For the first time in EU history, anti-money laundering law will be a directly applicable Regulation, not a Directive requiring national transposition. That distinction matters. It means there is no longer a national version of the rules. There is one version, binding equally across all member states, interpreted by a single authority, and enforced through a supervisory college that includes Cyprus's own regulators.
What AMLA is, and what it is not
The European Anti-Money Laundering Authority (AMLA) was established by Regulation (EU) 2024/1620 and is headquartered in Frankfurt. It is not a replacement for CySEC, ICPAC, or the Central Bank of Cyprus. It is a new layer sitting above national supervisors, setting the standards they must enforce, and directly supervising the highest-risk entities itself.
Under the previous Directive-based system, national regulators had discretion in how they transposed and applied EU rules. Under the new setup, the rules are a directly applicable Regulation. There is no national version, no margin for softer implementation, and no room to argue that local practice differs from EU expectation.
AMLA does not replace your current regulator. It raises the floor that your current regulator must now enforce. In practice, Cyprus-regulated entities will be assessed against a standard that is considerably higher than what inspection has typically required.
For most Cyprus obliged entities (accountants, lawyers, corporate service providers, regulated investment firms, payment institutions), AMLA will exercise indirect supervision through CySEC, ICPAC, and the Central Bank. Direct supervision by AMLA itself will initially apply to approximately 40 high-risk cross-border financial institutions across the EU.
The dates every Cyprus firm should have on record
The transition to the new framework is phased. The relevant milestones for Cyprus-regulated entities are as follows:
How the harmonised Regulation differs from current national law
The new EU AML Regulation is considerably more prescriptive than Cyprus's current Prevention of Money Laundering Law. For Cyprus-regulated entities, the changes that matter most are:
- Risk assessment methodology: binding RTS specify how customer risk must be segmented. Firms using their own risk rating systems will need to verify they align with AMLA's methodology, not just confirm that a system exists.
- Governance at board level: the Regulation introduces explicit requirements for AML/CFT governance at board level, with defined responsibilities, escalation procedures, and documented oversight. The MLCO role is more specifically defined than it is under current Cyprus law.
- Enhanced due diligence triggers: the list of circumstances requiring enhanced due diligence is extended and standardised across the EU. Firms whose EDD procedures were built around national guidance that is narrower than the Regulation will find gaps when they check.
- Crypto asset service providers (CASPs): CASPs are fully in scope as obliged entities, with requirements equivalent to those applied to financial institutions. CASPs authorised under MiCA face immediate and comprehensive AML obligations.
- Structured data and reporting: the Regulation introduces structured data requirements for certain disclosures. Firms running their compliance on documents and spreadsheets may need to rethink how they capture and report this information.
- Internal audit: the Regulation requires an internal audit capacity that specifically tests the AML/CFT programme, not a general audit that touches compliance as one item among many.
Current position vs AMLA Regulation: where the gaps are
| Compliance Area | Current Position (Cyprus Law) | AMLA Regulation Requirement | Gap Risk |
|---|---|---|---|
| Customer risk rating | Risk-based approach, national guidance | Binding RTS methodology — must align precisely | Elevated |
| MLCO role and governance | MLCO appointment required, duties general | Explicit board-level governance framework, defined escalation, documented oversight | High |
| Enhanced due diligence | Cyprus-transposed triggers (4AMLD/5AMLD) | Extended, standardised EU trigger list — some national EDD frameworks are narrower | Elevated |
| CDD documentation standard | Risk-proportionate, regulator guidance | Broadly consistent — verify against RTS | Low |
| Internal audit of AML framework | Good practice, not always formalised | Mandatory, dedicated AML/CFT internal audit function | High |
| CASPs / crypto entities | CASP registration under CySEC | Full obliged entity status, financial institution-equivalent obligations | Critical |
| SAR / STR filing | MOKAS reporting obligations | Consistent with current requirements | Low |
| Beneficial ownership | UBO registry, 60-day update obligation | Consistent — UBO verification standard clarified | Low |
| Structured data / reporting format | No structured data requirement | Structured data requirements for specific disclosures — may require system changes | Elevated |
Where most Cyprus firms stand today
From the work we do with regulated firms across Cyprus, most fall into one of four positions relative to where the Regulation will require them to be:
Compliant on paper, weak in practice
Policies exist and pass current inspection. But they reference national law rather than the EU Regulation, the risk assessment has not been touched since implementation, and nobody has specifically reviewed the AML programme through an internal audit lens. The gap is real but closeable.
Strong on process, weak at the top
CDD is applied consistently and files are in good order. But at board level, things are informal. The MLCO reports to management rather than the board, compliance is not on the board agenda, and there is no written escalation procedure. The Regulation's governance requirements will expose this.
In good shape, but not finished
The compliance programme is current, governance is structured, and internal audit reviews AML as a specific item. The main job now is tracking the binding RTS as they are finalised and confirming alignment. Not a rebuild, but not something to set aside either.
Significant gaps requiring attention now
For CASPs especially, and for firms that have grown quickly without keeping their compliance structure up to speed, the gap is serious. The Regulation's requirements are not optional improvements. They are conditions for remaining authorised.
What a readiness programme actually looks like
In practice, we approach AMLA readiness work in four stages. Each has a different lead time and they do not all run in parallel. The governance work tends to take the longest because it requires board-level engagement and real structural changes, not just documentation updates.
- Gap analysis. A line-by-line comparison of your current policies, procedures, and controls against the AMLA Regulation and the draft RTS. The result is a clear picture of where gaps exist, how serious they are, and what it will take to close them.
- Policy and procedure update. Rewriting or supplementing existing AML documentation to reference the EU Regulation directly, not just national law. Updating the risk assessment to align with AMLA's binding RTS on customer segmentation. Extending EDD triggers to the new EU-standard list.
- Governance restructure. Putting in place the governance structure the Regulation requires: a documented MLCO mandate, clear reporting lines to the board, a standing compliance agenda item, and a written escalation procedure. This is where firms most consistently underestimate the time and internal coordination involved.
- Testing and audit. Running an internal review that tests whether policies are being applied, not just whether they exist. Finding and resolving gaps before a regulator working under the new standard finds them instead.
The firms in the best position when July 2027 arrives will be those that finished their gap analysis in 2026 and treated the remediation work as a proper project: one person accountable, a budget, a completion date. Not something done in the margins of everything else.
Obligations by entity type in Cyprus
The Regulation applies to all obliged entities. For Cyprus, the entity types facing the most significant changes relative to where they are now are:
- CySEC-regulated entities (CIFs, ASPs, payment institutions): indirect AMLA supervision through CySEC. Governance and risk assessment are the main areas needing attention. CySEC will be expected to show AMLA that it is applying the new standard consistently, which means CySEC-supervised firms will feel that pressure directly.
- ICPAC members (accountants, auditors, tax advisors): indirect supervision through ICPAC. The extended EDD trigger list and the internal audit requirement are the most significant changes here. Most ICPAC-supervised firms have decent CDD procedures. The governance side is less developed and will need work.
- Crypto asset service providers (CASPs): the biggest change of any category. CASPs are elevated to full obliged entity status with requirements equivalent to those applied to banks and investment firms. For those authorised under MiCA who have not yet built a proper AML structure, this cannot be deferred.
- Trust and Company Service Providers (TCSPs): already obliged entities under Cyprus law. The Regulation's more prescriptive approach to risk assessment and governance will require a review of existing procedures, particularly for TCSPs whose client base has shifted over the years.
- Real estate professionals: the National Risk Assessment identifies real estate as one of the highest-risk sectors in Cyprus. The Regulation's approach to EDD on high-value transactions will apply uniformly and will attract more scrutiny than it has under national rules.
How Euromanagement supports AMLA readiness
This regulation does not reward firms that wait. The gap between where most Cyprus firms are today and where the Regulation requires them to be is still closeable without major disruption. In twelve months it will be smaller. In twenty-four, it will need closing regardless of what that costs or how inconvenient the timing is.