Whistleblower law in Cyprus #
Cyprus implemented Directive (EU) 2019/1937 through Law 6(I)/2022, published on 4 February 2022. The basic private-sector trigger is 50 employees, but Cyprus organises external reporting through a competent-authority structure rather than one universal state inbox.
Applicable law #
Who must establish an internal channel #
Private employers with at least 50 employees must establish an internal reporting channel. Public-sector bodies are also covered by the law and usually publish their own internal-channel instructions.
External reporting authority #
Cyprus uses a list of competent authorities for external reporting, depending on the subject matter and sector. The official central guidance is the government whistleblower explainer , which points to guides for competent authorities rather than one single cross-sector authority.
Data protection authority #
For data-protection complaints relating to report handling, the relevant authority is the Office of the Commissioner for Personal Data Protection . The office has also issued a whistleblower-specific announcement .
Key compliance points #
- Cyprus expects obliged entities to publish both worker-facing guidance and internal handling rules.
- The law also covers anonymous reports where the whistleblower is later identified and suffers retaliation.
- In practice, Cypriot organisations should tell reporters which external authority fits the topic instead of treating “external reporting” as one generic route.
Official sources #
- Law 6(I)/2022 — official text PDF
- Law 6(I)/2022 — consolidated text
- Government whistleblower explainer
- Office of the Commissioner for Personal Data Protection — home page
- Office of the Commissioner for Personal Data Protection — whistleblower announcement
Deploy your reporting channel →
Last updated: