TaxLegi 30.04.2026

• The law transposing the EU Directive 2023/2226 (DAC8) has been enacted in Cyprus, enhancing tax transparency and automatic information exchange.
• The law introduces mandatory tax reporting on crypto assets and establishes an automatic exchange framework for certain advance cross-border rulings on high-net-worth individuals.
• The existing obligations of Financial Institutions under the Common Reporting Standard (CRS Law) are extended.

Executive summary

On 27 March 2026, the law (Ν. 38(Ι)/2026, the Law) amending the Law on Administrative Cooperation in the field of Taxation (Law N. 205(I)/2012) was published in the Official Gazette of the Cyprus Republic and entered into force. The Law transposed European Union's (EU) Directive 2023/2226 of 17 October 2023 (referred to as DAC8 or the Directive)^[1] into domestic law. The Law is broadly aligned with the provisions of the Directive.

The main changes introduced relate to the due diligence and reporting duties on Crypto-Asset Service Providers and Crypto-Asset Operators, the extension of the scope of application of the CRS and the introduction of a framework for the automatic exchange of certain advance cross-border rulings granted to high-net-worth individuals.

In addition, the Law amends the domestic legislation on mandatory disclosure rules (MDR) with regard to reportable cross-border arrangements (DAC6/MDR Law)².

Detailed discussion

Automatic exchange of information provided by Crypto-Asset Service Providers

Scope

The Law defines the reporting obligations, due diligence procedures and registration requirements in Cyprus for Reporting Crypto-Asset Service Providers (RCASPs) and provides further details on the specificities of the automatic exchange of information on crypto assets.

RCASPs are either entities licensed in Cyprus by the relevant competent authority under the EU's Markets in Crypto-Assets Regulation (MiCAR) or entities that provide Crypto-Asset Services under MiCAR but are not required to register for MiCAR (Crypto-Asset Operators), provided they have Cyprus nexus, i.e., are either tax residents of Cyprus, incorporated in Cyprus, managed from Cyprus, or have their usual place of business in Cyprus.

The scope of reporting covers crypto-asset services and activities, such as (1) providing custody and administration of crypto-assets on behalf of clients, (2) operation of a trading platform for crypto-assets, (3) execution of orders for crypto-assets on behalf of clients, (4) exchange of crypto-assets for funds or other crypto-assets, or (5) providing advice or portfolio management on crypto-assets. Such services also include staking and lending crypto-assets.

For reporting purposes, a Reportable Crypto-Asset includes any crypto-asset other than a Central Bank Digital Currency, Electronic Money, or any Crypto-Asset for which the Reporting Crypto-Asset Service Provider has adequately determined that it cannot be used for payment or investment purposes.

The definition of crypto-asset is fully aligned with MiCAR, however is broader under the Law, as it additionally includes all types of crypto-assets that may be used for payment or investment purposes.

Reportable transactions involving crypto-assets are those involving exchange transactions in Reportable Crypto-Assets or the transfer of Reportable Crypto-Assets.

Due diligence procedures

All RCASPs are required by the Law to collect and verify the information received on crypto-asset users (i.e., on natural persons, legal entities or arrangements and legal entities or arrangements with controlling persons that may be crypto-asset users) in line with specific due diligence procedures.

These procedures include the obligation for RCASPs to determine, through a valid self-certification of the crypto-asset user (which must always be signed and include specific identification information on the crypto-asset user) to be obtained from them, if users are reportable crypto-asset users, i.e., are residents of an EU Member State for tax purposes or an estate of a decedent that was a resident of any EU Member State, other than Excluded Persons, as defined in the CRS legislation.

All RCASPs should maintain records proving their compliance with their reporting and due diligence obligations under the Law, for a minimum period of 5 years and up to 10 years from the end of the year to which the reporting refers.

Finally, in accordance with the Cypriot legislation on the protection of personal data, the Law clarifies that a Cypriot RCASP or Reportable Crypto-Asset Operator must:

(i)  inform each individual concerned that information relating to that individual will be collected and transferred in accordance with the Law; and

(ii) transmit to each individual concerned all the information that the individual is entitled to receive from the data controller, providing sufficient time for the individual to exercise his/her data protection rights and, in any event, transmitting the information before it is communicated to the Cypriot Tax Authorities (CTA).

Reporting obligations and exchange of information

By the 30^th of June of each year, RCASPs must report information in relation to the previous calendar year to the CTA. Information to be reported includes information on the RCASP, the reportable crypto-asset users (including their controlling persons, if any, if such persons are themselves reportable crypto-asset users) and transactional information on reportable crypto-assets.

The CTA will then share the information with tax authorities of the users' residence within 9 months following the end of the year to which the information relates. The first reporting will take place by 30 June 2027, i.e., will refer to calendar year 2026, with the first exchange of information by 30 September 2027.

Exemptions

For the prevention of multiple reportings, an exemption from due diligence and reporting obligations is provided, if, subject to certain conditions, a RCASP fulfills DAC8 obligations in another EU Member State or a jurisdiction with which Cyprus has concluded an agreement on the exchange of information similar to DAC8.

If a RCASP also qualifies as a Financial Institution within the meaning of the CRS Law, it may rely on the due diligence procedures implemented under that law to meet its due diligence obligations under DAC8 or on any valid self-certification provided for other tax purposes.

Penalties

An administrative fine of up to EUR 5,000 would apply for failure by a RCASP to comply with their obligation of collection and verification of information provided by reportable crypto-asset users, as part of their due diligence obligations.

In addition, the CTA may impose a penalty of up to EUR 10,000 if a RCASP did not meet its record maintenance obligation, as part of its due diligence obligations, or in the case of an incomplete or inaccurate submission of information to the CTA, or for failure by a Crypto-Asset Operator to register in Cyprus.

Amendments to the CRS – CRS 2.0

The DAC8 Law significantly broadens the scope of application of the CRS rules through the following amendments:

The definition of Reporting Financial Institutions is expanded to include electronic money (e‑money) institutions and the definition of Financial Accounts now includes e-money products. It is therefore expressly clarified that e-money institutions will now need to comply with the CRS rules. 

Extension of CRS Reporting Requirements

DAC 8 also enhances the CRS reporting obligations by introducing additional mandatory data points, including in particular:

·    an indication of whether a valid self‑certification is held for the account holder and, where applicable, any controlling person of a Passive Non‑Financial Entity (NFE);

·    whether an account is a joint account and, if so, the number of joint account holders;

·    whether the account is a pre‑existing account or a new account (i.e., opened before, or on/after, 1 January 2016);

·    the type of reportable account (Depository Account, Custodial Account, Cash Value Insurance Contract, Annuity Contract, or Debt or Equity Interest in an Investment Entity);

·    for account holders that are investment entities qualifying as legal arrangements, the capacity in which the reportable person acts (e.g., settlor, trustee, protector, beneficiary or equivalent);

·    the role of controlling persons of Passive NFE account holders (now mandatory rather than optional);

·    the account number type, which remains optional but now includes additional categories, such as “Specified Electronic Money Product”.

Exchange of information on advance cross-border rulings

The Law expands the automatic exchange of information to advance cross-border rulings on high-net-worth individuals issued, amended or renewed from 1 January 2026, if either:

·    The transactions covered by the cross-border ruling exceed EUR 1,500,000 (or the equivalent in another currency).

·    The tax ruling determines whether the individual is a tax resident of Cyprus.

With regard to tax periods beginning on or after 1 January 2028, additional details should also be exchanged for advance cross-border rulings and advance pricing agreements that are subject to exchange of information, i.e., the tax identification number (TIN) issued by the EU Member State(s) of residence of all the relevant parties.

Amendments to the DAC6 Law

The DAC6 Law is amended to reflect the Court of Justice of the European Union's (CJEU) judgment in case C-694/20, dated 8 December 2022. As such,  lawyers bound by legal professional privilege (LPP) are no longer required to notify other intermediaries, but must still inform their own clients/the relevant taxpayers on their reporting obligations.

Entry into force

The Law has entered into retroactive effect as of 1 January 2026 (with few exceptions). The first crypto-asset reporting and exchanges are expected in June 2027 and September 2027, respectively.

Next steps

Affected stakeholders should promptly assess the implications for customer onboarding, client communications, and compliance and operational frameworks, and initiate implementation efforts to ensure alignment with the new legislative and data reporting requirements.

Crypto‑Asset Service Providers, in particular, are encouraged to fully assess the impact of the new rules on their business models, governance arrangements and control environments.

Reporting Financial Institutions should anticipate a significant uplift in CRS data capture and reporting capabilities in order to meet the expanded reporting scope and new data elements. Early engagement will be critical to identify gaps, define remediation roadmaps and mitigate implementation and regulatory risk ahead of the first reporting deadlines.

For additional information with respect to this Alert, please contact the following:

Petros Liassides

Partner, Direct Tax Services

Petros.Liassides@cy.ey

Panayiotis Tziongouros

Partner, International Tax and Transaction Services

Panayiotis.Tziongouros@cy.ey.com

Stavros Karamitros

Senior Manager, International Tax and Transaction Services

Stavros.Karamitros@cy.ey.com

Endnotes

[1] For background on DAC8, see EY Global Tax Alerts, EU finance ministers reach political agreement on updated compromise text for Directive introducing tax transparency rules for crypto assets (DAC8), dated 17 May 2023 and EU adopts Directive introducing tax transparency rules for crypto assets (DAC8), dated 24 October 2023.

2 Law Ν. 41(Ι)/2021 amending the Law on Administrative Cooperation in the field of Taxation, dated 31.03.2021.

• On 9 April 2026, the Cyprus Tax Department published the list of jurisdictions that are considered as low-tax jurisdictions for the purposes of the relevant defensive tax rules.
• The low-tax jurisdictions are determined based on specific criteria and the list will be updated on an annual basis.
• Taxpayers should familiarize themselves with the list and consider the potential impact on their structures and the application of the defensive tax measures.

On 9 April 2026, the Cypriot Tax Department issued a circular listing the jurisdictions considered as low-tax jurisdictions for the purposes of applying the relevant defensive tax measures against low_-tax jurisdictions (i.e., dividend withholding tax and nondeducibility of interest/royalties). These measures are applicable as of 1 January 2026. (For background, see EY Tax Alerts, Cyprus introduces defensive tax measures targeting low-tax and 'blacklisted' jurisdictions, dated 15 April 2025, Cyprus enacts major tax reform legislation, dated 8 January 2026, and Cyprus broadens documentation requirements for certain payments to nonresident companies in low-tax jurisdictions, dated 18 March 2026.)

The jurisdictions on the list (LTJ List) for 2026 are:

• (a)   Anguilla
• (b)   Vanuatu
• (c)   Bermuda
• (d)   British Virgin Islands
• (e)   Guernsey
• (f)     Cayman Islands
• (g)   Turks and Caicos Islands
• (h)   Isle of Man
• (i)     Bahamas
• (j)     Bahrain
• (k)   Jersey

The LTJ List is determined based on specific criteria (not made available by the Cyprus Tax Department) and will be reviewed and updated on an annual basis.

Taxpayers should familiarize themselves with the LTJ List and consider the potential impact on their structures and the application of the defensive tax measures.

For additional information with respect to this Alert, please contact the following:

Petros Krasaris

Partner, Head of International and Transaction Tax Services

Tel: +357 22 209 790 Petros.P.Krasaris@cy.ey.com

Philippos Raptopoulos

Partner, Head of Tax and Legal Services

Tel: +357 25 209 740 Philippos.Raptopoulos@cy.ey.com

Petros Liassides

Partner, Direct Tax Services

Tel: +357 22 209 797 Petros.Liassides@cy.ey.com

Myria Saparilla

Partner, Direct Tax Services

Tel: +357 96 795 037 Myria.Saparilla@cy.ey.com

Elina Papaconstantinou

Senior Manager, International and Transaction Tax Services

Tel: +357 22 209 763 Elina.Papaconstantinou@cy.ey.com

On 27 March 2026, The Council of Ministers has issued two Decrees (R.A.A. 167/2026 and R.A.A. 168/2026), published in the Official Gazette of the Republic amending the Fifth, Sixth and Twelfth Schedules of the Cyprus VAT Law (Law 95(I)/2000).

The Decrees introduce temporary VAT relief measures relating to basic food products and household electricity supply, as outlined below.

R.A.A. 168/2026 – TEMPORARY ZERO (0%) VAT RATE ON ESSENTIAL FOOD PRODUCTS

The Fifth and Sixth Schedules of the Cyprus VAT Law have been amended to provide temporary zero (0%) VAT on specific food products, applicable from 6 April 2026 until 30 September 2026.

The temporary measures apply only to the following essential food products:

Meat Products (fresh, chilled or frozen)

• Bovine meat (classified under CN codes 0201 and CN 0202)
• Swine meat (classified under CN code 0203)
• Sheep or goat meat (classified under CN code 0204)
• Edible offal of bovine animals, swine, sheep and goats, (classified under CN code ex 0206)
• Meat and edible offal of the poultry of heading 0105 (classified under CN code 0207)
• Other meat and edible offal, rabbits and hares (classified under CN code ex 0208)

Fish and seafood (fresh, chilled or frozen)

• Fish (classified under CN codes 0302, 0303 and 0304)
• Cuttle fish, squid and octopus (classified under CN code 0307)

R.A.A. 167/2026 – TEMPORARY REDUCED (5%) VAT ON HOUSEHOLD ELECTRICITY

The Fifth and Twelfth Schedules of the Cyprus VAT Law have been amended to introduce temporary reduced (5%) VAT on household electricity supply, applicable from 1 May 2026 until 31 March 2027.

The relief applies to electricity supplied under the following Electricity Authority of Cyprus tariffs:

• Residential single meter tariff (Code 01)
• Residential dual meter tariff (Code 02)
• Special residential tariff for vulnerable consumers (Code 08)
• Thermal energy storage tariff (Code 56), where linked to tariffs 01, 02 and 08

NEXT STEPS FOR AFFECTED BUSINESSES

Ensure that the reduced (5%) and zero (0%) VAT rates are correctly applied during the relevant periods. 

EY remains at your disposal to assess the implications of the Decrees, ensure the correct application of VAT, and provide assistance with any clarifications or compliance requirements arising from these changes.

George Liasis, Partner, Indirect Tax George.Liasis@cy.ey.com

Maria Raspa, Director, Indirect Tax Services Maria.Raspa@cy.ey.com

Iacovos Kefalas, Director, Indirect Tax Iacovos.Kefalas@cy.ey.com

Margarita Vasiadi, Senior, Indirect Tax Margarita.Vasiadi@cy.ey.com

Iliana Panayotova, Manager , Indirect Tax Iliana.Panayotova@cy.ey.com