Cyprus CIF License in 2026: The Complete CySEC Investment Firm Guide

Why Cyprus CIF is still the EU's most popular MiFID jurisdiction

A Cyprus Investment Firm (CIF) is a MiFID II investment firm authorised by the Cyprus Securities and Exchange Commission (CySEC). Cyprus has licensed more CIFs than any other EU jurisdiction: several hundred retail brokers, proprietary trading firms, asset managers and wealth managers operate under a CIF licence. The pattern is driven by four factors: an English-language procedure, a relatively pragmatic supervisor, tier-1 EU passport access, and lower setup cost than Germany or France.

Cyprus is also one of the most active EU jurisdictions for retail FX and CFD brokerage. European retail-broker supervision (leverage caps, negative-balance protection, product governance) has been heavily driven by CySEC enforcement experience since 2018.

The three CIF classes and capital

CIF capital is based on Investment Firms Regulation (IFR) and MiFID II Article 15. CySEC puts the services into three classes by risk.

Initial capital must be paid up in cash in a Cypriot credit institution and ring-fenced until authorisation. Ongoing own funds follow IFR Class 1/2/3 K-factor methodology; retail brokers typically hold significantly more than the floor to absorb client-volatility stress events.

Authorisation process and timeline

1. Pre-filing. Incorporate a Cypriot limited company, appoint board and key function holders, lease real office.
2. File preparation. Business plan, programme of operations, organisational chart, operations manual, AML/CFT manual, risk manual, ICT and DORA framework, compliance manual, outsourcing register, remuneration policy, fit-and-proper questionnaires, capital evidence.
3. Submission. File to CySEC via the SPIDER online portal. Application fee EUR 5,000 to EUR 10,000 depending on class.
4. Completeness review. 10 to 15 working days.
5. Substantive assessment. Six months from a complete file per MiFID II. Real-world 6 to 12 months with RFI rounds.
6. Conditions precedent. Paid-up capital, key hires on board, IT live, safeguarding partners in place. Passive CIF registration number issued.
7. Passporting. Notifications to host NCAs; services start 15 calendar days after.

End-to-end for a Class 2 retail-broker CIF: 9 to 14 months. Class 3 advisory CIFs can run a few months shorter; Class 1 market-maker CIFs run longer.

DORA, client-asset protection and conduct expectations

Since January 2025 DORA applies to all CIFs. Documented ICT risk framework, incident reporting compliant with CySEC Circular C700, regular digital resilience testing and third-party ICT register are part of the base authorisation file and ongoing supervision.

CySEC has also invested heavily in conduct supervision since 2018. Expect focused reviews on:

• Client-asset protection. Segregation, daily reconciliation, auditor attestation.
• Product governance. Target-market definitions, distribution-channel appropriateness, review frequency.
• Inducements and third-party payments. Enhanced disclosure, no quality-improvement tests for retail.
• Suitability and appropriateness. For retail brokers, structured assessment and record-keeping.
• Leverage caps and negative-balance protection. ESMA product-intervention measures enforced in Cyprus.

CIF + MiCA CASP: the two-for-one play

CySEC is one of the European supervisors that authorises both MiFID CIFs and MiCA CASPs. A CIF that wants to add crypto services has two options:

• Article 60 simplified notification. Use the MiCA Article 60 path to add CASP services onto the existing CIF. The NCA has 40 working days to object.
• Separate CASP authorisation. File a standalone MiCA application, useful when the crypto business is large and operationally distinct.

Most large CIFs that offer crypto-exposure products chose the Article 60 route during 2025 and 2026 to compress the timeline. Retail FX/CFD brokers adding crypto CFDs often go CIF-only because crypto derivatives are already MiFID instruments.

Substance and governance

• Board. At least four directors, of whom two executive and two independent. Collective suitability on MiFID, risk, compliance, technology and (for FX/CFD brokers) retail product expertise.
• Executive management. CEO, head of compliance (typically dual-hat AMLCO), head of risk, head of internal audit, head of dealing. CySEC assesses each individually.
• Local substance. Cyprus office, local executive management, local compliance and risk. CySEC has tightened substance expectations in response to historical critiques.
• Outsourcing. Allowed with CySEC notification. Intragroup outsourcing common.

Cyprus tax: corporate income tax 12.5% (being increased to 15% in 2026 under the OECD Pillar Two framework for large multinationals). Non-dom regime remains attractive for individuals relocating to Cyprus.

Ship a Cyprus CIF product with Crassula

Crassula provides the core platform that a CIF needs: client onboarding, KYC and suitability, client-money segregation, trading integration, reporting, DORA ICT and CySEC-ready regulatory returns. For CIFs that also add MiCA CASP services, the same platform covers the crypto module.

FAQ