AI consulting

The EU AI Act in Cyprus: what businesses must actually do before August 2026

Vincent Wahidi
Vincent Wahidi · 7 min read
The EU AI Act in Cyprus: what businesses must actually do before August 2026

The EU AI Act is not an abstract Brussels problem for Cyprus businesses. The country has a named national coordinator, a taskforce that has been meeting since 2025, and a public commitment to run a national AI regulatory sandbox by August 2026, the same month the high-risk obligations and their penalties switch on. If you build, buy, or deploy AI that touches people, that date is close enough to plan around now, not later.

Who is actually in scope, in plain terms

The Act sorts every AI system into four risk tiers, and only two of them require real work. Unacceptable-risk practices, such as government social scoring and manipulative systems that cause harm, have been banned outright since 2 February 2025. Minimal-risk software, which covers most ordinary business tools, carries no new obligations at all.

The tiers that matter sit in between. Limited-risk systems, most chatbots and recommendation tools among them, carry a transparency duty: tell people when they are talking to a bot. High-risk systems carry the heavy obligations, documentation, logging, human oversight, and a conformity assessment before going live, and this is where the compliance budget goes. A system is high-risk if it is a safety component of an already-regulated product, or if it operates in an area Annex III lists: hiring, access to education, credit scoring and essential financial services, essential public services, law enforcement, migration, or the administration of justice. We covered the tiers and the fine structure in more depth in the EU AI Act: what it actually means for businesses shipping AI; this piece focuses on what a Cyprus business specifically needs to do about it.

The Cyprus institutions now handling this

Cyprus has assigned a national coordinator for the AI Act: the Deputy Ministry of Research, Innovation and Digital Policy. That is the body a Cyprus business will ultimately answer to on national implementation questions, and the one to watch for local guidance as the August 2026 deadline approaches (Mondaq).

A National AI Taskforce was established in 2025, chaired by Chief Scientist Demetris Skourides, to coordinate the country's approach across ministries. Cyprus has also committed to standing up a national AI regulatory sandbox by August 2026, a supervised environment where businesses, particularly smaller ones without in-house legal teams, can test an AI system against the Act's requirements before committing to a full build (Chambers and Co; Global Legal Insights, Cyprus AI chapter). None of this changes the underlying EU law, but it means a Cyprus business has a specific local coordinator and, in time, a sandbox route to test compliance rather than guessing in isolation.

A practical compliance sequence

Skip the compliance-binder approach. Run this sequence instead, in order, because each step depends on the one before it.

  1. Inventory every AI system you build or buy. Include the obvious ones (a chatbot, a scoring tool) and the quiet ones, features a vendor added to your CRM, accounting platform, or HR software that now make an automated recommendation. You cannot classify what you have not listed. Walk department by department rather than relying on IT's own list, because the marketing team's new personalisation tool or the finance team's new invoice-matching feature rarely gets flagged as "AI" internally, even though the Act does not care what your team calls it.
  2. Classify each system by risk tier. Be strict about Annex III. If a system helps decide who gets hired, who gets credit, or who gets a benefit, treat it as high-risk until you can show otherwise. Where a system's purpose is genuinely ambiguous, get a written opinion rather than guessing; the cost of a short legal review is small next to the cost of guessing wrong.
  3. Document what you find. For anything high-risk, this means technical documentation, data governance records showing what the training and input data is and where it came from, and logging that lets you reconstruct how a decision was reached. Write this down as you build, not after a regulator asks for it. Retrofitting documentation onto a system that has been live for a year is slower and less accurate than a colleague's memory of how it was built.
  4. Build in human oversight. A named person needs to be able to understand, override, and stop the system. This has to be a real capability built into the product, not a checkbox added at the end. If your team cannot describe, in plain terms, how someone would actually intervene when the system is wrong, the oversight is not real yet.
  5. Assign an owner. Every high-risk system needs one accountable person. Compliance with no owner does not happen; it drifts until an audit or an incident forces the question. The owner does not need to be a lawyer; they need to be the person who would actually notice if the system started behaving badly.
  6. Prepare for conformity assessment and registration. A high-risk system needs a conformity assessment and an entry in the EU database before it goes live. Build the timeline for this into your project plan now rather than treating it as a final-week formality; for a system already in production, plan the assessment as its own piece of work, not an afterthought bolted onto the next feature release.

What Cyprus SMEs should do this quarter

Most Cyprus businesses are not running high-risk AI, and the honest first step is confirming that, not assuming it. This quarter, a Cyprus SME should:

  • Run the inventory step above properly, including AI features embedded in third-party software you already pay for.
  • Read the terms of any AI vendor you rely on. Their obligations under the Act do not remove yours as the deployer.
  • Watch for guidance from the Deputy Ministry of Research, Innovation and Digital Policy as the national coordinator, and for the sandbox opening, since it is aimed partly at businesses your size.
  • Treat 2 August 2026 as a working deadline for anything that lands in the high-risk tier, and start the documentation now while the system is still small and the retrofit is cheap.

For businesses with no high-risk exposure, this is a light quarter's work. For the ones with a system touching hiring, credit, or a regulated sector, it is real, and starting early is the difference between a documentation exercise and a scramble.

Where engineering and consulting help

Mapping your systems to the Act's risk tiers, building the documentation a high-risk system needs, and putting a working human-oversight path into the product itself is exactly the kind of work our AI consulting practice does in Cyprus. It is easier to build this in from the start than to bolt it onto a system that is already live.

Why a small local market does not mean less exposure

It is tempting to assume that a small Cyprus business, far from Brussels and without a household name, sits outside the Act's real attention. That is a misreading of how the obligations attach. The Act applies by what a system does, not by the size of the company running it. A ten-person Limassol firm using a third-party recruitment tool that screens CVs is deploying a high-risk system just as much as a multinational would be, and carries deployer obligations regardless of headcount. Cyprus's small size cuts the other way too: a national coordinator, a taskforce, and a forthcoming sandbox mean local guidance is more reachable here than in a larger member state where a small business would struggle to get anyone's attention at all. Use that access rather than assuming it does not apply to you.

The takeaway

Cyprus is not waiting for Brussels to hand down instructions with no local layer. There is a named coordinator, a taskforce, and a sandbox commitment, all pointed at the same August 2026 date as the rest of the EU. Inventory what you run, classify it honestly against Annex III, and document the systems that land in the high-risk tier. For most businesses that is a contained piece of work. For the ones it is not, the sooner it starts, the less it costs.

Vincent Wahidi

Author

Vincent Wahidi is the director of Encelyte, a computer engineer who builds production AI, automation, and custom software for enterprises across Cyprus and the wider region. He writes the strategy, cost and decision-maker pieces himself; the practical how-to guides are curated under the five mission-cat bylines below.

Frequently asked questions

Is my chatbot high-risk under the AI Act?

Usually not. A chatbot that answers product questions or handles support tickets sits in the limited-risk tier, where the only duty is telling people they are talking to a bot. The same chatbot becomes high-risk if it is repurposed to screen job applicants, assess creditworthiness, or make a decision in one of the areas listed in Annex III. Check what the system decides, not what it is called.

What is the actual deadline for the EU AI Act in Cyprus?

Prohibited practices have been banned since 2 February 2025, and general-purpose AI model obligations applied from 2 August 2025. The date that matters for most Cyprus businesses is 2 August 2026, when high-risk obligations and their penalties switch on. High-risk AI embedded in already-regulated products (medical devices, machinery) gets until 2 August 2027.

What are the penalties for non-compliance?

Using a prohibited AI system can cost up to 35 million euros or 7 percent of global annual turnover, whichever is higher. Breaching high-risk obligations can reach 15 million euros or 3 percent of turnover. Supplying regulators with incorrect or misleading information can reach 7.5 million euros or 1 percent. These are ceilings scaled to the violation, not a flat fee.

Do I need to hire a dedicated AI compliance officer?

Not necessarily a new hire, but you do need a named owner for each high-risk system, someone accountable for its documentation, monitoring, and human-oversight path. For a small or mid-sized Cyprus business, this is often an existing operations, legal, or technical lead who takes on the role, not a new department.

Read next

Government grants for digitalisation and AI in Cyprus: the 2026 guide

Have a problem worth solving?

Tell us what you're building or fixing. We'll reply within one business day with a clear next step.