New CBC Governance Directives for Payment and Electronic Money Institutions: What Firms Should Do Now

  • Elena Niki Karletidi
  • May 29


The Central Bank of Cyprus has issued new 2026 Directives (Κ.Δ.Π 245/2026 and Κ.Δ.Π 246/2026) on the internal organisation and governance of Payment Institutions and Electronic Money Institutions, introducing a more detailed and structured governance framework for the payments and e-money sector in Cyprus.


The new framework marks an important supervisory development. It moves beyond general governance expectations and sets out more concrete requirements on board composition, internal organisation, committees, internal controls, risk management, compliance, internal audit, outsourcing, ICT risk, reporting and transparency.


For Payment Institutions and Electronic Money Institutions, this should not be treated as a simple policy update. It requires a practical review of how the institution is organised, how responsibilities are allocated, how risks are monitored, and how the Board exercises effective oversight.


The Big Picture: Governance Becomes More Structured

The new Directives are based on the principle that institutions must maintain an effective governance framework that is proportionate to their size, risk profile, nature, scale and complexity of activities.

This means that firms are not expected to apply a one-size-fits-all model. However, they must be able to demonstrate that their governance arrangements are appropriate, documented, operationally effective and aligned with their business model and risk profile.

The Central Bank’s expectations are clearly focused on substance. Institutions must not only have policies and procedures in place; they must also be able to evidence that these arrangements are understood, implemented, monitored and regularly reviewed.


Enforcement and Supervisory Expectations

The implementation deadlines set by the Directives create a clear supervisory expectation. Institutions should be ready to demonstrate to the Central Bank that they have:

  1. assessed their current governance framework;

  2. identified gaps against the new requirements;

  3. prepared and submitted a clear action plan within the required timeframe;

  4. assigned responsibility for implementation;

  5. updated relevant policies, procedures and terms of reference;

  6. strengthened reporting lines and Board oversight; and

  7. achieved full implementation within the nine-month compliance period.


Failure to take timely and structured action may expose institutions to supervisory scrutiny, particularly where governance weaknesses affect internal controls, risk management, outsourcing oversight, ICT risk, compliance or Board effectiveness.


Key Areas Covered by the New Framework

The Directives cover a wide range of governance and internal organisation requirements. The most important areas for firms to assess include the following.


1. Board Responsibility and Oversight

The administrative body has ultimate responsibility for the internal governance of the institution. This includes approving and overseeing the governance framework, business strategy, risk management arrangements, internal control system and compliance framework.


The Board must be able to demonstrate active and informed oversight. This includes regular review of policies, risks, internal controls, outsourcing arrangements, ICT risk and the effectiveness of the institution’s governance structure.


2. Board Composition and Independence

Institutions should review whether the Board has the appropriate size, composition, knowledge, experience and independence to exercise effective oversight and challenge.

This is particularly important for institutions with founder-led, operationally driven or informal governance structures, where Board responsibilities may not have been sufficiently documented or separated from day-to-day management.


3. Committees and Governance Structure

The Directives refer to the establishment and operation of Board committees, including risk and audit-related governance arrangements, subject to proportionality.


Institutions should assess whether their committees are properly documented, whether their terms of reference are clear, whether their reporting lines are effective and whether they have access to the information and resources needed to discharge their responsibilities.


Where committees are not established due to proportionality considerations, the institution should still be able to evidence how the relevant oversight responsibilities are carried out.


4. Internal Control Framework

A central part of the new framework is the requirement for a sound internal control framework. This includes a clear organisational structure, transparent reporting lines, proper segregation of duties, documented responsibilities and effective control mechanisms.


The internal control framework should cover the whole institution, including the Board, senior management, operational departments, internal control functions and outsourced activities.


Institutions should therefore review whether their internal governance documents reflect how the business actually operates in practice.


5. Risk Management, Compliance and Internal Audit

The Directives place significant emphasis on the key internal control functions.

The risk management function should identify, assess, monitor and report the risks to which the institution is exposed. The compliance function should support and monitor compliance with applicable laws, regulatory requirements and internal policies. The internal audit function should provide independent assurance on the adequacy and effectiveness of the internal control framework.


Institutions should assess whether these functions are clearly assigned, sufficiently independent, properly resourced and supported by appropriate reporting to the Board.


6. ICT Risk and Operational Resilience

ICT risk is expressly integrated into the governance framework. Institutions are expected to have appropriate arrangements for managing ICT-related risks, including alignment with the broader EU operational resilience framework.


This requires more than maintaining IT policies. Institutions should be able to demonstrate that ICT risk is identified, monitored, reported and incorporated into the wider risk management and internal control framework.


7. Outsourcing and Third-Party Arrangements

The Directives place strong emphasis on outsourcing governance. Institutions remain fully responsible for outsourced activities and must ensure that outsourcing arrangements do not weaken their governance, internal controls, regulatory compliance or ability to serve customers.


Institutions should review their outsourcing policy, outsourcing register, oversight arrangements, reporting lines, contractual protections and escalation mechanisms. Particular attention should be given to critical or important outsourced functions, ICT service providers and arrangements supporting core operational processes.


8. Complaints, Whistleblowing and Conduct

The new framework also addresses complaints handling, internal reporting and whistleblowing arrangements, corporate values and codes of conduct.

This reflects the expectation that governance is not only a matter of structure, but also of culture. Institutions should ensure that staff understand expected standards of conduct, escalation channels, internal reporting procedures and the consequences of non-compliance.


What PIs and EMIs Should Do Now

Payment Institutions and Electronic Money Institutions should move quickly and carry out a practical gap analysis against the new requirements.

Key areas to review include:

  1. Board composition, independence, responsibilities and reporting arrangements;

  2. terms of reference and operation of Board committees;

  3. governance framework, organisational structure and allocation of responsibilities;

  4. internal control framework and segregation of duties;

  5. risk management, compliance and internal audit arrangements;

  6. ICT risk governance and operational resilience arrangements;

  7. outsourcing policy, outsourcing register and third-party oversight;

  8. complaints handling, whistleblowing and conduct standards;

  9. reporting to the Central Bank of Cyprus; and

  10. evidence demonstrating that governance arrangements operate effectively in practice.


The immediate priority should be to prepare a structured gap analysis and action plan within the three-month deadline, followed by full implementation within the nine-month compliance period.


Why This Matters

For many institutions, the main challenge will not be the complete absence of policies, but whether existing policies, governance arrangements and reporting lines are sufficiently specific, operational and aligned with the actual business model.


The Central Bank’s expectations are increasingly focused on effective implementation. Institutions should be ready to demonstrate that their governance framework is not only documented, but also embedded, monitored and capable of withstanding supervisory review.


This creates a clear need for Payment Institutions and Electronic Money Institutions to move from general governance documentation to a more structured, risk-based and supervisory-ready framework.


Deadlines for Compliance

The Directives introduce specific implementation deadlines which institutions should treat as immediate regulatory priorities.


Within 3 months

Institutions must submit to the Central Bank of Cyprus an action plan for achieving full compliance with the provisions of the relevant Directive.


This action plan should be based on a proper gap analysis and should identify the actions required, responsible persons, timelines and areas where existing arrangements need to be updated or strengthened.


Within 9 months

Institutions must achieve full compliance with the relevant Directive within nine months from the date the Directive enters into force.


This means that the implementation period should not be used only for drafting documents. Institutions should ensure that the revised governance framework is properly approved, embedded and capable of being evidenced in practice.


How ENAH Services Ltd Can Support

ENAH Services Ltd can support Payment Institutions and Electronic Money Institutions in assessing and implementing the requirements of the new CBC Governance Directives.


Our support can include a regulatory gap analysis, preparation of the required action plan, review of governance and internal control arrangements, assessment of Board and committee documentation, review of risk management, compliance and internal audit frameworks, outsourcing governance review, ICT risk governance alignment and preparation of practical remediation actions.


We combine legal, regulatory and practical implementation experience, helping institutions translate supervisory requirements into workable governance arrangements that reflect their actual operating model.


The new Directives should be seen as an opportunity for institutions to strengthen their governance framework, enhance supervisory readiness and build a more resilient and well-controlled organisation.
