Cyprus Payment Institution (PI) Authorization

What is a Cyprus Payment Institution?

Cyprus has become one of the most active EU jurisdictions for payment institution licensing, and for good reason. The Central Bank of Cyprus (CBC) authorises Payment Institutions (PIs) under the Provision and Use of Payment Services and Access to Payment Systems Laws of 2018 to 2025 — Cyprus's national transposition of PSD2 — and the resulting license grants access to EU passporting across all 30 EEA states, regulated status under a credible EU central bank, and the operational foundation for a broad range of payment, remittance, and payment initiation services. For fintech companies, remittance operators, payment service providers, and — increasingly — crypto-asset firms navigating the post-MiCA dual licensing landscape, the Cyprus PI is a commercially significant authorization.

As of 2026, the CBC operates an enhanced supervisory strategy for payment institutions with particular focus on operational resilience, DORA compliance, cross-border activity monitoring, and AML/CFT controls. The days of relatively light-touch PI authorization in Cyprus are over — the CBC now conducts rigorous substantive assessments and expects genuine operational substance in Cyprus, not a brass-plate structure. Firms that come prepared with a complete application, credible management team, and well-designed compliance framework generally find the process manageable. Those who underestimate the documentation requirements do not.

Why Cyprus for Payment Businesses

The Eight Payment Service Categories

A Cyprus PI authorization covers payment services as listed in Annex I of the Law. Services 1 through 7 require full PI authorization from the CBC. Service 8 — account information services — requires CBC registration rather than full authorization, and is governed by a lighter-touch regime under Section 34 of the Law.

1. 1
   Service 1: Services enabling cash to be placed on a payment account, including all operations required for operating a payment account.
2. 2
   Service 2: Services enabling cash withdrawals from a payment account, including all account operating operations.
3. 3
   Service 3: Execution of payment transactions including direct debits, payment card transactions, and credit transfers/standing orders where funds are held in the user's own payment account.
4. 4
   Service 4: Execution of payment transactions where funds are covered by a credit line — direct debits, card transactions, credit transfers/standing orders.
5. 5
   Service 5: Issuing and/or acquiring payment instruments.
6. 6
   Service 6: Money remittance — the transfer of funds received from a payer to a payee without a payment account being held in the PI's name. This is the lowest-capital-threshold service (€20,000 minimum capital) and the most common starting point for remittance operators.
7. 7
   Service 7: Payment initiation services (PIS) — initiating a payment order on behalf of the payer from a payment account held at another payment service provider.
8. 8
   Service 8: Account information services (AIS) — providing consolidated information on payment accounts held by users across different PSPs. Requires CBC registration, not full authorization.

Capital Requirements

Minimum initial capital requirements under the Cyprus Payment Services Law vary by the scope of services authorized:

These are initial capital thresholds — the CBC also applies ongoing own funds requirements calculated as a percentage of payment volume under one of three methods set out in the Law (Method A, B, or C). For growing payment businesses, own funds requirements will typically exceed the initial capital threshold within the first 12–24 months of operation. Capital must be maintained at all times and is monitored as part of the CBC's ongoing supervision.

Organizational Requirements

Cyprus requires genuine operational substance — the CBC will not authorize a PI that exists only on paper. The Law requires that the PI's registered and head office be in Cyprus, and that it carries out at least part of its payment service business from Cyprus. The following minimum staffing structure is required:

• •Executive Directors — 2, both Cyprus residents. Must be fit and proper and pass CBC suitability assessment under the Directive on the Assessment of Suitability of Members of the Management Body of 2025.
• •Non-Executive Director — 1, can be non-Cyprus resident
• •Independent Non-Executive Director — 1, can be non-Cyprus resident. A majority of the board should be independent.
• •Compliance and AML/CFT Officer — Cyprus resident. Must demonstrate relevant qualifications and experience.
• •Internal Audit — can be outsourced to a qualified third party
• •External Auditor — CBC-approved statutory auditor
• •Legal Adviser — to support ongoing regulatory obligations
• •Accounting and payroll — in-house or outsourced

All ultimate beneficial owners holding more than 10% of voting rights or share capital, directors, and key function holders must pass the CBC's fit and proper assessment. Non-EU shareholders are permitted — there is no restriction on foreign ownership. The personal questionnaire for management body and key function holder suitability assessments must be submitted via the CBC's e-platform as part of the application.

EU Passporting — Freedom to Provide Services and Branch Passports

The commercial value of a Cyprus PI license extends well beyond Cyprus itself. The Payment Services Law gives the authorized PI the right to provide services to customers throughout the EEA on a cross-border basis — the freedom to provide services (FPS) passport — without establishing a physical presence in the host member state. This covers all 30 EEA countries (EU 27 plus Norway, Iceland, and Liechtenstein).

Where the PI wishes to provide services through a physical presence — a branch — in a host EEA state, it must apply to the CBC for a branch passport, which the CBC then notifies to the host state's competent authority. The process is coordinated through the CBC and does not require a separate authorization from the host regulator.

The 17-Section Application — What CBC Expects

The Cyprus PI application follows the EBA Guidelines on authorisation under PSD2 (EBA/GL/2017/09), which are fully adopted by the CBC. The application comprises 17 guidelines (Guidelines 2–18 of the CBC Application Form issued in September 2018 and subsequently updated), covering:

• •Guideline 2 — Details of the applicant (corporate structure, shareholders, UBOs)
• •Guideline 3 — Programme of operations (services to be provided, target markets, distribution model)
• •Guideline 4 — Business plan with financial forecasts for at least three years
• •Guideline 5 — Organisational structure (governance, reporting lines, outsourcing arrangements)
• •Guideline 6 — Evidence of initial capital (bank statements, capitalization documents)
• •Guideline 7 — Safeguarding of client funds (segregation arrangements or insurance/guarantee)
• •Guideline 8 — Governance arrangements and internal control mechanisms
• •Guideline 9 — Procedures for monitoring, handling, and following up on security incidents
• •Guideline 10 — Process for managing access to sensitive payment data
• •Guideline 11 — Business continuity arrangements and disaster recovery
• •Guideline 12 — Statistical data collection principles (performance, transactions, fraud)
• •Guideline 13 — Security policy document
• •Guideline 14 — Internal controls for AML/CFT compliance
• •Guideline 15 — Identity and suitability of persons with qualifying holdings
• •Guideline 16 — Identity and suitability of management body members and key function holders
• •Guideline 17 — Identity of statutory auditors and audit firms
• •Guideline 18 — Professional indemnity insurance or comparable guarantee (for PIS and AIS providers)

The application must be submitted to the CBC via its e-platform, accompanied by a receipt confirming payment of the non-refundable application fee (deposited to the CBC APPLICATION FEES account, IBAN CY65 0010 0001 0000 0000 0772 3042). Preparation of a complete application package typically takes approximately three months. The CBC's assessment period thereafter is estimated at approximately 12 months — though this is entirely at the CBC's discretion and can extend further if additional information requests are issued.

MiCA and Dual Licensing — What Crypto Firms Need to Know in 2026

The regulatory intersection of MiCA and PSD2 has created a significant new driver of Cyprus PI applications in 2025 and 2026. In June 2025, the European Banking Authority issued a No-Action Letter on the interplay between PSD2 and MiCA, establishing that certain services involving Electronic Money Tokens (EMTs) constitute payment services under PSD2 — specifically, the transfer of EMTs on behalf of clients and the custody and administration of EMTs where the wallet constitutes a payment account.

From 2 March 2026, CASPs providing these EMT-related payment services must either hold a CBC PI or EMI authorization, or have partnered with a payment service provider that does. The CBC required CASPs already providing these services to have submitted PI/EMI applications by 20 February 2026. CASPs that submitted applications by that date may continue providing services to existing clients while their applications are assessed.

PI vs. EMI — Which Authorization is Right for Your Business?

The primary distinction between a Payment Institution and an Electronic Money Institution (EMI) in Cyprus is the scope of permitted activities. A PI is authorized to provide payment services (Services 1–7) and, subject to PSD2's ancillary credit provisions, limited credit facilities directly linked to payment transactions. An EMI can do everything a PI can do — plus issue electronic money. If the business model involves issuing e-money (prepaid cards, e-wallets, stored value), an EMI authorization is required. If the model is purely payment processing, remittance, payment initiation, or card acquiring without e-money issuance, a PI is the appropriate authorization.

EMI minimum capital requirements are higher than PI — €350,000 initial capital for an EMI regardless of the services provided. The EMI application follows a similar structure to the PI application but with additional requirements around e-money issuance, redemption, and the specific safeguarding obligations that apply to e-money. For businesses that may add e-money issuance to their model later, it is worth considering EMI authorization from the outset to avoid a full re-authorization process.

How Zitadelle AG Assists

• •Initial regulatory scoping — determining whether PI, EMI, or both authorizations are required for your business model
• •Service category selection — identifying which of the eight payment service categories apply to your operations
• •Cyprus company incorporation — establishing the Cyprus legal entity if not already in place
• •17-section application preparation — complete documentation covering all EBA guidelines
• •Suitability assessment support — preparing directors and key function holders for CBC fit and proper assessments
• •CBC submission and follow-up — managing all CBC correspondence and information requests
• •EU passporting notifications — coordinating FPS and branch passport applications through the CBC
• •MiCA dual licensing advisory — assessing parallel PI/EMI requirements for CASPs offering EMT services
• •Post-authorization compliance support — ongoing regulatory compliance, DORA readiness, and CBC examination preparation
• •Banking introductions — for PIs requiring correspondent banking relationships

Zitadelle AG assists payment companies, fintech operators, remittance businesses, and crypto-asset firms with Cyprus PI authorization — from initial regulatory scoping and service category selection through the full 17-section application preparation, CBC submission, and post-submission follow-up. Our Cyprus office provides direct access to the local regulatory and legal environment, and our team has direct experience with the CBC's current application standards including the enhanced 2025 suitability assessment directive and the dual licensing requirements affecting CASPs from March 2026.

For businesses evaluating the Cyprus PI alongside other EU payment licensing options — including Lithuanian EMI, UK FCA Small PI, or Maltese PI — we provide comparative regulatory analysis and licensing roadmaps tailored to the specific business model, target markets, and passporting requirements. Contact Zitadelle AG for a confidential initial consultation on your Cyprus PI authorization.