New law aims to crack down on organised crime

By November 10, Cyprus will have joined 160 other countries who demand all users of pay-as-you-go SIM cards to register their identity with legal documentation, or the numbers they may have used for decades will be permanently deactivated.

The stated aim is the fight against organised crime with drug dealers and people smugglers and traffickers ostensibly finding their room for manoeuvre that little bit smaller. And after the murder of Limassol businessman Stavros Demosthenous last week, allegedly partly linked to a mobile phone call by an inmate in Nicosia prison, such a move provides a sense of urgency.

But the desire to reduce anonymous mobile communications has not come without criticism. Some raise data protection concerns, questioning why they should present their ID to a phone company. Others will have serious problems presenting any valid ID, irregular migrants for instance.

Prepaid SIM cards gained popularity in the 1990s as they provided the ability to avoid credit checks and contracts, an ease of purchasing a SIM card in an uncontrolled environment, and they were accessible to minors and those with poor credit. But it was also a perfect opening for organised crime groups – one too good to ignore.

Customers waiting to register their SIM with their ID

The ease of access meant that privacy-seekers caught on quickly. With a degree of anonymity users could abandon the numbers at will. The Los Angeles Times, in 2007, went as far as to label prepaid SIMs cards “aimed at deadbeats”.

Cyprus’ new law will single out everybody – from drug traffickers and irregular migrants to anyone with a secret identity. Providing false information carries heavy penalties, with government fines reaching the €50,000 mark, and possible imprisonment.

As of 2025, some 160 countries worldwide have implemented similar laws. Notably the UK is an exception. Germany strengthened its security measures in 2017 by requiring proof of home address and, for online processes, mandatory video ID verification. That same year, Australia passed a similar legislation and is now planning to integrate digital ID verification.

The law is aimed at ensuring that individuals are acting in good faith, requiring users to submit government-issued documents like IDs, passports or residence permits to verify their details.

It’s a key step in Cyprus’ digital transformation, but public opinion is divided. A 2025 survey by Regula, a company specialising in providing ID verification solutions, found that 34 per cent of the population have concerns about sharing personal legal information online.

The Cyprus Mail spoke to Cyta, who stressed the ease of the procedure.

“It consists of four easy steps; no bureaucracy involved whatsoever. All that the public needs is a form of identification or an ARC [residence] document,” said a Cyta representative. “Immense efforts have taken place to inform the public, because what is at cost here is the phone number they’ve held for possibly 20 years and counting.”

The process can be completed either in-person at one of the shops or online, however, some felt that certain social groups may be at an undeliberate disadvantage.

“Older people might struggle with registration, as could those facing language barriers, poverty, or disabilities that make visiting the branches difficult,” said 23-year-old Alexandra Theodorou.

Although providers said they have taken extensive measures to inform the public about the new requirement, many still remain unaware.

“Honestly, I didn’t even know this was happening until you asked for my opinion,” she said.

Most prepaid SIM card users in Cyprus are refugees and migrant workers. A Cyta spokesperson said that foreigners have been specifically targeted through specialised campaigns by “the distribution of multilingual informative materials and the company’s outreach unit with promoters from South Asian countries”.

Visits to various of their social, work and worship locations were carried out, they created social media campaigns and public signage displays, while most importantly, users received messages on their phones. However, one refugee protection NGO also reported to being uninformed about the new requirement.

“Truthfully we have not heard much about this, newspapers have already got more information that we have been able to,” said the representative, pointing out they were unaware ARCs could be used as ID substitutes.

Sign on a bus telling pay-as-you-go customers to register their SIMs

Another complaint was the lack of transparency about the benefits and the lack of clear communication about why the law was being implemented.

Maria, a 20-year-old university student, said little was done to reassure the public that the government is acting in good faith. Telecom companies have stated that all data will be securely stored securely, for as long as an account is active, but the student was not convinced.

“Existing identity protection laws sound reassuring but may not necessarily translate into effective protection in practice,” she said, calling the policy naïve. “Criminal networks are technologically savvy and can likely bypass such registration systems.”

Data Protection Commissioner, Maria Christofidou, was quick to reassure the public.

“All telecom providers have fulfilled their obligations arising from the general data protection regulations (GDPR),” she told the Cyprus Mail.

She added that a data protection impact assessment was carried out which indicated that all tests for the implementation of appropriate security measures to protect the data and freedoms of prepaid mobile phone users, were in accordance with Articles 35 and 36 of the GDPR, meaning that the public’s data is safely stored.

Nevertheless, a Cyprus digital security authority survey found that in 2024, 47 per cent of businesses fell victim to some form of cyber breach in the past year, underscoring a growing threat to the island’s security. With that information in mind, Theodorou was concerned that the real outcome is the unnecessary surveillance which hits ordinary people the hardest.

And some of those who completed the process in-person are already reporting their discomfort with the procedure.

“I had to hand over my ID to a young shop worker who didn’t explain what happens to my data, who has access to it or for how long,” said 31-year-old Makis Theophanou, who completed the process through epic’s branch.

A different shop worker told the Cyprus Mail that they were not allowed to take photographs of the users’ legal documents during the verification, but the 31-year-old’s experience was different. He said that the shop worker took a photograph of his documents and saved in an endless file with hundreds of more IDs, easily visible to any passerby.

“That made me feel uncomfortable,” he said. “With a sense of helplessness and a seemingly low level of professionalism with which my data was handled, but there’s no realistic alternative.”

Those who work in the field of cybersecurity have an alternative point of view. “Our lives are data-dependent, and such laws can serve public good,” said a cybersecurity officer, who did not wish to be named, adding that our personal data is already everywhere whether we like it or not.

“What I can say is that data collection always benefits companies, but it depends on what kind of data is gathered. I just hope they manage what is at stake.”

Maria may be speaking for many when she says constantly being perceived through the government’s eyes is wearing down the public.

“Mundane acts such as calling a friend leave the impression of being monitored. How far will surveillance go? Is this truly the best way to battle crime?”