Filenews 8 July 2025 -by Vasos Vassiliou
With the invocation of the "strengthening of public safety and the investigation of serious criminal offenses", the debate on the regulations concerning the identification of owners and users of mobile telephony services that literally "break bones" begins today in Parliament. Specifically, for those who give false information in order to hide their identity, a fine of up to €50,000 or imprisonment of up to five years is foreseen.
The regulations under discussion provide that: "Anyone who makes a false statement or provides untrue information is guilty of an offence and, if convicted, is subject to a prison sentence not exceeding five years or a fine not exceeding €50,000 or both.
Based on the regulations, those who wish to purchase a mobile telephony SIM card and/or eSIM, will sign a declaration stating the following: "In case of false declaration, I acknowledge that I will be subject to the consequences provided for by the provisions of the "Identification of Holders and/or Users of SIM and/or eSIM Subscriber Identity Cards of Prepaid Mobile Telephony Services Law of 2024", as amended or replaced from time to time (Law 63(I)/2024). In particular, I acknowledge that according to Article 4(4) of the Law, a holder who makes a false declaration and/or provides untrue information is guilty of an offence and, in case of conviction, is subject to a prison sentence not exceeding five (5) years or a fine not exceeding fifty thousand euros (€50,000) or both. In addition, I recognize that an owner who fails to declare the user's identity data is guilty of an offence and, in the event of conviction, is subject to a prison sentence not exceeding six (6) months or a fine not exceeding five thousand euros (€5,000) or both".
The regulations also provide that when it is not possible to identify any person, their card will simply be for rubble. Specifically, it is provided that "where the required data specified in the Law are not available, identification is not possible and therefore the activation of the prepaid mobile telephony service is not allowed".
Those who wish to acquire and activate a mobile telephony card are given the opportunity to submit, with a relevant upload (upload), a solemn declaration. The regulations also provide for the possibility of recognizing a minor's attempt to register, in which case the request for identification is rejected with a relevant "error message".
The Commissioner for Communications is responsible for the management of the whole process, who undertakes the implementation of the regulations, which harmonize the Cypriot legislation with the "Regulation (EU) 2016/679", i.e. the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
The aim is to protect public safety
As stated in this regard, the purpose of the Regulations is to better implement the provisions of the Law (already adopted) for the protection of public security and the investigation of serious criminal offences, while ensuring that the basic principles governing the processing of personal data are complied with, and in particular:
(a) The determination of the identification procedures for the identification of the holders and users of SIM subscriber ID cards and/or eSIM prepaid mobile telephony services.
(b) The determination of any other matters of a technical nature which the Commissioner considers to be necessary or amenable to being determined.
In an accompanying document, it is stated that in compliance with the provisions of article 4 of the Law, for the identification of the owner and user of prepaid mobile telephony services, the following procedure is required:
>> The provider and/or the authorised representative shall ensure that the solemn declaration for the submission of mobile prepaid card holder and user identity information includes the minimum content (required user details).
>> For the identification of the holder and in particular the verification of the data entered in the solemn declaration, it is possible to use the existing procedure followed by the providers when concluding contracts with the subscribers (natural and legal persons) of the mobile contract services and, where possible, the identification process can be carried out through an electronic system that can be developed by the respective provider.
Where there is a change of user, providers must retain the data of previous users for the purpose of investigating any criminal offences for a period of three (3) months.
In case of theft or loss of a card, the existing procedure followed by the providers may be applied in cases of theft or loss of the SIM card of the contract subscribers.
The Regulations shall enter into force from the date of their publication in the Official Gazette of the Republic.
It is noted that for identification purposes, all the necessary documents must be presented in order to be able to control by the provider. The details of the declaration are considered confidential, except in cases where secrecy is lifted. Applications that are not accompanied by the required certificates or are not filled in normally will be rejected and the SIM and/or eSIM subscriber ID card will not be activated.
A public consultation was held
The Council of Ministers, in its session, dated 11 June 2025, approved the issuance of the Regulations "On the Identification of Holders and/or Users of SIM Subscriber ID Cards and/or eSIM prepaid mobile telephony services Regulations of 2025" and approved their submission to Parliament for approval. As stated in a relevant accompanying text, the content of the Regulations was prepared by the Commissioner for Communications and put up for public consultation during the period from 21/10/2024 to 18/11/2024, which was open to all interested parties.
Prior to the launch of the public consultation, a consultation was carried out with the Deputy Ministry of Research, Innovation and Digital Policy, the Ministry of Justice, the Central Intelligence Service and the Cyprus Police. In addition, before the end of the public consultation, the Commissioner for Personal Data Protection was consulted. Subsequently, a legal and technical audit of the relevant Regulations was carried out by the Legal Service.
