Cyprus PI License 2026 — CBC Payment Institution Authorization & CIF+PI Dual Structure Guide

What is a Cyprus Payment Institution?

Cyprus has become one of the most active EU jurisdictions for payment institution licensing, and for good reason. The Central Bank of Cyprus (CBC) authorises Payment Institutions (PIs) under the Provision and Use of Payment Services and Access to Payment Systems Laws of 2018 to 2025 — Cyprus's national transposition of PSD2 — and the resulting license grants access to EU passporting across all 30 EEA states, regulated status under a credible EU central bank, and the operational foundation for a broad range of payment, remittance, and payment initiation services. For fintech companies, remittance operators, payment service providers, and — increasingly — crypto-asset firms navigating the post-MiCA dual licensing landscape, the Cyprus PI is a commercially significant authorization.

As of 2026, the CBC operates an enhanced supervisory strategy for payment institutions with particular focus on operational resilience, DORA compliance, cross-border activity monitoring, and AML/CFT controls. The days of relatively light-touch PI authorization in Cyprus are over — the CBC now conducts rigorous substantive assessments and expects genuine operational substance in Cyprus, not a brass-plate structure. Firms that come prepared with a complete application, credible management team, and well-designed compliance framework generally find the process manageable. Those who underestimate the documentation requirements do not.

If you are researching the Cyprus payment institution license — the Central Bank of Cyprus payment institution authorization, often compared as Cyprus PI vs EMI — the practical reality in 2026 is shaped by two factors: DORA Cyprus compliance obligations from January 2025, and the PSD3 Cyprus transition timeline. Both are covered in detail below.

For Zitadelle AG clients specifically: Cyprus is our home jurisdiction. Our Limassol headquarters provides direct access to the Central Bank of Cyprus for PI applications and to CySEC for CIF authorizations — giving us a material advantage in managing dual applications, coordinating CBC/CySEC regulatory engagement, and responding to examiner queries faster than remote advisory firms. For any operator considering a Cyprus PI alongside a CySEC CIF, our team can manage both applications from the same office.

Why Cyprus for Payment Businesses

The CIF + PI Dual Structure — Cyprus's Most Powerful Licensing Combination

The most commercially significant development in Cyprus financial licensing in 2025–2026 is the convergence of investment firm authorization (CySEC CIF) and payment institution authorization (CBC PI) into coordinated dual-license structures for forex brokers, CFD platforms, and investment firms.

Why Forex and Investment Firms Need a PI License

A CySEC-authorized investment firm (CIF) can legally execute trades, manage client portfolios, provide investment advice, and take client orders. What a CIF license does NOT authorize — on its own — is the direct handling of client payment flows under a dedicated payment services framework.

In practice, most CIF licensees route client deposits and withdrawals through third-party PSPs and payment providers. This is operationally standard but creates cost, dependency, and control limitations. A CIF that also holds a CBC PI license can:

• •Process client deposits and withdrawals directly under its own regulated payment authorization
• •Issue payment accounts to clients under the PI framework
• •Conduct intra-group payment flows between the CIF trading entity and a regulated payment entity
• •Provide money remittance services for cross-border client fund transfers
• •Access better banking terms from EU correspondent banks that prefer regulated PSP counterparties
• •Satisfy institutional counterparties (liquidity providers, prime brokers) who require regulated payment infrastructure from their clients

Who Should Consider the Dual Structure

The CIF + PI combination is appropriate for:

• •Established CySEC CIF licensees seeking to bring payment processing in-house and reduce PSP dependency. A PI authorization alongside an existing CIF is a change-of-scope application rather than a new application — materially faster and simpler than applying from scratch.
• •New forex broker entrants who intend to build institutional-grade payment infrastructure from day one. Applying for both CIF and PI simultaneously — with a coordinated application strategy — is more efficient than sequential applications.
• •Fintech groups with both investment and payment services — operating a CIF for investment and a separate PI entity for payment processing within the same Cyprus corporate group. Group-level regulatory coordination is cleaner when both regulators are in the same jurisdiction.
• •Crypto-asset service providers operating under MiCA CASP authorization who also need payment service authorization for fiat on-ramp and off-ramp operations. The MiCA CASP (CySEC) + EMT transfer PI (CBC) dual structure is the emerging standard for institutional crypto operators in Cyprus from 2026.

Application Coordination

The CIF authorization is granted by CySEC. The PI authorization is granted by the CBC. These are separate regulators with separate application processes, separate application forms, and separate compliance requirements. However, they share:

• •Overlapping documentation requirements (business plan, UBO/shareholder structures, AML/CFT policy, DORA compliance framework, governance documentation)
• •Overlapping fit-and-proper requirements for key personnel
• •Overlapping substance requirements (Cypriot office, qualified executive management, local compliance)

A coordinated application strategy — preparing shared documentation that satisfies both regulators, sequencing the applications correctly, and managing CBC/CySEC regulatory correspondence from a single Cyprus-based advisory team — materially reduces total application time, cost, and duplication.

Zitadelle AG manages CIF + PI coordinated applications from our Limassol office, with direct relationships at both CySEC and CBC. This is our most-requested Cyprus licensing engagement in 2026.

The Eight Payment Service Categories

A Cyprus PI authorization covers payment services as listed in Annex I of the Law. Services 1 through 7 require full PI authorization from the CBC. Service 8 — account information services — requires CBC registration rather than full authorization, and is governed by a lighter-touch regime under Section 34 of the Law.

1. 1
   Service 1: Services enabling cash to be placed on a payment account, including all operations required for operating a payment account.
2. 2
   Service 2: Services enabling cash withdrawals from a payment account, including all account operating operations.
3. 3
   Service 3: Execution of payment transactions including direct debits, payment card transactions, and credit transfers/standing orders where funds are held in the user's own payment account.
4. 4
   Service 4: Execution of payment transactions where funds are covered by a credit line — direct debits, card transactions, credit transfers/standing orders.
5. 5
   Service 5: Issuing and/or acquiring payment instruments.
6. 6
   Service 6: Money remittance — the transfer of funds received from a payer to a payee without a payment account being held in the PI's name. This is the lowest-capital-threshold service (€20,000 minimum capital) and the most common starting point for remittance operators.
7. 7
   Service 7: Payment initiation services (PIS) — initiating a payment order on behalf of the payer from a payment account held at another payment service provider.
8. 8
   Service 8: Account information services (AIS) — providing consolidated information on payment accounts held by users across different PSPs. Requires CBC registration, not full authorization.

Cyprus PI vs Lithuania EMI vs Latvia EMI — Which Is Right?

The most common question from operators evaluating EU payment licensing in 2026 is whether to apply for a Cyprus PI, a Lithuanian EMI, or a Latvian EMI. The answer depends entirely on business model, target market, and strategic positioning — not just capital cost.

Choose Cyprus PI when:

• •You already hold or are applying for a CySEC CIF and want to add payment services in the same jurisdiction under the same corporate framework
• •You need the MiCA CASP + PI dual structure from Cyprus
• •Your operational cost model benefits from 12.5% CIT
• •You want Zitadelle AG's direct CBC access and on-the-ground Limassol presence managing your application

Choose Lithuania EMI when:

• •You need e-money issuance and IBAN issuance (a PI cannot do this — only an EMI can)
• •CENTROlink direct SEPA access is operationally important
• •Your corporate tax optimization benefits from Lithuania's framework or the restricted EMI entry-level pathway

Choose Latvia EMI when:

• •You want the 0%/20% deferred CIT model for reinvestment efficiency
• •A less crowded licensing pipeline suits your timeline
• •You are also considering Latvia's new €1M specialised credit institution for deposit-taking

Capital Requirements

Minimum initial capital requirements under the Cyprus Payment Services Law vary by the scope of services authorized:

These are initial capital thresholds — the CBC also applies ongoing own funds requirements calculated as a percentage of payment volume under one of three methods set out in the Law (Method A, B, or C). For growing payment businesses, own funds requirements will typically exceed the initial capital threshold within the first 12–24 months of operation. Capital must be maintained at all times and is monitored as part of the CBC's ongoing supervision.

Organizational Requirements

Cyprus requires genuine operational substance — the CBC will not authorize a PI that exists only on paper. The Law requires that the PI's registered and head office be in Cyprus, and that it carries out at least part of its payment service business from Cyprus. The following minimum staffing structure is required:

• •Executive Directors — 2, both Cyprus residents. Must be fit and proper and pass CBC suitability assessment under the Directive on the Assessment of Suitability of Members of the Management Body of 2025.
• •Non-Executive Director — 1, can be non-Cyprus resident
• •Independent Non-Executive Director — 1, can be non-Cyprus resident. A majority of the board should be independent.
• •Compliance and AML/CFT Officer — Cyprus resident. Must demonstrate relevant qualifications and experience.
• •Internal Audit — can be outsourced to a qualified third party
• •External Auditor — CBC-approved statutory auditor
• •Legal Adviser — to support ongoing regulatory obligations
• •Accounting and payroll — in-house or outsourced

All ultimate beneficial owners holding more than 10% of voting rights or share capital, directors, and key function holders must pass the CBC's fit and proper assessment. Non-EU shareholders are permitted — there is no restriction on foreign ownership. The personal questionnaire for management body and key function holder suitability assessments must be submitted via the CBC's e-platform as part of the application.

EU Passporting — Freedom to Provide Services and Branch Passports

The commercial value of a Cyprus PI license extends well beyond Cyprus itself. The Payment Services Law gives the authorized PI the right to provide services to customers throughout the EEA on a cross-border basis — the freedom to provide services (FPS) passport — without establishing a physical presence in the host member state. This covers all 30 EEA countries (EU 27 plus Norway, Iceland, and Liechtenstein).

Where the PI wishes to provide services through a physical presence — a branch — in a host EEA state, it must apply to the CBC for a branch passport, which the CBC then notifies to the host state's competent authority. The process is coordinated through the CBC and does not require a separate authorization from the host regulator.

The 17-Section Application — What CBC Expects

The Cyprus PI application follows the EBA Guidelines on authorisation under PSD2 (EBA/GL/2017/09), which are fully adopted by the CBC. The application comprises 17 guidelines (Guidelines 2–18 of the CBC Application Form issued in September 2018 and subsequently updated), covering:

• •Guideline 2 — Details of the applicant (corporate structure, shareholders, UBOs)
• •Guideline 3 — Programme of operations (services to be provided, target markets, distribution model)
• •Guideline 4 — Business plan with financial forecasts for at least three years
• •Guideline 5 — Organisational structure (governance, reporting lines, outsourcing arrangements)
• •Guideline 6 — Evidence of initial capital (bank statements, capitalization documents)
• •Guideline 7 — Safeguarding of client funds (segregation arrangements or insurance/guarantee)
• •Guideline 8 — Governance arrangements and internal control mechanisms
• •Guideline 9 — Procedures for monitoring, handling, and following up on security incidents
• •Guideline 10 — Process for managing access to sensitive payment data
• •Guideline 11 — Business continuity arrangements and disaster recovery
• •Guideline 12 — Statistical data collection principles (performance, transactions, fraud)
• •Guideline 13 — Security policy document
• •Guideline 14 — Internal controls for AML/CFT compliance
• •Guideline 15 — Identity and suitability of persons with qualifying holdings
• •Guideline 16 — Identity and suitability of management body members and key function holders
• •Guideline 17 — Identity of statutory auditors and audit firms
• •Guideline 18 — Professional indemnity insurance or comparable guarantee (for PIS and AIS providers)

The application must be submitted to the CBC via its e-platform, accompanied by a receipt confirming payment of the non-refundable application fee (deposited to the CBC APPLICATION FEES account, IBAN CY65 0010 0001 0000 0000 0772 3042). Preparation of a complete application package typically takes approximately three months. The CBC's assessment period thereafter is estimated at approximately 12 months — though this is entirely at the CBC's discretion and can extend further if additional information requests are issued.

DORA Compliance for Cyprus PIs — January 2025

The Digital Operational Resilience Act (DORA, EU 2022/2554) applies to all CBC-authorized payment institutions from 17 January 2025. The CBC has made DORA compliance a substantive application requirement — applicants who cannot demonstrate a credible DORA-aligned ICT framework at application stage face extended review timelines.

Key DORA requirements for Cyprus PIs:

Zitadelle AG prepares complete DORA-aligned ICT risk management frameworks and ICT third-party registers as standard components of the Cyprus PI application package — reducing CBC examiner queries and accelerating the authorization timeline.

MiCA and Dual Licensing — What Crypto Firms Need to Know in 2026

The regulatory intersection of MiCA and PSD2 has created a significant new driver of Cyprus PI applications in 2025 and 2026. In June 2025, the European Banking Authority issued a No-Action Letter on the interplay between PSD2 and MiCA, establishing that certain services involving Electronic Money Tokens (EMTs) constitute payment services under PSD2 — specifically, the transfer of EMTs on behalf of clients and the custody and administration of EMTs where the wallet constitutes a payment account.

From 2 March 2026, CASPs providing these EMT-related payment services must either hold a CBC PI or EMI authorization, or have partnered with a payment service provider that does. The CBC required CASPs already providing these services to have submitted PI/EMI applications by 20 February 2026. CASPs that submitted applications by that date may continue providing services to existing clients while their applications are assessed.

PSD3 Impact on Cyprus PI Holders

The provisional political agreement on PSD3 reached on 27 November 2025 will, when transposed (expected from late 2027), merge the PI and EMI licensing frameworks under a unified "payment institution" category with electronic money issuance as a specific permission.

For existing Cyprus PI holders:

• •PI authorizations granted under PSD2 will be grandfathered for 24 months after PSD3 enters into force — no immediate re-application required
• •After 24 months, PIs must submit a re-authorization application to the CBC demonstrating PSD3 compliance
• •The re-authorization process will resemble the PSD2 grandfathering exercise
• •Applying for a Cyprus PI in 2026 under the current PSD2/national law framework is correct — the 24-month grandfathering benefit makes applying now advantageous

For Cyprus PI holders considering upgrading to EMI: PSD3 will create a single framework — but for operators who need e-money issuance and IBANs before 2027, applying for a Cyprus EMI under the current EMD2 framework remains the correct route now. The EMD2 EMI authorization will also be grandfathered under PSD3.

PI vs. EMI — Which Authorization is Right for Your Business?

The primary distinction between a Payment Institution and an Electronic Money Institution (EMI) in Cyprus is the scope of permitted activities. A PI is authorized to provide payment services (Services 1–7) and, subject to PSD2's ancillary credit provisions, limited credit facilities directly linked to payment transactions. An EMI can do everything a PI can do — plus issue electronic money. If the business model involves issuing e-money (prepaid cards, e-wallets, stored value), an EMI authorization is required. If the model is purely payment processing, remittance, payment initiation, or card acquiring without e-money issuance, a PI is the appropriate authorization.

EMI minimum capital requirements are higher than PI — €350,000 initial capital for an EMI regardless of the services provided. The EMI application follows a similar structure to the PI application but with additional requirements around e-money issuance, redemption, and the specific safeguarding obligations that apply to e-money. For businesses that may add e-money issuance to their model later, it is worth considering EMI authorization from the outset to avoid a full re-authorization process.

How Zitadelle AG Assists

• Initial regulatory scoping — determining whether PI, EMI, or both authorizations are required for your business model
• Service category selection — identifying which of the eight payment service categories apply to your operations
• Cyprus company incorporation — establishing the Cyprus legal entity if not already in place
• 17-section application preparation — complete documentation covering all EBA guidelines
• Suitability assessment support — preparing directors and key function holders for CBC fit and proper assessments
• CBC submission and follow-up — managing all CBC correspondence and information requests
• EU passporting notifications — coordinating FPS and branch passport applications through the CBC
• MiCA dual licensing advisory — assessing parallel PI/EMI requirements for CASPs offering EMT services
• Post-authorization compliance support — ongoing regulatory compliance, DORA readiness, and CBC examination preparation
• Banking introductions — for PIs requiring correspondent banking relationships

Zitadelle AG assists payment companies, fintech operators, remittance businesses, and crypto-asset firms with Cyprus PI authorization — from initial regulatory scoping and service category selection through the full 17-section application preparation, CBC submission, and post-submission follow-up. Our Cyprus office provides direct access to the local regulatory and legal environment, and our team has direct experience with the CBC's current application standards including the enhanced 2025 suitability assessment directive and the dual licensing requirements affecting CASPs from March 2026.

For businesses evaluating the Cyprus PI alongside other EU payment licensing options — including Lithuanian EMI, UK FCA Small PI, or Maltese PI — we provide comparative regulatory analysis and licensing roadmaps tailored to the specific business model, target markets, and passporting requirements. Contact Zitadelle AG for a confidential initial consultation on your Cyprus PI authorization.