CySEC Marketing and Communications Compliance: The 2026 Guide for CIFs and Cyprus-Licensed Brokers

Sedric Team

TL;DR — CySEC (the Cyprus Securities and Exchange Commission) supervises Cyprus Investment Firms (CIFs) and other licensed entities under a tightly EU-harmonised framework: MiFID II / MiFIR, the Investment Services and Activities and Regulated Markets Law (Law 87(I)/2017), the ESMA CFD product-intervention measures CySEC has made permanent in Cyprus, and the supporting CySEC Circulars. This pillar covers the marketing-specific surface: the MiFID II Article 24 fair-clear-not-misleading standard, the CFD leverage caps and standardised risk warning, investor categorisation, the retail bonus prohibition, and affiliate and finfluencer supervision. The companion pillars cover Article 16(7) call recording and electronic communications and the MiCA framework for Cyprus-licensed CASPs.

Table of contents

  • What CySEC marketing compliance is, and who it applies to
  • The regulatory framework
  • MiFID II's fair, clear, and not misleading standard
  • CFDs and leveraged products: the ESMA / CySEC product-intervention regime
  • The standardised risk-warning requirement
  • Investor categorisation: retail, professional, eligible counterparty
  • Bonuses, inducements, and aggressive marketing
  • Influencer, affiliate, and introducer marketing
  • CySEC enforcement patterns in marketing supervision
  • Building a CySEC marketing-compliance programme
  • How Sedric helps with CySEC marketing compliance
  • FAQ

What CySEC marketing compliance is, and who it applies to

CySEC marketing compliance is the discipline by which Cyprus-licensed regulated entities — primarily Cyprus Investment Firms (CIFs) — ensure that every promotional communication directed at clients and prospects complies with MiFID II, the local Investment Services and Activities and Regulated Markets Law of 2017 (Law 87(I)/2017), the ESMA product-intervention measures CySEC has rendered permanent for Cyprus, and the CySEC Circulars that implement those frameworks operationally. The scope covers websites, paid digital media, search and social ads, video, podcasts, affiliate and introducer content, finfluencer arrangements, sponsorships, and any other communication that promotes the firm's regulated activity.

The framework applies to a wide and diverse population of licensed firms:

  • CIFs authorised under Law 87(I)/2017 to provide investment services and activities (reception/transmission of orders, execution of orders, dealing on own account, portfolio management, investment advice, underwriting, placing, and operation of multilateral or organised trading facilities).
  • UCITS Management Companies and the UCITS funds they manage.
  • Alternative Investment Fund Managers (AIFMs) and the AIFs they manage, including AAIFMs (Small AIFMs).
  • Administrative service providers registered under the local law.
  • Crypto-asset service providers (CASPs) authorised under MiCA — covered in the separate CySEC MiCA pillar.

The substantive marketing standards travel with the licence. A CIF marketing CFDs and forex to a retail client in Germany, Spain, Greece, or any other Member State must apply the CySEC-supervised MiFID II framework to that activity — and the host-state NCA may also assert competence over how the marketing reaches consumers in its jurisdiction. Cross-border passporting does not reduce the substantive supervisory obligations; it adds host-state expectations on top.

The regulatory framework

CySEC marketing compliance is built from a stack of EU and national instruments that interact closely. The core layers, in order of weight for marketing:

1. MiFID II and MiFIR

Directive 2014/65/EU (MiFID II) and Regulation (EU) 600/2014 (MiFIR), together with the MiFID II Delegated Regulation (EU) 2017/565 and the supporting Commission Delegated Acts. Articles 24 (general principles and information to clients) and 25 (assessment of suitability and appropriateness) are the central substantive marketing provisions.

2. The Cyprus Investment Services and Activities and Regulated Markets Law (Law 87(I)/2017)

The Cyprus transposition of MiFID II. It restates MiFID II's substantive requirements into Cyprus law, gives CySEC the supervisory and enforcement powers it needs to apply them, and adds Cyprus-specific procedural detail.

3. ESMA product-intervention measures, made permanent by CySEC

The ESMA Decisions of 2018 imposed temporary product-intervention measures on the marketing, distribution, and sale of contracts for difference (CFDs) and binary options to retail clients across the EU. ESMA's measures expired in 2019, and most National Competent Authorities — including CySEC — adopted permanent national product-intervention measures that mirror the ESMA framework. Binary options remain prohibited for retail distribution; CFDs are subject to leverage limits, a margin close-out rule, negative-balance protection, a ban on monetary and non-monetary benefits for retail clients, and the standardised risk warning.

4. CySEC Circulars and Directives

CySEC publishes Circulars that interpret and operationalise the substantive framework. Marketing-relevant Circulars include those addressing risk-warning content and prominence, professional-client categorisation, the ban on inducements for retail clients, marketing communications on social media, and the introducer/affiliate model. CySEC Circulars state the supervisory expectations against which CIFs are examined.

5. ESMA and Joint Committee guidance

ESMA's Q&A documents, guidelines, and opinions are not binding law but are persuasive in CySEC supervision. ESMA work directly relevant to CySEC marketing supervision includes guidelines on marketing communications under cross-border distribution of investment funds, the use of social media in financial promotions, finfluencer activity, and best-execution disclosures.

MiFID II's fair, clear, and not misleading standard

Article 24(3) of MiFID II is the central substantive standard for CIF marketing: all information addressed to clients or prospective clients, including marketing communications, must be fair, clear, and not misleading. Marketing communications must be clearly identifiable as such.

The standard is articulated through the MiFID II Delegated Regulation, particularly Article 44, which lays out concrete requirements for information to retail clients. A communication satisfies the standard only when all of the following are true:

  • The information is accurate and presents prominently any risks where it references benefits.
  • The font, format, and prominence treatment of risk information matches that of benefits. Burying risk in low-contrast or smaller-font disclosure is a substantive failure, not a cosmetic one.
  • The information does not disguise or diminish important items.
  • Comparative information is fair: comparisons between products, between firms, between time periods, or between strategies must be on like-for-like terms, with sources cited and methodology disclosed.
  • Past-performance information includes specified disclosures and the mandatory caveat ("Past performance is not a reliable indicator of future results"). Performance figures must cover specified time periods consistent with the requirement.
  • The communication identifies the CIF, the products, the regulatory status of the CIF and its services, and the relevant supervisory authority.
  • For complex or high-risk products — most relevantly CFDs and other leveraged derivatives — additional risk-warning, leverage-disclosure, and balance-protection content is mandated.

The standard is principles-based: examiners look at communications holistically, considering the audience, the channel, and the context. A standard a sophisticated institutional audience can be expected to interpret is not the standard that applies to retail social-media advertising. The retail-facing standard is materially higher.

CFDs and leveraged products: the ESMA / CySEC product-intervention regime

Cyprus is one of the EU's largest hubs for retail CFD and leveraged-forex brokerage. The marketing-compliance regime CySEC applies to this segment is correspondingly detailed. The substantive elements come from the ESMA Decisions of 2018 (which were time-limited and have been made permanent in Cyprus by a CySEC national product-intervention measure):

Leverage limits for retail clients

Maximum leverage levels on CFDs for retail clients, by underlying asset class:

[Figure: Retail CFD leverage caps by underlying asset class under the ESMA / CySEC product-intervention framework.]

  • 30:1 for CFDs on major currency pairs.
  • 20:1 for CFDs on non-major currency pairs, gold, and major equity indices.
  • 10:1 for CFDs on commodities other than gold and non-major equity indices.
  • 5:1 for CFDs on individual equities and any other underlying that is not specifically listed elsewhere.
  • 2:1 for CFDs on cryptocurrencies.

Marketing that misrepresents the leverage levels available to retail clients — for example, by displaying institutional-grade leverage prominently while burying the retail caps in fine print — is a substantive breach, not a presentation defect.

Margin close-out rule

CIFs must close out a retail client's open CFD position when margin equity falls below 50% of the initial margin required, on a per-account basis. Marketing communications cannot suggest the absence of close-out, or imply that clients can lose more than their deposit by leaving positions open.

Negative-balance protection

Retail clients cannot lose more than the total funds in their CFD trading account, on a per-account basis. Marketing communications must not contradict this protection. Promotions that imply "unlimited downside" or "you can lose more than you deposit" mischaracterise the protection retail clients in fact enjoy.

Ban on monetary and non-monetary benefits

CIFs are prohibited from offering monetary or non-monetary benefits to retail clients in connection with their CFD trading — bonuses, deposit-matching incentives, rebates, free trades, lifestyle gifts, or any other inducement designed to attract or retain the retail client. This is one of the most-cited categories in CySEC enforcement against CIFs.

Ban on aggressive marketing

The framework prohibits marketing practices considered aggressive in the retail context — high-pressure language, urgency claims, pseudo-personalised messaging suggesting unique opportunities, and any framing that misrepresents the risk of loss.

The standardised risk-warning requirement

The ESMA / CySEC product-intervention framework mandates a standardised, prescribed-text risk warning for CFD marketing communications. The warning must be displayed with the same prominence as the dominant claim of the communication. It states, in substance, that CFDs are complex instruments, that they come with a high risk of losing money rapidly due to leverage, and that a specified percentage of retail-client accounts at the specific firm have lost money trading CFDs. The percentage is firm-specific and updates on a regular cadence based on the firm's own client data.

Operational implications of the warning regime:

[Figure: The four elements every CFD promotion's risk warning must carry.]

  • Every marketing surface that promotes CFD trading — website, paid digital, social, video, podcast, finfluencer content, partner content, email — must carry the warning at the required prominence.
  • The percentage figure must be the CIF's own current statistic. The figure is recalculated on a quarterly basis covering the preceding 12-month period. Using a market-average figure, an older statistic, or a competitor's figure is a substantive breach.
  • Truncated, abridged, or stylised versions of the warning ("Risk warning: CFDs are risky") do not satisfy the standard.
  • The warning must appear in the same medium as the marketing — not in a separate page reached only by following a link, not in a hover state, and not in a small-text footer the consumer cannot reasonably be expected to read.

Risk-warning compliance is one of the most-tested elements in a CySEC marketing examination. Examiners systematically sample marketing surfaces and check the warning's presence, accuracy, and prominence, and the underlying calculation of the firm-specific loss percentage.

Investor categorisation: retail, professional, eligible counterparty

The MiFID II investor-categorisation framework — retail clients, professional clients (per-se or elective), and eligible counterparties — is the operational axis that determines which marketing protections apply to which audience. The marketing standards that bind a CIF's retail-targeted promotions do not, in many cases, bind its institutional-facing equivalents.

Retail-to-professional reclassification is one of the highest-risk areas in CySEC supervision. The framework permits a retail client to be reclassified as elective professional only when the client meets specific quantitative and qualitative tests (typically a combination of trading frequency, portfolio size, and relevant professional experience), and only after the firm conducts a documented assessment. The temptation in some segments has been to use the reclassification process to strip retail protections — leverage caps, the bonus prohibition, the close-out rule, the risk warning — from clients who do not genuinely meet the test.

CySEC has been clear in supervisory communications that:

  • The retail-to-professional reclassification process is not a marketing tool. Inviting retail clients to "upgrade" to professional status for the purpose of obtaining higher leverage or other inducements is not a defensible practice.
  • The CIF must document the quantitative and qualitative tests, the supporting evidence, and the rationale for the reclassification, on a per-client basis.
  • The firm must give clear and prominent disclosure of the protections the client gives up by accepting professional status.
  • Aggregate professional-client populations whose composition appears statistically improbable given the firm's marketing footprint will attract supervisory attention.

The categorisation regime is enforceable in itself, separately from any breach of the underlying marketing or product rules. A CIF that mis-categorises clients can be cited even where the downstream marketing or trading conditions would have been defensible against a properly categorised population.

Bonuses, inducements, and aggressive marketing

Bonus and inducement marketing is the area where retail-focused CIFs have most frequently come under enforcement. The substantive prohibitions:

  • Deposit bonuses, deposit-match offers, rebates, and similar monetary inducements to retail clients on CFD products are prohibited under the CySEC product-intervention measure.
  • Non-monetary inducements — free trading days, premium-account benefits, free signals, gifts, lifestyle prizes — are equally caught when offered as an incentive to open or fund retail accounts.
  • "Refer a friend" and similar referral programmes that pay the referring client are subject to the same regulatory analysis. CySEC has indicated that affiliate-style payments to retail clients trigger the same conduct concerns as bonuses paid directly.
  • Cash-back and "no-loss" guarantees misrepresent the nature of leveraged trading and breach the fair-clear-not-misleading standard.
  • "Risk-free demo to live conversion" promotions are scrutinised closely. The substance of the framing has to be honest about the difference between demo-account performance and live-account performance.

Aggressive marketing — high-pressure sales calls, repeated unsolicited approaches, urgency language ("offer ends in 24 hours"), false scarcity, and pseudo-personalised messaging — is also caught. The standard extends across channels: outbound calls, email, in-app push, social DMs, and affiliate-distributed communications. The detection and supervision side of this — the conversations themselves — sits inside the CySEC Communications Compliance pillar.

Influencer, affiliate, and introducer marketing

CIFs running affiliate programmes, introducer arrangements, or finfluencer campaigns sit inside the same substantive marketing framework as their direct communications. The CIF is responsible for the content of marketing distributed on its behalf, and CySEC has been increasingly clear about the operational expectations:

  • Pre-publication review. The CIF must review and approve content before the third party publishes, retain a record of the approved version, and supervise compliance with the approved scope after publication.
  • Disclosure of the commercial relationship. Promoter content must clearly disclose that the promoter is being compensated by the CIF. Disclosure in a bio link or a separate post is generally insufficient.
  • Risk-warning carry-through. The standardised CFD risk warning travels with the marketing. A finfluencer post that promotes a CIF's CFD product without the warning, at the required prominence, is non-compliant — and the CIF is responsible.
  • No bonus or aggressive-marketing arrangements. Affiliate compensation structures that effectively recreate the prohibited bonus framework — for example, paying the promoter a per-deposit fee that the promoter passes through to the client — are subject to look-through analysis.
  • Cross-border targeting. An affiliate in another EU Member State distributing the CIF's content to that Member State's residents brings host-state supervision into play.
  • Retention. Marketing distributed by affiliates and finfluencers is part of the CIF's books and records under MiFID II Article 16 and the firm must be able to produce the content, the approval record, and the supervisory log on examiner request.

The same operational framework is covered in detail, with cross-jurisdictional analysis, in our finfluencer compliance pillar and the partner and affiliate compliance pillar.

CySEC enforcement patterns in marketing supervision

CySEC enforcement against CIFs has built consistently over the past several years. The pattern is dominated by retail-trading firms, and the marketing-side categories of finding are recognisable across cases:

  • Risk-warning failures. Missing warning, incorrectly calculated loss-percentage, sub-prominent warning, abridged warning, or warning omitted from affiliate content.
  • Bonus and inducement breaches. Direct bonuses, deposit-match promotions, premium-account inducements, refer-a-friend payments that look like prohibited inducements, and look-through breaches in affiliate compensation.
  • Mis-categorisation of retail clients as professional. Either no documented test, or a test that does not in fact support the professional status, or marketing the upgrade as a way to obtain higher leverage.
  • Aggressive marketing. High-pressure sales-call practices, false urgency, scarcity claims, and pseudo-personalised messaging.
  • Marketing through unauthorised channels. CIFs whose marketing reaches jurisdictions where the firm is not passported.
  • Affiliate and introducer supervision gaps. Affiliates publishing non-compliant content; no pre-publication review; no retained record of approvals; bonus-style payments through the affiliate channel.
  • Outdated or non-conforming professional disclosures. The periodic loss-percentage figure not updated, the firm's licensed-services description inaccurate, the regulatory-status disclosure absent.

CySEC's enforcement toolkit includes administrative fines (under the CIF Law and related instruments), withdrawal or suspension of authorisation, restrictions on the firm's activities, and public notices. Beyond CySEC, the firm also faces host-state regulator scrutiny in any Member State where its marketing reaches consumers and a national NCA asserts host-state competence.

Building a CySEC marketing-compliance programme

A defensible CySEC marketing-compliance programme has four operational pillars on the marketing side. (The fifth — capture and supervision of recorded communications — sits in the Communications Compliance pillar.)

[Figure: The four pillars of a defensible CySEC marketing compliance programme.]

1. A policy library mapped to the framework

Every layer of the marketing regulatory stack should be reflected in the firm's marketing policy: MiFID II Article 24 and the Delegated Regulation Article 44 substantive requirements, the CySEC product-intervention measure on CFDs, the risk-warning text and prominence rules, the categorisation framework, the inducement prohibition, and the affiliate-supervision expectations.

2. Pre-publication review with rule-level audit trail

Every advertisement — website, paid digital, social, video, podcast, email, affiliate content, finfluencer post — should pass through pre-publication review against the policy library, with every flag linked to the specific provision and every decision and override logged.

3. Risk-warning enforcement at template level

The standardised CFD risk warning, with the firm's own current loss-percentage figure, should sit in a versioned template library that the marketing platform applies automatically to relevant content. A change in the percentage figure should propagate immediately; a non-compliant variant should be detected and corrected before publication.

4. Affiliate, introducer, and finfluencer supervisory layer

Pre-engagement diligence, written agreement, pre-publication review of every campaign asset, in-flight monitoring for content drift, retention of approval records and published versions, and incident-response and termination procedures. The CIF carries the same supervisory burden over third-party-distributed content as over its own.

How Sedric helps with CySEC marketing compliance

Sedric is the AI compliance platform purpose-built for the marketing side of the regulatory stack CIFs operate inside. Many CySEC-licensed CIFs and brokerage firms run Sedric for marketing review across direct and affiliate channels.

A CySEC-aware policy library. Sedric's rule library is mapped to MiFID II Article 24, the Article 44 substantive marketing requirements, the CySEC CFD product-intervention measure, the standardised risk warning, the categorisation framework, the inducement and aggressive-marketing prohibitions, and the affiliate-supervision expectations. The library is configurable so the CIF can layer its own product-specific and language-specific overlays on top.

Pre-publication review across every channel and language. Every advertisement — website, paid digital, social, video, podcast, email, RFP response, partner content, finfluencer post — is reviewed in real time. Sedric processes content in the languages CIFs actually market in across the EU — English, Greek, German, French, Italian, Spanish, Portuguese, Dutch, Polish, Romanian, and others.

Risk-warning enforcement at the asset level. The platform validates the presence, accuracy (firm-specific loss-percentage figure), and prominence of the standardised CFD risk warning on every published asset — including affiliate-distributed content where the CIF has carried-through supervisory responsibility. Outdated percentage figures are flagged.

Affiliate, introducer, and finfluencer supervision. The platform extends the same review-and-audit framework to third-party content, with diligence, written-agreement tracking, pre-publication review, post-publication monitoring, and retention.

Audit-ready export. Every flag, citation, decision, override, and approval is logged with timestamp and attributable decision-maker. The export is what a CySEC examiner asks for, in the form expected.

For CIFs that already run Sedric for marketing review, the natural next step is the communications-surveillance side — call recording supervision under Article 16(7), MAR market-abuse surveillance, and the rest of the post-publication interaction layer. That part of the programme is covered in the dedicated CySEC Communications Compliance pillar. For CIFs that also operate under MiCA as CASPs, the CySEC MiCA Compliance pillar covers the crypto-specific overlay.

Frequently asked questions

What is CySEC, and what does it regulate?

The Cyprus Securities and Exchange Commission (CySEC) is the National Competent Authority for the financial-services sector in Cyprus, established in 2001. It supervises Cyprus Investment Firms (CIFs), UCITS Management Companies, AIFMs, AAIFMs, administrative service providers, and crypto-asset service providers (CASPs) under MiCA.

What is a CIF, and how does the licence work?

A CIF is a Cyprus Investment Firm authorised by CySEC under the Investment Services and Activities and Regulated Markets Law of 2017 (Law 87(I)/2017) to provide one or more investment services or activities. A CIF licence is passportable across the EEA, allowing the firm to operate cross-border subject to host-state procedures.

Does the ESMA CFD product-intervention measure still apply?

Yes. The ESMA Decisions of 2018 were originally time-limited, but CySEC (along with most other EU NCAs) has issued a national product-intervention measure that makes the ESMA framework permanent for Cyprus-licensed firms. The leverage caps, margin close-out rule, negative-balance protection, ban on monetary and non-monetary benefits to retail clients, and the standardised risk warning all remain in force.

What is the standardised risk warning for CFDs?

The risk warning is a prescribed-text statement that must accompany CFD marketing communications. It states, in substance, that CFDs are complex instruments, that they involve a high risk of losing money rapidly due to leverage, and that a specified percentage of retail-client accounts at the marketing firm have lost money. The percentage is firm-specific, recalculated on a quarterly basis covering the preceding 12-month period, and must appear with the same prominence as the dominant marketing claim.

Can a CIF offer bonuses to retail clients?

No. The CySEC product-intervention measure prohibits monetary and non-monetary benefits to retail clients in connection with CFD trading. Deposit bonuses, deposit-match offers, rebates, premium-account inducements, and lifestyle prizes are all caught. The prohibition extends to affiliate compensation structures that effectively re-create the bonus framework through the affiliate channel.

How does the retail-to-professional reclassification work?

A retail client may be reclassified as an elective professional only when the client meets specific quantitative criteria (typically trading frequency, portfolio size, and relevant professional experience) and qualitative criteria, and only after the CIF conducts a documented assessment. The CIF must give clear prior disclosure of the protections the client gives up. CySEC has been clear that the reclassification process is not a marketing tool to bypass the retail leverage caps or the bonus prohibition.

Does CySEC supervision reach affiliate and finfluencer content?

Yes. The CIF is responsible for the content of marketing distributed on its behalf, regardless of whether the publisher is the CIF itself, an affiliate, an introducer, or a paid finfluencer. The CIF must conduct pre-engagement diligence on the third party, enter into a written agreement, pre-approve the content, supervise compliance post-publication, and retain the records.

What happens if our marketing reaches retail consumers in another EU Member State?

The CIF's substantive marketing obligations under MiFID II travel with the marketing. In addition, the host-state NCA in the consumer's jurisdiction may assert competence over consumer-facing aspects of how the marketing reaches the relevant audience. Passporting the licence does not exhaust the compliance footprint.

How are CySEC marketing examinations conducted?

CySEC examinations are document- and evidence-led. Examiners typically request the firm's marketing policies, samples of marketing communications across channels, the supervisory-review log, the risk-warning template and the underlying loss-percentage calculation, the books-and-records retention configuration, and the affiliate and introducer agreements and supervisory file. A CIF that can produce all of these on demand in the form examined is in a defensible posture.

What about Article 16(7) call recording and electronic communications?

Call recording, electronic-communications retention, and the supervisory review over captured archives sit in the Communications Compliance pillar. See CySEC Communications Compliance: The 2026 Guide for CIFs for the full framework.

What's the relationship between this regime and MiCA for crypto firms?

MiCA (the Markets in Crypto-Assets Regulation) applies to CASPs and to issuers of crypto-assets in scope. CySEC is the National Competent Authority for MiCA in Cyprus and supervises CASPs alongside CIFs. The marketing framework for crypto products under MiCA is covered in the dedicated CySEC MiCA Compliance pillar.

Operationalising CySEC marketing compliance?

Sedric is the AI compliance platform purpose-built for the marketing-supervision regime CIFs operate inside. Our platform reviews every advertisement against the CySEC and MiFID II framework before it ships, enforces the standardised CFD risk warning across every channel and language, and supervises affiliate and finfluencer content end-to-end.

Book a working session with our team and we'll walk through your real content — with citations to the specific MiFID II provision or CySEC measure for every flag, and a sample of the audit export your firm would hand to a CySEC examiner.
