Cyprus -- Securities Classification Regulatory Overview

Cyprus, like other EU member states, classifies cryptocurrency tokens as securities primarily by applying existing financial legislation, notably the Markets in Financial Instruments Directive II (MiFID II), which has been transposed into Cypriot law as the Investment Services and Activities and Regulated Markets Law of 2017 (Law 87(I)/2017). The Cyprus Securities and Exchange Commission (CySEC) is the primary regulatory authority responsible for this classification and oversight.

CySEC adopts a "substance over form" approach, meaning the actual characteristics and rights conferred by a token, rather than its label, determine its regulatory classification. There isn't a direct "Howey test equivalent" as used in the US; instead, the assessment focuses on whether a token fits within the definitions of "financial instruments" under MiFID II.

1. Legal Test Used (MiFID II Framework)

Cyprus does not employ a distinct "Howey test" for classifying tokens. Instead, the legal test involves assessing whether a token falls under one of the categories of "financial instruments" as defined in Annex I, Section C of MiFID II (Directive 2014/65/EU). These categories include:

1. Transferable securities: Shares, bonds, other forms of securitised debt, and other instruments giving a right to acquire or dispose of transferable securities.
2. Money-market instruments.
3. Units in collective investment undertakings.
4. Options, futures, swaps, forward rate agreements, and any other derivative contracts relating to securities, currencies, interest rates or yields, emission allowances or other indices or financial indicators, which may be settled physically or in cash.
5. Derivative instruments for the transfer of credit risk.
6. Financial contracts for differences.
7. Derivatives relating to commodities that can be physically settled or cash settled.

Key considerations for a token to be classified as a security (transferable security) often include:

• Investment expectation: Is there an expectation of profit from the efforts of others (issuer/third party)?
• Rights conferred: Does the token represent ownership rights (like shares), debt claims (like bonds), voting rights, rights to dividends or profits, or rights to acquire other securities?
• Transferability and Divisibility: Is the token freely transferable and divisible?

If a token possesses the characteristics of any of these MiFID II financial instruments, it is considered a security in Cyprus.

2. Which Tokens are Considered Securities

Based on the MiFID II framework, the following types of tokens are generally considered securities in Cyprus:

• Security Tokens: These are tokens explicitly designed to represent traditional financial instruments, such as:
  • Equity Tokens: Tokens that grant ownership rights in a company, similar to shares, often conferring voting rights, dividend entitlements, or a share in profits.
  • Debt Tokens: Tokens representing a loan or debt, similar to bonds, entitling the holder to interest payments and principal repayment.
  • Asset-backed Tokens: Tokens representing a claim on underlying physical assets (e.g., real estate, commodities) or financial assets (e.g., fund units), where the holder expects a return.
  • Tokens representing units in collective investment undertakings.
• Certain Derivatives on Crypto-Assets: If structured in a way that aligns with the MiFID II definitions of derivative contracts (e.g., options, futures, swaps on cryptocurrencies).

Tokens NOT typically considered securities (but may be regulated under other frameworks):

• Utility Tokens: Tokens designed solely to provide access to a specific product or service within a platform or network, without conveying investment rights or an expectation of profit from the efforts of others. However, if their primary purpose or marketing shifts to investment, they could be reclassified.
• Payment/Exchange Tokens (Cryptocurrencies): Tokens intended to function as a medium of exchange, unit of account, or store of value (e.g., Bitcoin, Ether). CySEC, in line with the EU approach, generally views these as "crypto-assets" but not "financial instruments" unless they display characteristics that qualify them as such (e.g., if Ether's original ICO was assessed under MiFID II principles, it might have been treated differently due to the investment expectation). These are primarily regulated under Anti-Money Laundering (AML) laws.
• E-money Tokens: Tokens that meet the definition of electronic money under the Electronic Money Directive 2009/110/EC (transposed in Cyprus). These represent a claim on the issuer for a fixed monetary value and are regulated as e-money, not financial instruments.

3. Registration/Exemption Requirements for Token Issuers

If a token is classified as a security:

• Prospectus Requirement: Public offerings of transferable securities in Cyprus generally require the publication of a prospectus approved by CySEC, in accordance with the Prospectus Regulation (EU) 2017/1129. This regulation harmonises the requirements for the format, content, and approval of prospectuses published when securities are offered to the public or admitted to trading on a regulated market.
• Exemptions: The Prospectus Regulation provides for certain exemptions from the prospectus requirement, including:
  • Offers to qualified investors only.
  • Offers addressed to fewer than 150 natural or legal persons per Member State, other than qualified investors.
  • Offers where the total consideration in the EU is less than €1 million over a 12-month period.
  • Offers where the denomination per unit is at least €100,000.
  • Offers of non-equity securities issued by a Member State or local authority.
• Issuer Authorisation: The issuer of the security token itself typically does not need to be authorised by CySEC unless it is also engaging in MiFID II regulated activities, such as providing investment advice, operating a trading platform, or managing portfolios of these security tokens. In such cases, the entity would need to be authorised as a Cyprus Investment Firm (CIF).

For tokens NOT classified as securities (but as crypto-assets):

• Issuers of non-security crypto-assets and firms providing services related to them (e.g., exchange, custody, transfer, portfolio management, advice) must register with CySEC as Crypto Asset Service Providers (CASPs) under the Law for the Prevention and Suppression of Money Laundering and Terrorist Financing (L.188(I)/2007), as amended by L.13(I)/2021. This registration focuses primarily on AML/CFT compliance.

4. Secondary Trading Rules

If a token is classified as a security (financial instrument):

• Trading Venues: Secondary trading of such tokens must take place on regulated markets (RMs), multilateral trading facilities (MTFs), or organised trading facilities (OTFs) which are regulated under MiFID II and overseen by CySEC.
• Post-Trade Transparency & Transaction Reporting: Transactions are subject to the reporting and transparency requirements of MiFID II and the Markets in Financial Instruments Regulation (MiFIR) (Regulation (EU) No 600/2014).
• Market Abuse Rules: The Market Abuse Regulation (EU) No 596/2014 (MAR) applies, prohibiting insider trading, market manipulation, and requiring disclosure of inside information for security tokens admitted to trading on regulated venues.

For tokens NOT classified as securities:

• Currently, there are no specific EU-wide secondary trading rules for non-security crypto-assets. However, entities facilitating the secondary trading of such tokens in Cyprus are typically considered CASPs and must be registered with CySEC under the AML Law. The upcoming Markets in Crypto-Assets (MiCA) Regulation will introduce comprehensive rules for crypto-asset service providers (CASPs) and issuers of non-security crypto-assets, including specific requirements for operating trading platforms, which will significantly alter this landscape.

5. Enforcement Examples

CySEC's enforcement actions in the crypto space have largely focused on:

• Unauthorised CASPs: Issuing warnings or imposing administrative fines on entities offering crypto-asset services in Cyprus without proper CySEC registration under the AML Law.
• AML/CFT Deficiencies: Penalising CASPs for failing to comply with their anti-money laundering and counter-terrorist financing obligations (e.g., insufficient customer due diligence, inadequate risk assessments, poor transaction monitoring).
• Misleading Marketing: Addressing misleading advertisements or promotions related to crypto-asset services.

While CySEC has been active in regulating CASPs, there are fewer publicly documented enforcement cases specifically targeting the unregistered public offering of security tokens in Cyprus. This is partly because such offerings may be less common, or enforcement actions are handled more discreetly under the existing securities laws. However, any issuer offering a token deemed a financial instrument without a valid prospectus or necessary authorisations would be subject to significant penalties under the Investment Services Law and the Prospectus Regulation.

Specific Legislation and Regulatory Guidance URLs

• Cyprus Securities and Exchange Commission (CySEC) Official Website:

  • https://www.cysec.gov.cy/

• CySEC Policy Statement on the Registration of Crypto Asset Service Providers (CASPs) and its Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing:

  • (Often updated, search on CySEC website for "AML Directive" or "CASP Policy Statement")
  • A relevant link to the Legal Framework section on CASPs: https://www.cysec.gov.cy/en-GB/entities/crypto-asset-service-providers-casps/legal-framework/

• Investment Services and Activities and Regulated Markets Law of 2017 (Law 87(I)/2017):

  • This is the national transposition of MiFID II. Finding a direct public URL for the latest consolidated version might require searching legal databases (e.g., Cyprus Bar Association, legislation portals).
  • An older but relevant link detailing the law: https://www.cysec.gov.cy/en-GB/legislative-framework/investment-services-law/

• Prospectus Regulation (EU) 2017/1129:

  • https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32017R1129

• MiFID II (Directive 2014/65/EU):

  • https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32014L0065

• Markets in Crypto-Assets (MiCA) Regulation (EU) 2023/1114 (Future Framework):

  • https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114

It's crucial to note that with the full implementation of the MiCA Regulation in the EU (expected by late 2024/early 2025 for most provisions), the regulatory landscape for non-security crypto-assets will significantly change, introducing a harmonized EU framework, including for whitepaper requirements and CASP authorisation. However, MiCA explicitly states it does not apply to crypto-assets that qualify as MiFID II financial instruments; those will continue to be regulated under existing securities laws.