored value that is accepted by other parties as payment and which is redeemable at par.
4.2 What the Licence Does Not Cover
Importantly, the licence does not permit deposit-taking (i.e., accepting deposits as a credit institution) unless the firm separately obtains banking authorisation. Under Law 31(I)/2018, “payment services” do not include deposit taking or credit provision except where ancillary and tightly controlled (Article 18(3) PSD2).
Also, asset-management, securities broking or investment services fall outside this regime and are supervised by Cyprus Securities and Exchange Commission (CySEC) rather than the CBC.
With the changing payment environment, a few companies are implementing a hybrid model of businesses consisting of traditional payment solutions, e-money issuance, and, in a few instances, crypto-asset or other digital-asset solutions. Although a form of diversification can bring about innovation and provision of new markets, it also exposes the supervisor to higher complexity.
In this context, the Central Bank of Cyprus (CBC) places strong emphasis on clarity and control. Firms are expected to clearly define the boundaries between each regulated activity—such as distinguishing payment services from e-money issuance or digital-asset operations. They should also ensure that they have strong governance structures of administration of stored-value businesses and that client money and e-money floats are completely secured in accordance with the regulation provision.
Further, the existing supervisory approach of the CBC highlights two continuing priorities:
1. Digital operational resilience – making sure that companies are able to mitigate, withstand, and recuperate cyber and system disruptions; and
2. Cross-border risk management – ensuring good management in areas where service or infrastructures are provided in more than one jurisdiction.
A combination of these demands indicates that the CBC is determined to make sure that the process of innovation in payments and digital finance remains a robust operation with good governance and consumer protection in the center stage.
5. Key Operational & Supervisory Challenges
For firms seeking authorisation (or operating under one) in Cyprus, several practical and supervisory issues deserve attention:
5.1 Corporate Substance and Local Presence
The CBC insists on a genuine operational presence in Cyprus: a registered and head office in the Republic, parts of business activities carried out locally, and senior management engaged from Cyprus. This is consistent with EU AML/CTF and banking-equivalence best practice. Failure to evidence clear local presence is a recurrent cause of application delay.
5.2 Capital, Safeguarding and Banking Access
Beyond meeting the minimum capital thresholds, applicants must show robust safeguarding arrangements for client funds (or e-money float). Under the law, payment institutions must ensure safeguarding of funds by either segregation with a credit institution or comparable guarantee/insurance. The CBC expects audited safeguarding reconciliation procedures and oversight. Banking access (for safeguarding accounts) is a known obstacle for new entrants in Cyprus and across EU jurisdictions.
5.3 Governance, Risk Management and Supervision Depth
Applicants must demonstrate strong governance: fit and proper board members and key function holders (compliance, risk, internal audit, MLRO). They must present a programme of operations with business-plan, financial forecasts, internal policies (including AML/CFT, outsourcing, ICT/operational resilience), and a recovery/wind-down plan. The CBC will apply EBA guidelines (e.g., EBA/GL/2017/09 for authorisation) when assessing the application.
On an ongoing basis, supervision is not purely periodic; the CBC’s strategy indicates a move towards thematic reviews (ICT risk, outsourcing, cyber-security) and increased cooperation with the EBA.
5.4 Cross-border and EU Passporting Considerations
One of the principal advantages of a Cyprus-based licence is the ability, once authorised, to benefit from freedom of establishment or provision under PSD2 (via the CBC’s notification to other competent authorities). Firms must plan for cross-border service provision: local host-state requirements (e.g., local contact person, complaints handling) still apply.
5.5 Emerging Regulatory Pressures
The European payments environment is in a new period of regulatory change, and this time around it is dictated by the upcoming EU Payment Services Regulation (PSR) and the revised Payment Services Directive (PSD3). As a preview of these developments, the Central Bank of Cyprus (CBC) has stated that the level of its supervisory expectations will be tightened.
Firms in operation in or seeking authorisation in Cyprus need to be ready to face an increasingly demanding compliance environment, including:
- Increased prudential and capital standards, especially to those which hold client funds or issue stored value;
- Tighter ICT and operational resilience requirements, as per the Digital Operational Resilience Act (DORA);
- Greater anti-money laundering (AML) and counter-terrorist financing (CTF) regulation, including through governance, transaction oversight and beneficial ownership disclosure; and
There is also a stronger consumer protection and disclosure requirements, which provide a high level of transparency regarding pricing, execution time, and redress rights.
All of this points to an apparent way forward in regulation: not only are firms expected to operate up to the current standards, but they must also develop the resilience, governance, and capital capacity to conduct operations in a sustainable way in the next generation of EU payments regulation.
6. Strategic Implications for Prospective Applicants
Understanding the “what” of the licence is essential for strategic planning:
- Determine the business model and select licence type accordingly. Mis-classification can lead to remediation or refusal.
- Early engagement with legal, compliance and banking-access advisors is critical — particularly for safeguarding structure, banking relationships and due-diligence filings.
- Invest in robust organisational infrastructure (governance, risk management, IT/operational resilience) even pre-application; the CBC expects “business-as-usual” readiness, not aspirational promises.
- Remain aware of shift away from “regulatory lowest-cost entry” towards “substance and resilience” in the CBC’s supervisory posture.
- Plan for cross-border expansion: a Cyprus licence offers EU and EEA footprint, but host-state requirements, passporting logistics and local payments schemes must be factored in.
- Monitor regulatory developments – e.g., the PSR, PSD3 and DORA – and build flexibility in your licence model to absorb higher scrutiny or expanded obligations.
7. The PSP Licence in Cyprus: Key Takeaways and Next Moves
The process of obtaining a licence of a payment services in Cyprus is not only a regulatory milestone but a strategic entry point to the EU payment and e-money market. Regulated by the Central Bank of Cyprus (CBC) and in line with EU law (PSD2) and national law (Law 31(I)/2018), the regime offers an effective framework of authorising Payment Institutions (PIs) and Electronic Money Institutions (EMIs), each having a defined set of prudential, governance and safeguarding standards.
With the changing regulatory environment, the CBC has been focusing on substance, operational resilience and cross-border risk management. It is now necessary to do more than just comply technically in achieving and maintaining authorisation, it now requires good leadership, good systems and good culture of good risk management that will not be subject to future supervisory demands.
Cyprus can be credible, accessible, and offer an opportunity to firms that are willing to invest in real regulatory competence and sustainable operation to establish and expansion in the EU. Individuals that plan well in advance, design well, and create solid frameworks will be in a good position to succeed in the new generation of European payments regulation.
At CX Financia, we work closely with each client to turn regulatory complexity into clarity — providing tailored licensing guidance, practical compliance support, and strategic insight throughout the authorisation journey. Whether you are preparing your first application or expanding an existing operation, our team can help you navigate the process efficiently and position your firm for long-term success.
Get in touch with us to discuss your licensing goals: www.cxfinancia.com/contact