EMI License in Cyprus

The Central Bank of Cyprus (CBC) is the sole licensing and supervisory authority for electronic money institutions in Cyprus. Applications are filed through the CBC eLicensing platform; physical and hybrid submissions have been discontinued. The CBC must take its decision within 3 months from receipt of a duly completed application under Cyprus Electronic Money Law 81(I)/2012, mirroring EMD2 Article 3. In practice, the clock only starts once the file is accepted as complete, which is why well-prepared applicants still see 9–12 months end-to-end.

MOKAS, the Cyprus FIU, receives AML reporting from licensed EMIs as obliged entities. The CBC publishes the full EMI authorisation process on its EMI licensing and supervision page; fee figures appear in the dedicated CBC Fees section below.

A Cyprus EMI license permits the issuance, distribution and redemption of electronic money, plus the full range of payment services listed in PSD2 Annex I when requested in the authorisation. In practice this covers:

• E-money issuance and redemption — issuing prepaid balances, e-wallets and stored-value accounts backed 100% by safeguarded client funds.
• Payment accounts and IBANs — opening accounts, executing SEPA credit transfers, direct debits and standing orders.
• Card issuing and merchant acquiring — principal membership of Visa or Mastercard schemes, subject to scheme approval.
• Money remittance and FX — cross-border transfers and currency conversion incidental to a payment.
• PSD2 open-banking services — payment initiation (PISP) and account information (AISP).

The Cyprus EMI license does not cover virtual-asset services. Issuing or custodying crypto-assets requires a separate CySEC MiCA-CASP authorisation, and EMIs issuing e-money tokens must also hold a MiCA authorisation as an EMT issuer. Investing safeguarded client funds in low-risk liquid assets does not by itself trigger a CySEC license; a CIF/MiFID authorisation is only required when the firm provides MiFID investment services.

Cyprus offers three core advantages over other EU EMI venues: a statutory 3-month CBC decision window, EU/EEA passporting to 30 states, and a corporate tax regime aligned with OECD Pillar Two. English-language CBC correspondence and an ICPAC-registered auditor pool round out a mature payments ecosystem built around CySEC-regulated CIFs. The trade-off is governance substance: the CBC expects local executive directors and an in-house AML officer, not a virtual setup.

The CBC is the sole competent authority for EMI authorisation and ongoing supervision in Cyprus. It receives applications through its eLicensing platform, assesses fit-and-proper for shareholders, directors and key function holders, approves outsourcing arrangements, and exercises prudential and conduct supervision over authorised firms. The statutory decision window under Cyprus Electronic Money Law 81(I)/2012 is three months from receipt of a duly completed application, in line with EMD2 Article 3.

The Cyprus Electronic Money Laws of 2012 to 2018 transpose Directive 2009/110/EC (EMD2), which sets the EMI initial-capital, own-funds and safeguarding regime, and integrate Directive (EU) 2015/2366 (PSD2) for the payment-services side of EMI activity, including Strong Customer Authentication. PSD3 and the Payment Services Regulation have been politically agreed (COREPER endorsement 22 April 2026, ECON vote 5 May 2026) but have not yet been published in the OJEU; PSD2 therefore remains in force for Cyprus EMIs through 2026.

In 2025 the CBC issued a package of directives reshaping how EMIs are licensed, governed and supervised. The new Electronic Money Institutions Directive of 2025 tightens the capital-adequacy methodology, raises the bar on governance and internal control, and restates the licensing dossier expectations. The CBC’s new AML/CFT Directive (published 2 May 2025, in force from 2 June 2025) prohibits full outsourcing of the AML compliance officer function. You must budget for an in-house AML lead rather than a fully outsourced model.

DORA (Regulation (EU) 2022/2554) has been directly binding on Cyprus EMIs since 17 January 2025, with the CBC as competent authority. It replaces the prior patchwork of EBA ICT and security-risk guidelines with a single, uniform regime covering ICT risk management, incident classification and reporting, digital-resilience testing, and third-party ICT-provider oversight. MiCA (Regulation (EU) 2023/1114) has been fully applicable since 30 December 2024. For Cyprus fintechs combining e-money and crypto rails, the split is precise: CySEC authorises Crypto-Asset Service Providers (CASPs), while the CBC remains competent for EMI authorisation and for issuers of e-money tokens (EMTs).

A CySEC licence is triggered by MiFID investment services (portfolio management, dealing in financial instruments), not by investing safeguarded client funds in low-risk liquid assets, which CBC safeguarding rules permit without a CySEC licence.

EMD2 Article 4, transposed into the Cyprus Electronic Money Laws, fixes the initial capital for a Cyprus EMI at €350,000. There is no reduced threshold: the CBC has not adopted the optional EMD2 Article 9 “small EMI” exemption, so every applicant funds the full amount.

The CBC treats “initial capital” literally: the €350,000 must be fully paid-up at the time of application, deposited in a Cyprus credit institution before the file is lodged via the CBC eLicensing platform. A bank confirmation of the deposit is submitted inside the application bundle; promises of future capital injections do not satisfy the test. The funds become the entity's opening regulatory capital once authorisation is granted. Source-of-wealth evidence for the underlying shareholders accompanies the bank letter.

Once licensed, the EMI must maintain ongoing own funds equal to at least 2% of average outstanding e-money under EMD2 Article 5(3) Method D. The calculation is run on the first calendar day of each month, using the preceding six months of daily outstanding e-money as the averaging window. The result is the floor own-funds figure the EMI must hold throughout that month.

The 2% figure is a floor on top of a floor: own funds may never fall below the €350,000 initial-capital threshold, regardless of how small the e-money book is. Early-stage EMIs therefore live at the €350,000 line until 2% of average outstanding e-money overtakes it, at roughly €17.5m of average outstanding e-money in circulation. The CBC reviews the calculation through periodic regulatory returns and during the annual ICAAP-style supervisory dialogue.

Client e-money is not the EMI’s money. EMD2 Article 7 and the Cyprus Electronic Money Laws require 100% safeguarding of every unit issued. The CBC accepts three methods, alone or in combination:

• Segregation at a credit institution — client funds held in dedicated safeguarding accounts at an EU/EEA bank, ring-fenced from the EMI’s own assets and from insolvency creditors.
• Investment in low-risk, liquid assets — funds placed in secure, liquid, low-risk instruments approved by the CBC. This does not require a CySEC investment-services licence: it is permitted under CBC safeguarding rules. A CIF/MiFID licence is only triggered if the EMI provides separate MiFID investment services to clients.
• Insurance or comparable guarantee — an insurance policy or guarantee from a third-party insurer/bank that pays out if the EMI fails to repay client funds.

The CBC application fee schedule is fixed and public on the CBC EMI licensing page and in CBC Directive 241/2012. The fee is paid into the CBC “APPLICATION FEES” account before submission, with the bank receipt attached to the eLicensing file.

The annual supervisory fee is set under the CBC Directive on Supervisory Fees of 2018. The exact figure is risk-based and depends on the size and activity profile of the EMI; we model it for each applicant against the current CBC schedule rather than quoting a single headline number.

The Cyprus corporate tax 2026 headline rate is 15%, applied to a Cyprus tax-resident company's worldwide profits. The previous 12.5% rate ceased to apply on 31 December 2025; any EMI projection model citing 12.5% as the current rate is out of date. The increase brings Cyprus in line with the OECD Pillar Two minimum effective tax rate for in-scope multinational groups while keeping it a low-tax EU jurisdiction. Tax residency is determined by management and control: an EMI managed and controlled from Cyprus, with executive directors resident locally and board meetings held on the island, falls within the 15% regime on its worldwide income.

Under the Cyprus IP Box nexus approach, qualifying profits from qualifying intangibles (patents and software being the most relevant for EMIs) benefit from an 80% deemed deduction. Against the new 15% headline, that drives the effective tax rate on qualifying IP income down to ~3%. For an EMI that owns its core ledger, scoring engine, KYC orchestration or proprietary payment-routing software through a Cyprus entity, properly documented R&D expenditure and nexus tracking can move a share of profit into the IP Box envelope.

Cyprus does not impose capital gains tax on disposals of shares, securities or foreign property. The 20% CGT applies only to gains from Cyprus-situated immovable property and shares in companies whose value derives, directly or indirectly, 20% or more from such property (threshold lowered from 50% under the 2026 reform). For a fintech holding structure on top of a Cyprus EMI, exit-stage share disposals therefore sit outside the CGT net.

The Cyprus DTT network covers over 65 jurisdictions, supporting cross-border payment flows and reducing withholding-tax leakage on royalties, interest and intra-group fees. The authoritative list is maintained by the Ministry of Finance Double Taxation Agreements register.

The 2026 reform also extends tax loss carry-forward from five years to seven years. For early-stage EMIs that absorb authorisation, build and customer-acquisition losses in years one and two, the longer window improves the cash value of those losses once the business reaches profitability. The reform additionally abolishes the Deemed Dividend Distribution (DDD) on post-2026 profits, removing the automatic Special Defence Contribution (SDC) charge that previously applied where Cyprus tax-resident companies did not distribute at least 70% of after-tax profits within two years. This relieves non-dom holding structures that retain earnings inside the EMI.

New for 2026: gains realised on disposals of crypto-assets by Cyprus tax residents are taxed at a flat 8%, separately from the corporate and personal income tax schedules. The Cyprus crypto tax 8% regime applies to EMIs with crypto flows, whether as issuers of e-money tokens under MiCA, partners to CASPs handling EMT custody after the EBA transitional relief expires on 2 March 2026, or on/off-ramp operators converting between fiat and crypto. Which entity in the group realises the disposal (the Cyprus EMI, a Cyprus holding, or a non-resident affiliate) determines how the 8% applies.

Cyprus Electronic Money Law does not prescribe a fixed number of directors. In practice, the CBC governance expectation is a board of at least four directors (typically two executive and two non-executive), and often five for larger or more complex EMIs. The non-executive seats are expected to include genuinely independent directors capable of challenging management.

Local substance is where the residency expectation bites. The CBC expects at least two executive directors to reside in Cyprus, and a majority of the board to be Cyprus-resident in most cases. These expectations flow from EBA local-substance guidance and the “effective management in the home Member State” principle; they are supervisory benchmarks, not text lifted from statute. Applicants are assessed on whether the proposed board composition can actually run the institution from Cyprus, not whether it ticks a numerical box.

Every director, senior manager and key function holder must clear the CBC fit-and-proper assessment. The test covers four pillars: reputation and integrity, knowledge and experience, independence of mind, and time commitment. Each candidate files a fit-and-proper questionnaire, a clean criminal record, regulatory references and a CV that maps prior roles to the role applied for.

The widely quoted ~3 years of payments or banking experience for executive directors and key function holders is a benchmark drawn from the EBA Guidelines on the assessment of the suitability of members of the management body and key function holders, not a statutory minimum. The CBC reads it as “experience proportionate to the role and the institution’s risk profile.” A first-time CEO of a complex multi-product EMI will face a higher bar than the head of internal audit at a small single-product issuer.

The CBC requires functional coverage rather than a fixed in-house headcount. Risk management, internal audit, MLRO/compliance, accounting, legal support and the external audit function must all be operating from day one. Several of these (internal audit, parts of the legal function, certain operational support) may be outsourced to qualified providers, subject to CBC approval and a written outsourcing policy that keeps board accountability intact.

The statutory auditor must be an ICPAC statutory auditor: a CBC-approved firm registered with the Institute of Certified Public Accountants of Cyprus, the Recognised Body of Auditors under the Auditors Law. The external auditor is, by definition, outside the EMI’s staff and is engaged under a separate audit-services agreement.

Cyprus does not require a minimum of two shareholders, despite the claim circulating on competitor pages. Cypriot company law permits a single-shareholder private limited company, and the CBC licenses EMIs structured that way. The number of shareholders is not the test; who they are and where their money comes from is.

The CBC requires proof of funds and source-of-wealth documentation for every shareholder and UBO holding 10% or more of the EMI, directly or indirectly. Acceptable evidence includes audited financial statements, tax returns, sale-of-business documents, dividend records, employment income trails and bank confirmations. Where shareholders are corporate, the chain is traced up to the natural-person UBO. Applicants with politically exposed persons in the ownership chain face enhanced due diligence, and any opaque tier in the structure will trigger an RFI that can add months to the timeline.

The CBC tests local substance as “effective management from Cyprus.” That means an appropriate physical presence in Cyprus, proportionate to the scale and complexity of the EMI’s activities: a real office with secure access controls, dedicated workstations for the in-house functions (compliance, risk, accounting) and the ability to host CBC on-site inspections. There is no codified square-metre minimum; the CBC assesses whether the premises actually support the proposed operating model.

Substance also reaches into data governance. EMIs must appoint a Data Protection Officer under GDPR Article 37 and Cyprus Law 125(I)/2018, whose contact details are published and registered with the Cyprus Data Protection Commissioner. The DPO can be in-house or outsourced, but must be independent of the functions they monitor.

Note that GDPR does not impose a Cyprus or EU data-residency rule. Third-country processing is permitted where it relies on the Chapter V transfer mechanisms: an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or an applicable derogation, supported by a Transfer Impact Assessment. “Preferably Cyprus” data-residency framing seen on competitor pages is not grounded in either GDPR or CBC rules.

1. Certificate of incorporation + M&AA + register of members — full Cyprus Registrar pack proving the applicant is a duly incorporated Cyprus private limited company.
2. Bank confirmation of the €350,000 paid-up initial capital — deposit receipt from a Cyprus credit institution showing the capital is in place before the file is lodged.

3. Business plan + 3-year financial projections with stress tests — base, downside and stressed scenarios with capital-adequacy implications.
4. Programme of Operations covering each requested payment service — transaction flows, customer journeys and target volumes for every PSD2 service the firm intends to offer.

5. Internal organisational structure & governance arrangements — org chart, board composition and committee terms of reference (board size, residency and four-eyes detail in the Governance & Personnel section).
6. Internal control mechanisms (compliance, risk, internal audit) — three-lines-of-defence model with charters, escalation matrices and independence safeguards for each function.

7. AML/CFT manual aligned with the 2025 CBC Directive (in force 2 June 2025) + AML compliance officer appointment letter + direct-board reporting line — AMLCO mandate detail in the Ongoing Compliance section.
8. Safeguarding plan — one or a combination of the three EMD2 Article 7 methods, documented with bank letters or insurer commitments (methods and cover rules in the Capital & Safeguarding section).
9. ICT risk-management framework aligned with EBA Guidelines on ICT and security risk management AND DORA — ICT governance, incident reporting, resilience testing and third-party risk controls binding on Cyprus EMIs since 17 January 2025.
10. Business continuity and disaster recovery plan — tested BCP/DRP with recovery-time and recovery-point objectives mapped to each critical payment service.
11. Security policy and incident handling, including PSD2 SCA arrangements — information security policy, incident-response runbooks and strong customer authentication design for in-scope electronic payment transactions.
12. Outsourcing register + material-outsourcing CBC approval requests — complete register with criticality assessment; material arrangements (including cloud) submitted for prior CBC review.

13. GDPR documentation + DPO appointment — record of processing activities, privacy notices, transfer impact assessments and the DPO appointment registered with the Cyprus Data Protection Commissioner.
14. Fit-and-proper questionnaires for directors, shareholders ≥10% and UBOs, with source-of-wealth evidence — CBC questionnaires, CVs, certified IDs, criminal-record extracts and documentary proof of how the invested funds were generated.
15. Capital adequacy methodology (typically Method D under EMD2 Art. 5(3)) — written methodology with the rolling six-month calculation logic for the 2% own-funds floor.

The CBC published a new AML/CFT Directive on 2 May 2025, with entry into force on 2 June 2025. It applies to all CBC-supervised obliged entities (banks, payment institutions and EMIs) and recalibrates the governance expectations the CBC tests at licensing and at every subsequent inspection.

The AML compliance officer (AMLCO) must be appointed by the board, report directly to the board, and the governance arrangements must protect the role’s independence and seniority. The directive also enables risk-based, proportional reviews (smaller EMIs are not held to the same review cadence as systemic banks) and clarifies the boundary between first-line and second-line responsibilities.

Cyprus’s Financial Intelligence Unit is MOKAS (the Unit for Combating Money Laundering). EMIs as obliged entities must file suspicious transaction and suspicious activity reports (STRs/SARs) directly to MOKAS, without tipping off the customer, whenever the AMLCO concludes that the statutory threshold is met (MOKAS official page).

Customer identification records, transaction documentation and supporting AML evidence must be retained for a minimum of 5 years from the end of the business relationship or the completion of the transaction, under Cyprus AML Law 188(I)/2007 as amended. If MOKAS opens an investigation, the retention period is extended until MOKAS confirms closure of the file. Records may be kept in electronic form, provided they can be retrieved without delay on regulator request.

Regulation (EU) 2022/2554 (DORA) has been directly binding on Cyprus EMIs since 17 January 2025. DORA replaces and extends the prior EBA Guidelines on ICT and security risk management with an EU-wide framework. For EMIs, the obligations fall into five blocks: an ICT risk-management framework approved by the board; a major ICT-related incident reporting regime with strict notification deadlines to the CBC; digital operational resilience testing (including, for significant firms, threat-led penetration testing); a third-party ICT risk register mapping every critical provider; and participation in information-sharing arrangements (ESMA DORA hub, EBA ICT & security risk management guidelines).

Where applicants previously relied on ISO 27001 or PCI DSS as licensing evidence, the framing has changed: neither is a Cyprus statutory licensing condition. PCI DSS remains contractually required when cardholder data is in scope, and ISO 27001 is one accepted means of evidencing the DORA / EBA-aligned controls, but the CBC assesses compliance against DORA itself, not the certificates.

Strong Customer Authentication (SCA) under PSD2 is mandatory for in-scope electronic payment transactions executed by Cyprus EMIs. SCA requires authentication based on two of the three independent factors (knowledge, possession and inherence) and binds the authentication code dynamically to the amount and payee. PSD2 carves out exemptions for low-value and low-risk transactions (contactless, trusted beneficiaries, transaction risk analysis), which the EMI must apply and document on a per-flow basis (European Commission SCA explainer).

Beyond AML and operational resilience, the CBC requires periodic prudential and statistical reporting, including data on e-money in circulation, own funds against the 2% Method D ratio, and safeguarding arrangements. Reporting cadence and templates are set by CBC directive; map the current reporting calendar during pre-launch readiness and build automated extractions from the core ledger rather than relying on manual quarter-end compilation.

EEA passporting for EMIs rests on two directives: Directive 2009/110/EC (EMD2) for e-money issuance and Directive (EU) 2015/2366 (PSD2) for payment services. The home-state authorisation principle means the CBC’s decision binds every other EEA competent authority. In practice, this covers card issuance, e-wallets, SEPA credit transfers, direct debits, IBAN provisioning and account-information services across all 30 states under one licence and one supervisor. Host regulators receive a notification, not an application (Invest Cyprus).

The EMI files a passport notification with the CBC, which then forwards it to the host competent authority. No separate host-state licence is required. The notification distinguishes two modes: a branch under the freedom of establishment EMI route (local physical presence in the host state) and cross-border services under the freedom of services route (remote, digital-only delivery into the host state). Under PSD2 Article 28, the CBC transmits the file to the host competent authority within one month of receiving a complete notification; the host authority then has one month to send back observations on AML, consumer protection or local market specifics. The CBC must communicate its final decision within three months of receiving the complete notification, and the institution may begin host-state activity only once the entry is made in the CBC’s public payment-institution / EMI register under PSD2 Article 14.

Passporting unlocks SEPA reach but does not by itself confer SEPA scheme membership. A Cyprus EMI typically accesses the Single Euro Payments Area through a correspondent bank or sponsor PSP in the early phase, then migrates to direct membership at ECB TARGET2/TIPS or EBA Clearing (STEP2 and RT1) once volumes and operational maturity justify it. Host-state considerations still apply: local AML rules, consumer-disclosure language, complaint-handling channels and dispute-resolution bodies must be respected in each market the EMI services. The CBC retains prudential supervision; the host authority polices conduct within its territory.

A PI licence is the right tool when your business model is purely transactional: you move money between payer and payee but never issue a stored-value claim that customers redeem on demand. Acquiring, account information services, payment initiation, money remittance and merchant settlement all sit cleanly inside the PI perimeter. The PI minimum capital scales with the services requested under PSD2 Article 7 (€20,000 for money remittance, €50,000 for payment initiation, €125,000 for the full account-servicing bundle), which is cheaper to launch than the €350,000 EMI floor. If you want to issue prepaid balances, IBAN-attached e-wallets, or stablecoin-style EMTs, only the EMI licence covers that; PIs are barred from issuing electronic money under the Cyprus Payment Services Law transposing PSD2. The decision reduces to one question: do you hold a redeemable monetary claim against the customer’s balance, or do you only route a transaction?

If your firm provides crypto-asset services (custody, exchange of crypto for fiat or for other crypto, execution of orders, placing, reception and transmission, advice, or portfolio management), the relevant authorisation is the MiCA CASP licence issued by CySEC, not the CBC EMI. MiCA Annex IV sets three CASP capital tiers: Class 1 (€50,000) for advice, reception/transmission and transfer services; Class 2 (€125,000) for exchange of crypto-assets for funds or other crypto-assets and for custody and administration of crypto-assets on behalf of clients; and Class 3 (€150,000) for operating a trading platform for crypto-assets. The Cyprus filing deadline for legacy CASPs under the CySEC transitional regime closed on 27 February 2026; the EU-wide MiCA transitional period under Article 143 ends 1 July 2026, after which every CASP must hold a full MiCA authorisation to continue serving EU clients. The CASP and EMI authorisations are not mutually exclusive: a firm that both custodies Bitcoin and issues a euro-backed EMT will need both, with the CASP licence from CySEC covering the crypto services and an EMI licence from the CBC covering the EMT issuance. See ESMA’s MiCA hub for the consolidated CASP framework.

Single-licence shortcuts no longer work for EMT issuers. A Cyprus EMI that wants to mint a euro-pegged EMT must run a parallel MiCA filing with CySEC; a CySEC-authorised CASP that wants to safekeep its clients’ EMT balances or move them between wallets must either become a CBC-licensed PI/EMI or contract with one. We typically scope this dual-licence path at the structuring stage so capital, governance and ICT (DORA) controls are built once for both regulators rather than retrofitted after CBC or CySEC raise it in an RFI.