NIS2 Greece: what you need to know about compliance and certification

NIS2 Greece

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU. Because of the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and the Council of 14 December 2022, which imposes stricter requirements and applies a broader scope to increase the resilience of critical infrastructures to cyber attacks.

The NIS2 directive was transposed into Greek law through the cybersecurity law 5160/2024, which was published in the Official Gazette on 27 November 2024 and has been in force since 28 November 2024. In addition to the primary cybersecurity law, there is secondary legislation such as Ministerial Decree 1645/2025 on Entity Registration dated 15 April 2025 and Ministerial Decree 1689/2025 on Cybersecurity Requirements dated 6 May 2025.

On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how to prepare for the new regulations.


NIS2 entities

The Greek cybersecurity law applies to both legal and natural persons, collectively referred to as ‘entities’, registered in Greece and providing products and/or services in an EU country. The Greek cybersecurity law adopts the scope of the NIS2 directive.

The cybersecurity law explicitly defines which public and private entities are subject to cybersecurity obligations. For this purpose, a distinction is made between essential entities and important entities. To categorise entities, the services offered, the size of the entity and the location of the entity are taken into account.

In essence, your entity falls under the Greek cybersecurity law when:

  • Your organisation provides services within a sector listed in Annex I and Annex II of the cybersecurity law;
  • Your organisation exceeds the thresholds for medium-sized enterprises; and
  • Your organisation is based in Greece (with the exception of providers of public electronic communication networks and providers of public electronic communication services, which are covered by the Greek cybersecurity law if they provide services on Greek territory).

Criterion 1: services provided

Annex I and II of the Greek cybersecurity law describe the sectors that fall within its scope. It is therefore very important to thoroughly analyse the services you deliver to third parties by (sub)sector.

Annex I: Very critical sectors

  • Energy (electricity; district heating and cooling; oil; gas; hydrogen)
  • Transport (air; rail; water; road)
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Annex II: Other critical sectors

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Manufacture, processing and distribution of food
  • Manufacturing (medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment n.e.c.; motor vehicles, trailers and semi-trailers; other transport equipment)
  • Digital providers
  • Research

If your organisation provides a service in one of the sectors listed above, it may fall within the scope of the cybersecurity law.

Criterion 2: company size

In addition to the services provided, the size of the entity is also important in determining whether your organisation falls within the scope of the Greek cybersecurity law. Click here to determine whether your organisation is a small, medium, or large enterprise. In principle, medium-sized and large enterprises must comply with the obligations under the cybersecurity law.

In addition, the law also applies to the following specific providers, regardless of the size of the entity. They are:

  • Providers of public electronic communication networks or services
  • Central government agencies
  • Providers of trust services
  • Managers of domain name registries
  • DNS providers

Moreover, the law also applies to entities, regardless of their size, if their activities are crucial to society or the economy. This is the case if:

  • They provide services essential to critical social or economic functions that are not provided by other providers
  • A disruption of their services would have a significant impact on public order, security or public health
  • An incident at them could cause systemic risks with cross-border implications
  • They are of strategic or vital importance at a national or regional level, for example due to dependencies in other sectors

Criterion 3: established entity in Greece

In principle, the Greek cybersecurity law only applies to entities with an establishment in Greece. By way of exception, however, the following entities are also subject to the Greek cybersecurity law:

  • Providers of public electronic communication networks or providers of public electronic communication services offering their services in Greece;
  • DNS service providers, top-level domain name registries, entities that provide domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines or social networking service platforms, if they have their principal place of business in Greece or if they have their EU legal representative in Greece in case they do not have an establishment within the EU;
  • Public bodies established by Greece.

In addition to the three criteria above, bear in mind when analysing the scope of the cybersecurity law that an organisation outside the NIS2 scope may still be affected by it, either because the national authority designates it as an essential or important entity or because it belongs to the supply chain of an NIS2 entity.

Determine whether your organisation falls within the scope of the Greek cybersecurity law using the scope test.

What does this mean for my business?

1. Registration

The supervisory authority must maintain a list of essential and important entities under its jurisdiction. Essential and important entities should register with the supervisory authority by forwarding the following entity details to register.ncsa@cyber.gov.gr:

  • Name of the entity
  • Sector and subsector (see Annex I and II of the Cybersecurity Law)
  • Address of its headquarters and other legal offices in the EU or, if it is not located there, the address of its representative
  • Email addresses, telephone numbers and other contact details
  • List of EU Member States where the entity provides services
  • IP address range

Changes to the above data should be reported without delay and in any event within 3 months of the change.

Registration of your entity should be done no later than 30 May 2025.

2. Management measures

If your organisation is categorised as an essential or important entity, you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems. These cybersecurity risk management measures cover at least:

  • Risk analysis and security policies for communication networks and information systems
  • Incident management
  • Business continuity and crisis management and, if necessary, the use of secure backup systems
  • Supply chain security
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability response and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • Security aspects regarding cyber hygiene and cybersecurity training
  • Policies and procedures on cryptography and, where appropriate, encryption
  • Personnel security, access control policies and asset management
  • Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and secure emergency communication systems within the entity, where applicable.

The European Commission has elaborated the above minimum cybersecurity measures in the implementing regulation 2024/2690 for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, and trust service providers.

More information on management measures can be found here.

3. Reporting obligation of significant incidents

Essential and important entities are required to notify the CSIRT and the national cybersecurity authority when a significant incident occurs. In addition, they must also notify the recipients of their services if the significant incident affects the provision of services concerning Annex I and II (sub-)sectors.

An incident is considered significant if:

  • The incident has led or may lead to serious disruption of services or financial losses for the affected entity or
  • The incident has affected or may affect other natural or legal persons by causing significant physical or immaterial damage.

The significant incident is reported by the essential and important entity through an online form according to the following procedure:

  1. Without delay and in any event within 24 hours of becoming aware of the significant incident, the entity submits an early warning, indicating the probable cause and any cross-border impact;
  2. Without delay and in any event within 72 hours of becoming aware of the significant incident, the entity submits an incident report that includes an update of the information provided and an initial assessment of the incident;
  3. At the request of the competent CSIRT, the entity submits an interim report;
  4. No later than 1 month after the incident report, the entity submits a final report indicating:
    • A detailed description of the incident, as well as its severity and consequences;
    • The type of threat or root cause likely to have led to the incident;
    • Risk mitigation measures applied and ongoing;
    • The cross-border impact of the incident, if applicable.
  5. If the incident is still ongoing one month after the incident report, the entity submits a progress report instead, and the final report is submitted within one month of the incident being resolved.

The European Commission has defined the criteria for a significant incident in the implementing regulation 2024/2690 for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, and trust service providers. These special rules take precedence over national rules in case of inconsistencies.

Finally, all entities, regardless of whether they fall within the scope of the cybersecurity law, can voluntarily report (significant) incidents, cyber threats and near-incidents via the e-service.

More information regarding incident reporting can be found here.

4. Management obligations and responsibilities

The governing bodies of essential and important entities are responsible for compliance with the Cybersecurity law and must fulfil several obligations including:

  • Approving cybersecurity management measures and monitoring their compliance
  • Undergoing training to have sufficient knowledge and skills to identify risks and assess control measures and their impact on their services
  • Ensuring ongoing cybersecurity training of the entity’s employees, at least annually

Governing bodies are liable for non-compliance with the cybersecurity law.

5. Cooperating with authorities

Essential and important entities should cooperate with national authorities. This concerns the exchange of information on the security of network and information systems, reporting incidents, cooperation with the inspection services, etc.

How can I demonstrate that my company complies with NIS2 legislation?

As indicated in the ‘Enforcement and sanctions’ section, competent authorities inspect essential and important entities for compliance with the cybersecurity law.

Entities are inspected for compliance with the Greek cybersecurity law. Demonstrating compliance relies on European and international standards related to the security of network and information systems; however, the cybersecurity law does not specify which standards frameworks it accepts.

An important international standard that can be used for this purpose is ISO/IEC 27001. As an entity, you can have an independent audit carried out by an accredited conformity assessment body (CAB). Based on this independent conformity assessment, the entity can obtain a certificate demonstrating its cybersecurity compliance to stakeholders.

If you would like more information on certification, you can make an appointment with an expert here.

Enforcement and sanctions

The National Cybersecurity Authority conducts inspections on cybersecurity entities’ compliance with the requirements stipulated in the cybersecurity law. For this purpose, a distinction must be made between essential and important entities:

  • Essential entities are inspected both proactively (ex-ante) and reactively (ex-post) and are required to have regular compliance assessments.
  • Important entities are in principle only monitored reactively, following an incident or suspected non-compliance with the law.

The Greek cybersecurity law provides for specific sanctions for entities that do not comply with the legal provisions. These sanctions vary according to the nature and severity of the breach and are divided into administrative measures and administrative fines.

Possible administrative measures that can be imposed include issuing warnings, temporarily prohibiting the performance of managerial functions, requiring the entity to take certain measures and so on.

Administrative fines are also laid down by law and can amount to up to:

  • €10,000,000 or 2% of the annual global turnover for essential entities
  • €7,000,000 or 1.4% of the annual global turnover for important entities.

In addition, the Greek cybersecurity law imposes additional fines for violations of certain paragraphs of Articles 24 and 25 of up to €1,000,000 and €700,000 respectively. Finally, additional administrative fines between €20,000 and €500,000 can also be imposed on entities for breaches formulated in Article 26 paragraph 9.

Timeline

  • 17 October 2024: Initial deadline for EU member states to transpose NIS2 directive into national law
  • 28 November 2024: Greek Cybersecurity Law enters into force
  • 28 February 2025: Board approval of risk management measures
  • 30 May 2025: Entity must register with competent authority

Competent authorities

As part of the implementation of the NIS2 Directive in Greece, several competent authorities have been designated to implement and enforce the national cybersecurity law.

The Ministry of Digital Governance has the central coordination and policy role for cybersecurity. This ministry is responsible for developing the national strategy and overall oversight of the law.

The National Cyber Security Authority (NCSA), which falls under the Ministry of Digital Governance, is the official supervisory and regulatory body for cybersecurity in Greece. The NCSA monitors the application of the law, conducts inspections, imposes sanctions for non-compliance and oversees the assessment of the security measures of essential and important entities.

The Greek Data Protection Authority (DPA) also plays a role when cybersecurity incidents involve personal data, ensuring coordination with the obligations under the GDPR.

The law also provides for cooperation between different competent authorities, both nationally and internationally.