1 Legal and enforcement framework

1.1 What general regulatory regimes and issues should blockchain developers consider when building the governance framework for the operation of blockchain/distributed ledger technology protocols?

Cyprus is currently drafting legislation that will regulate distributed ledger technology (DLT) business ventures. The draft legislation is a direct result of the Cypriot National Strategy on DLT. Once enacted, the new legislation will facilitate DLT implementations through several state registers and processes.

DLT protocols usually comprise a set of rules that determine how the DLT system operates. For example, DLT protocols can determine:

  • how nodes interact with each other;
  • how data is routed from one node to the next;
  • the conditions for validity of on-chain transactions;
  • how consensus is achieved;
  • the maintenance of the ledger;
  • the conditions for making changes to the system; and
  • how errors are dealt with.

In preparation for the enactment of the Cypriot blockchain legislation, developers building governance for DLT protocols should take into account the existing regulatory frameworks relating to financial services, public offerings, electronic communications, data protection, tax and contract law.

The framework regulating due diligence procedures in the context of anti-money laundering (AML) applies to several blockchain applications. Depending on the sector or domain in which a specific DLT protocol is implemented, further regulatory regimes might need to be considered, such as corporate law.

One key domain in which regulatory regimes are particularly relevant to DLT ventures is that of cryptographic (or digital) assets. Where crypto-assets qualify as transferable securities or other types of financial instruments, the Cypriot regime regulating public offerings of securities, financial services and settlements might apply. This regime – which transposes EU legal instruments such as the Prospectus Directive, the Transparency Directive, the Second Markets in Financial Instruments Directive (MiFID II) and the Market Abuse Directive – is likely to apply to firms offering crypto-assets that are deemed to be issuers or providers of investment services.

1.2 How do the foregoing considerations differ for public and private blockchains?

In principle, public blockchains (particularly permissionless blockchains) will expose the protocol to a wider range of applicable frameworks, due to their public nature. As such, in a public blockchain system, it is important to consider what law might apply to on-chain transactions and consider appropriate risk assessment regarding the protocol design itself. Nevertheless, from a liability perspective, in a plethora of permissionless public blockchains, developers may be understood to have limited their regulatory and legal exposure where the protocol allocates full control to network participants in a manner that could shift any liability to those participants.

Depending on their precise functions, private blockchains might allow developers to operate within specific legal frameworks. However, a number of private blockchains assessed through the prism of current regulatory regimes might lead to certain operators in such blockchains being regarded as accountable aspects of the system's operation. While all developers should assess their position, private blockchain developers should seek legal advice as to their involvement in the lifecycle of the system.

1.3 What general regulatory issues should users of a blockchain application consider when using a particular blockchain/distributed ledger protocol?

Crypto-assets are a common application of DLT at present. When dealing in crypto-assets, users will want to ensure that their investment is protected. The European Securities and Markets Authority (ESMA) has identified the most significant risks as being fraud, cyber-attacks, money laundering and market manipulation. Meanwhile, there could be benefits associated with initial coin offerings, provided that the appropriate safeguards are in place.

Depending on the protocol used, the processing of investors' personal data might also prove a consideration for blockchain developers.

Moreover, in public blockchain systems, where there is a clear contractual framework between the participants which may expressly or impliedly allocate liability and accountability to the participants, this might give rise to legal exposure to users.

1.4 Which administrative bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

The Cyprus Securities and Exchange Commission (CySEC) is responsible for enforcing the legislation governing financial services. A key consideration for CySEC is the legal status of crypto-assets, as this determines whether the financial services legislation is likely to apply.

CySEC is also competent to regulate security tokens, which qualify as transferable securities. As ESMA noted in its 2019 Advice on Initial Coin Offerings and Crypto-Assets, the actual classification of a crypto-asset as a financial instrument is the responsibility of the individual national regulators, and will depend on the specific national implementation of EU law and the information and evidence provided to the regulator.

Where crypto-assets qualify as transferable securities or other types of MiFID financial instruments, the full set of EU financial rules – including the Prospectus Directive, the Transparency Directive, MiFID II, the Market Abuse Directive, the Short Selling Regulation, the Central Securities Depositories Regulation and the Settlement Finality Directive – is likely to apply to their issuers and/or firms providing investment services/activities relating to those instruments.

In some cases, the e-money framework may apply, depending on the nature of the crypto-assets, which might result in the Central Bank of Cyprus having competence over such crypto-assets.

The framework regulating the due diligence procedures in the AML context will also apply to a number of blockchain applications, particularly those relating to crypto-assets. In the AML context, the Cypriot legal order designates respective authorities (eg, CySEC) as competent to implement the AML framework, depending on the activity concerned. The AML Unit at the Attorney General's Office has wide-ranging powers in investigating AML offences.

Other authorities might also be competent to determine the application of regulatory regimes, depending on the nature and function of the blockchain. For example, the Commissioner for the Protection of Personal Data might be competent where on-chain acts involve the processing of personal data; while the Tax Department will have the power to tax any activity that generates taxable income under Cyprus law. Generally – and particularly ahead of the introduction of specific Cypriot legislation – an overall legal assessment is required for any blockchain venture.

1.5 What is the regulators' general approach to blockchain?

CySEC encourages the development of responsible blockchain applications, which can be accommodated under the existing regulatory regimes.

CySEC itself is exploring the DLT space and is participating in a number of initiatives, such as the Blockchain Technology for Algorithmic Regulation and Compliance project, which is run by University College London Blockchain Technologies. CySEC has also launched an innovation hub to explore innovative fintech applications, including those based on DLT.

1.6 Are any industry or trade associations influential in the blockchain space?

Several associations are active in the promotion of blockchain technology, ranging from financial services professional associations to academic groups.

2 Blockchain market

2.1 Which blockchain applications and protocols have become most embedded in your jurisdiction?

Cyprus hosts a plethora of blockchain-driven businesses, using a wide range of protocols. Ethereum appears to be the most widely used platform for blockchain implementations other than cryptocurrencies. Several cryptocurrency exchanges are operating out of Cyprus.

2.2 What potential new applications/protocols are most actively being explored?

Applications relating to record-keeping and ‘know your client' processes are actively being explored in Cyprus.

2.3 Which industries within your jurisdiction are making material investments within the blockchain space?

A number of financial services firms are developing and investing in blockchain implementations. The private tertiary education sector is also demonstrating increased investment appetite in the blockchain space.

2.4 Are any initiatives or governmental programmes in place to incentivise blockchain development in your jurisdiction?

The government and Parliament of Cyprus worked jointly to produce the National Strategy on Distributed Ledger Technology (DLT). The National Strategy was published in 2019 and sets out how Cyprus intends to develop blockchain technology.

Cyprus has joined the European Blockchain Partnership, which unites EU and European Economic Area member states in realising the potential of blockchain-based services for the benefit of citizens, society and economy. The partnership is building a European Blockchain Services Infrastructure to deliver EU-wide cross-border public services using blockchain technology.

Cyprus has also signed the Declaration of the Southern Mediterranean Countries on DLTs, with a view to enhancing inter-governmental cooperation on emerging technologies such as DLT. The National Strategy seeks to build on these efforts.

Cyprus intends to introduce legislation regulating DLT in respect of both financial services and outside financial services. The legislation is currently being drafted with input from national and international experts on DLT.

3 Cryptocurrencies

3.1 How are cryptocurrencies and/or virtual currencies defined and regulated in your jurisdiction?

The National Strategy on Distributed Ledger Technology (DLT) classifies crypto-assets into:

  • security tokens, which have security-like characteristics and qualify as ‘transferable securities' within the meaning of Section 2 of the Investment Services and Activities and Regulated Markets Law of 2017 (which transposes MiFID II); and
  • non-security tokens, such as:
    • utility tokens, which are considered to be a promise for the provision of a service or a product that is prepaid in advance with the token concerned; and
    • payment tokens, which are intended only as means of payment for acquiring goods or services.

Where crypto-assets qualify as transferable securities or other types of MiFID financial instruments, the full set of EU financial rules – including the Prospectus Directive, the Transparency Directive, MiFID II, the Market Abuse Directive, the Short Selling Regulation, the Central Securities Depositories Regulation and the Settlement Finality Directive – is likely to apply to their issuers and/or firms providing investment services or activities relating to those instruments.

3.2 What anti-money laundering provisions apply to cryptocurrencies?

Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (AMLD5), aims to address AML risks relating to cryptocurrencies, among other things.

AMLD5 brings under its ambit entities that provide services that are responsible for holding, storing and transferring cryptocurrencies. These actors must identify their customers and report any suspicious activities to the competent authorities.

Cyprus is considering ‘gold-plating' AMLD5 in order to bring additional crypto-asset activities under the AML/counter terrorist financing obligations and address risks emanating from crypto-assets.

3.3 What consumer protection provisions apply to cryptocurrencies?

In the context of crypto-assets which are treated as financial instruments, investors are afforded all relevant protections available to investors in such instruments.

3.4 How are cryptocurrencies treated from a tax perspective?

Legislation is being drafted to regulate the taxation of cryptocurrencies. The National Strategy on DLT envisages that payment tokens could be taxed on net profits at the standard tax rate (12.5% on profit), or at a lower tax rate if incentives become available. The same rate on net profits would apply to utility tokens where the token concerned was used in exchange for the promised product or service, without any tax liability at issuance.

The National Strategy also foresees the tax treatment of transactions involving payment tokens as identical to that of transactions involving fiat currency. Payment tokens will fall outside the scope of capital gains tax.

Security tokens are expected to be taxed in the same way, such as payments for dividends according to the existing rules, so that the taxation of securities is broadened to encompass security tokens. Profits from trading in utility tokens should be taxed as trading income in terms of the ordinary income tax rules.

3.5 What regulatory requirements apply to a cryptocurrency trader/exchange?

There is no specific set of regulatory requirements for exchanges at present.

3.6 How are initial coin offerings and securities token offerings defined and regulated in your jurisdiction?

Generally, the Cyprus Securities and Exchange Commission is competent to regulate security tokens that qualify as transferable securities. Where crypto-assets qualify as transferable securities or other types of MiFID financial instruments, the full set of EU financial rules – including the Prospectus Directive, the Transparency Directive, MiFID II, the Market Abuse Directive, the Short Selling Regulation, the Central Securities Depositories Regulation and the Settlement Finality Directive – is likely to apply to their issuer sand/or firms providing investment services or activities relating to those instruments.

4 Smart contracts

4.1 Can a smart contract satisfy the legal requirements of a legal contract under the laws of your jurisdiction? What will be considered when making this determination?

At present, there is no specific regime regulating smart contracts. In the blockchain context, the term ‘smart contract' generally refers to code that is stored on a blockchain and can be accessed by one or more parties. These programs are often self-executing and make use of blockchain properties to achieve their objective.

The National Strategy on Distributed Ledger Technology (DLT) discusses smart contracts that are concluded and executed via DLT systems with the terms of the agreement written into code, which can execute and validate trusted transactions without the need for a central authority or an external enforcement mechanism.

4.2 Are there any regulatory or governmental guidelines or policies within your jurisdiction which provide guidance on regulating/defining smart contracts?

The National Strategy envisages recognition of the legal effects of smart contracts in Cypriot private law. Such recognition is anticipated to afford legal certainty by providing for the recognition and binding effect of smart contracts, provided that they are governed by Cypriot law. The legislation may further provide for the jurisdiction of Cypriot courts over claims arising under or in connection with DLT systems, which would need to take into account private international law rules.

4.3 What parts of traditional contract might smart contracts be able to replace?

Smart contracts could be used to automate business processes that can be shared and executed among the parties, offering increased trust and reliability in the process. Smart contracts could also be employed for asset transfers or other transactions, such as custody or escrow arrangements and payment against delivery. Gradually, the element of autonomy in smart contracts might evolve these programs into autonomous decision makers that are far more dynamic in execution and use than currently envisaged.

4.4 What parts of traditional contracts might smart contracts be unable to replace?

We anticipate that complex contractual arrangements that are heavily negotiated and establish sophisticated liability regimes will not be replaced by smart contracts.

4.5 What issues might present themselves in your jurisdiction with regard to judicial enforcement of smart contracts?

The enforcement of smart contracts is an unknown factor, both vis-à-vis smart contracts that may claim to establish contractual relationships and those which purport to have legal effects. In that sense, there is considerable legal uncertainty with regard to the enforcement of smart contracts.

Nevertheless, Cyprus is a common law jurisdiction and English judgments carry persuasive authority; while a considerable part of contract law is codified in the Cypriot legal order. The constantly evolving body of common law thus affords a considerable degree of certainty. Conclusive certainty is expected later in 2020, as the National Strategy envisages the recognition of the legal effects of smart contracts in Cypriot private law.

4.6 What are some practical considerations that parties should consider when drafting a smart contract?

The type of smart contract must be determined from the outset, to navigate the potentially applicable regulatory frameworks with precision. The EU Blockchain Observatory and Forum distinguishes between:

  • smart legal contracts, which are smart contracts on a blockchain that represent – or that aim to represent – a legal contract; and
  • smart contracts with legal implications, which are artefacts/constructs based on smart technology that result in legal implications.

In the former case, contract validity issues will be paramount, given that the intention is to establish a binding legal contract. In the latter case, the subject matter of the smart contract and the ability to create legal effects with regard to this subject matter will be the crucial issues to consider.

4.7 How will the foregoing considerations differ when smart contracts are running on a private versus public blockchain?

Issues of liability and enforceability will vary depending on whether smart contracts are running on a private or public blockchain. Contract audits might be a new form of assessment that attaches to smart contracts in order for these to gain recognition and acceptance.

Overall, if the results of blockchain transactions cannot be manifested and protected in the real world, their potential is significantly diminished. The act of transacting – even if devoid of any element of trust – must result in an enforceable change over rights attaching to or deriving from the asset concerned, whether this is a token or is represented by a token.

5 Data and privacy

5.1 What specific challenges or concerns does blockchain present from a data protection/privacy perspective?

The EU General Data Protection Regulation and blockchain technology inevitably clash in certain respects. The areas of friction largely concern:

  • the identification of controllers and processors in a blockchain context;
  • the anonymisation of personal data so that the resulting output can be stored on a blockchain; and
  • the exercise of data subjects' rights (eg, the right to be forgotten, given blockchain's premise of immutability).

5.2 What potential advantages can blockchain offer in the data protection/privacy context?

The decentralisation element at the core of blockchain technology carries the promise of a user interaction that maximises privacy and theoretically removes the notion of the central processing of personal data. This architectural norm is also promising from a security perspective, given that the absence of a central location of data processing mitigates the risk of data loss or fraudulent use of personal data. Lastly, distributed ledger technology systems purport to enhance self-sufficiency in terms of managing online identities, shifting the management of identities from a central operator to the users themselves.

6 Cybersecurity

6.1 What specific challenges or concerns does blockchain present from a cybersecurity perspective?

Blockchain is vulnerable to cybersecurity risks at both platform and end-user level. Emerging technologies, such as quantum computing, may render current encryption techniques insufficiently secure in the future. A blockchain's integrity is contingent on its governance model and the methods it uses to validate on-chain transactions. Controlling blockchain network access is fundamental to secure data access in private blockchains.

6.2 What potential advantages can blockchain offer in the cybersecurity context?

Blockchains could potentially prove impenetrable platforms, securing data and preventing fraud through consensus mechanisms. Any tampering with data could be detected through the unique characteristics of distributed ledger technology, such as immutability and operational resilience (no single point of failure).

6.3 What tools and measures could be implemented to mitigate cybersecurity risk?

Blockchain security measures vary according to each individual application. Full encryption of on-chain data to make it inaccessible by unauthorised parties while the data is in transit would be a major step towards mitigating cybersecurity risk.

Organisations that deploy blockchain will also want to implement private key management procedures and governance practices internally, as fundamental components to the security of the network.

Moreover, transaction data integrity protection within blocks using cryptographic hashes chronologically records data blocks by securely tying each block to the preceding and following blocks.

7 Intellectual property

7.1 What specific challenges or concerns does blockchain present from an IP perspective?

Many of the most widely used blockchain implementations are open source. One major challenge is that the major players in the blockchain industry will pursue brand recognition for their innovations, irrespective of whether they are harnessing open source technology.

7.2 What type of IP protection can blockchain developers obtain?

Copyright may be applicable to blockchain implementations, depending on the particular facts. Moreover, certain blockchains may be eligible for registration as patents.

7.3 What are the best open-source platforms that could be used to protect developers' innovations?

In terms of protecting developers' innovations, from a Cypriot law perspective, it would rather be a matter of how developers use open-source platforms. Whether an application developed on an open-source platform can generate intellectual property rights would be a matter assessed and determined on a case-to-case basis, drawing on the extent of original work in developing such application.

7.4 What potential advantages can blockchain offer in the IP context?

The use of blockchain in the IP context can reduce intermediation. The primary example of how blockchain can be used advantageously in the IP context is to prove the existence of an IP right. Tracking IP rights on a blockchain provides immutable evidence of ownership and can limit costs and inefficiencies in proving IP right ownership and infringement.

8 Trends and predictions

8.1 How do you think the regulatory landscape in your jurisdiction will evolve in the blockchain space over the next two years? Are any pending changes currently being considered?

As discussed above, the National Strategy on Distributed Ledger Technology has been introduced and legislation is now being drafted to facilitate the use of blockchain technology in Cyprus.

8.2 What regulatory changes would you like your jurisdiction to implement to further advance the blockchain industry?

The National Strategy lays out the direction that Cyprus is taking to advance the blockchain industry. Having provided input on the strategy, we feel that Cyprus is on track to become a leading player on the global blockchain scene, for all the right reasons.

8.3 What is the largest impediment within your jurisdiction to the adoption of blockchain technology?

Cyprus has championed a structured, gradual and responsible adoption of blockchain technology, resisting a plethora of toxic implementations that have appeared in other jurisdictions. This is largely the result of its rigorous regulatory landscape, which also provides legal certainty and security for blockchain-driven businesses and users alike.

9 Tips and traps

9.1 What are your top tips for effective use of blockchain technologies in your jurisdiction and what potential sticking points would you highlight?

Effective deployment of a blockchain implementation in Cyprus depends on the precise nature of the venture. With regard to crypto-assets, the first step is to assess whether the financial services framework applies. If this is not the case, it should be ensured that the implementation is developed and released in alignment with upcoming legislative developments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.