(CBC Directive 29 May 2026 , Κ.Δ.Π. 245/2026)
Scope:
• Licensed Electronic Money Institutions (EMIs)
• Payment Service Providers (where EMI-licensed)
• Directors and Senior Management of EMIs
• Compliance Officers of EMIs
• Shareholders and investors in Cyprus-regulated EMIs
Summary:
CBC published the Internal Organisation and Governance of Electronic Money Institutions Directive of 2026 (Κ.Δ.Π. 245/2026) in the Official Gazette on 29 May 2026, with immediate effect on that date. The Directive establishes a structured governance framework for Cyprus-licensed EMIs, requiring a sound governance architecture that ensures effective and prudent management. A key feature is that it incorporates by analogy the Internal Organisation and Governance of Payment Institutions Directive of 2026, which contains detailed provisions on the management body, internal control systems, risk management, regulatory compliance, ICT risk management (including DORA-aligned obligations for non-micro-enterprises), outsourcing, complaints handling, whistleblowing, and reporting to the CBC. EMIs must have appropriate procedures for identifying, managing, monitoring and reporting all material risks, including AML/CFT compliance risks. The Directive moves EMI governance from a general supervisory expectation to a structured, documented compliance obligation with board-level accountability.
Implications:
Affected EMIs and other within scope institutions should:
• Conduct a gap analysis of current governance arrangements against the new Directive and the Payment Institutions Governance Directive of 2026 as applied by analogy.
• Review and update the governance framework: board composition, committee structures, internal reporting lines and terms of reference.
• Establish or strengthen internal control functions: compliance, risk management, internal audit and ICT risk management.
• Review ICT risk management framework for DORA alignment (Regulation (EU) 2022/2554) – separate ICT risk function required unless micro-enterprise exemption applies.
• Review and update AML/CFT internal control mechanisms and compliance monitoring arrangements.
• Review outsourcing arrangements for adequacy of oversight and controls.
• Update complaints handling and whistleblowing procedures.
• Ensure CBC reporting obligations are clearly assigned and documented.
• Update governance policies and manuals to reflect proportionality principle and actual business model.
• Management Body/ Board of Directors to formally assess adequacy of current governance arrangements and approve remediation plan where gaps are identified.
Should you need assistance with conducting a gap analysis and putting in place the necessary infrastructure please feel free to conduct us.