Overview of the NIS2 Law in Greece: A comparison with the NIS2 Directive

On November 27, 2024, Greece published Law 5160/2024 (“Greek NIS2 Law”) to transpose the EU NIS2 Directive (Directive (EU) 2022/2555) into Greek legislation. The new law adopts the core principles of the NIS2 Directive and introduces various local nuances concerning public administration, deadlines, and enforcement methods. Below is an overview of its key provisions, focusing on how it aligns with or differs from the NIS2 Directive and what organizations need to do to comply.

The Greek NIS2 Law follows the EU NIS2 Directive closely; however, it does specify some new requirements — for example, nominating the security officer, submitting a cybersecurity policy to the authorities, and keeping a comprehensive inventory.

Basics of the Greek NIS2 Law

The full title of the law is “Incorporation of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity throughout the Union,” and it can be found at this link: https://search.et.gr/el/fek/?fekId=774154.

Greece’s NIS2 Law replaces earlier cybersecurity rules, such as those in Law 4577/2018, and aims to safeguard critical infrastructure and essential services. It designates a National Cybersecurity Authority for oversight and sets out technical, organizational, and governance measures.

Similarities and differences

The following table highlights major aspects in which the Greek NIS2 Law compares to the NIS2 Directive:

Aspect: how the Greek NIS2 Law (Law 5160/2024) compares to the EU NIS2 Directive

Which companies must comply: The same criteria as in NIS2, but only for companies registered in Greece; the exception is providers of electronic communication networks or services. The law explicitly defines which smaller companies also need to comply.

Deadlines for compliance: Took effect in late November 2024. Entities newly within scope must register with the National Cybersecurity Authority within two months of the law’s entry into force.

Responsibilities of senior management: The same as NIS2.

Importance of training: The same as NIS2.

Risk-based approach: The same as NIS2.

Cybersecurity measures: The same as NIS2.

Supply chain security: The same as NIS2.

Incident reporting: The same as NIS2, but the National CERT is the main contact point.

Using certified IT products/services: The same as NIS2.

Supervision & enforcement: The National Cybersecurity Authority may conduct audits, request documentation, and impose corrective measures. Joint or sectoral oversight may be applied.

Fines: The same as NIS2.

Completely new requirements: Appointing an Information and Communication Systems Security Officer (ICSECO) as the main person responsible for compliance. Submitting the cybersecurity policy to the National Cybersecurity Authority. Keeping a comprehensive inventory of tangible and intangible assets. Appointing a representative in the European Union for digital infrastructure companies.

Which companies must comply

All of the same sectors listed in Annexes I and II of the NIS2 Directive are included in the Greek law, so medium and large companies involved in energy, transport, financial services, health care, digital infrastructure, and similar areas are affected.

Smaller organizations also fall within scope if they provide a unique or critical service. The legislation explicitly refers to public administration entities, including certain municipalities and other state bodies, if they deliver essential public services or are deemed critical for the country’s functioning.

Deadlines

The legislation became effective upon publication in November 2024. Entities newly designated as essential or important under the law must register specific details, such as contact information, IP ranges, and domain names, with the National Cybersecurity Authority.

A two-month window is generally set for that registration, although in practice the Authority may extend or refine the timeline for various compliance steps. Beyond registration, the law’s obligations (risk management, governance, and incident reporting) start applying once an entity is formally identified or self-declares its in-scope status.

Supervision and enforcement

Articles 23 to 25 grant the National Cybersecurity Authority extensive powers. The Authority can request risk assessment reports, carry out onsite inspections, and coordinate with other regulators to ensure a consistent approach across multiple sectors. Where there is evidence of noncompliance, formal notices may be issued and specific corrective actions mandated. If an entity fails to implement those measures or commits repeated violations, more stringent steps might be imposed, possibly including the suspension of an operating license for a critical service.

Fines

Article 26 sets up the penalty regime, which aligns with NIS2 thresholds. For essential entities, administrative fines can go as high as 10 million euros or two percent of global annual turnover, whichever is higher. Important entities face fines up to seven million euros or 1.4 percent of turnover.

While these maximum levels are meant to deter severe breaches, the law also allows for lower fines or warnings in less serious cases. It additionally permits higher sanctions if offenses reoccur or if an organization displays willful noncooperation.

New requirements

Article 15 of the Greek NIS2 Law introduces several requirements that have no direct counterpart in the NIS2 Directive:

  • Appointing an Information and Communication Systems Security Officer – entities must appoint a dedicated ICSECO with appropriate qualifications and expertise, who liaises with the National Cybersecurity Authority, oversees risk-management compliance and incident reporting, and is granted autonomy and resources.
  • Submitting a cybersecurity policy to the National Cybersecurity Authority at least annually – this policy must refer to a set of measures, policies, and procedures for cybersecurity.
  • Keeping a comprehensive inventory of tangible and intangible assets – these are information and communication assets that are prioritized according to their criticality.

Article 18 requires appointing a representative in the European Union for digital infrastructure companies if they are registered outside of the European Union.

Requirements that are the same as in NIS2

Many things in the Greek NIS2 Law are the same as in the EU NIS2 Directive:

However, Article 30 provides for various secondary regulations to be issued on the basis of this NIS2 Law, which will specify cybersecurity and other obligations in more detail.

Greece’s NIS2 Law vs. the EU NIS2 Directive

Law 5160/2024 ensures that Greece meets the EU’s expectations under NIS2, bringing consistency to how essential and important entities manage cybersecurity risks, report incidents, and face potential sanctions. Certain local distinctions, such as explicit coverage of additional public administration bodies and detailed registration, adapt the directive’s requirements to Greece’s administrative context. For the companies and organizations involved, timely registration with the National Cybersecurity Authority and a thorough implementation of risk-based security are now paramount, backed by considerable enforcement powers and significant fines for breaches or negligence.

To find all the documents needed for complying with the NIS2 Directive, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.


Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.