On November 27, 2024, Greece published Law 5160/2024 (“Greek NIS2 Law”) to transpose the EU NIS2 Directive (Directive (EU) 2022/2555) into Greek legislation. The new law adopts the core principles of the NIS2 Directive and introduces various local nuances concerning public administration, deadlines, and enforcement methods. Below is an overview of its key provisions, focusing on how it aligns with or differs from the NIS2 Directive and what organizations need to do to comply.
The Greek NIS2 Law follows the EU NIS2 Directive closely; however, it does specify some new requirements — for example, nominating the security officer, submitting a cybersecurity policy to the authorities, and keeping a comprehensive inventory.
Basics of the Greek NIS2 Law
The full title of the law is “Incorporation of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity throughout the Union,” and it can be found at this link: https://search.et.gr/el/fek/?fekId=774154.
Greece’s NIS2 Law replaces earlier cybersecurity rules, such as those in Law 4577/2018, and aims to safeguard critical infrastructure and essential services. It designates a National Cybersecurity Authority for oversight and sets out technical, organizational, and governance measures.
Similarities and differences
The following table highlights major aspects in which the Greek NIS2 Law compares to the NIS2 Directive:
Aspect | Greek NIS2 Law (Law 5160/2024) compared to the EU NIS2 Directive |
Which companies must comply | The same criteria as in NIS2, but only for companies that are registered in Greece; the exceptions are electronic communication networks or services. Explicitly defines which smaller companies also need to comply with the law. |
Deadlines for compliance | Took effect in late November 2024. Entities newly within scope must register with the National Cybersecurity Authority within two months of the law’s entry into force. |
Responsibilities of senior management | The same as NIS2. |
Importance of training | The same as NIS2. |
Risk-based approach | The same as NIS2. |
Cybersecurity measures | The same as NIS2. |
Supply chain security | The same as NIS2. |
Incident reporting | The same as NIS2, but National CERT is the main contact point. |
Using certified IT products/services | The same as NIS2. |
Supervision & enforcement | The National Cybersecurity Authority may conduct audits, request documentation, and impose corrective measures. Joint or sectoral oversight may be applied. |
Fines | The same as NIS2. |
Completely new requirements | Appointing an Information and Communication Systems Security Officer (ICSECO) and the main person responsible for compliance. Submitting cybersecurity policy to the National Cybersecurity Authority. Keeping a comprehensive inventory of tangible and intangible assets. Appointing a representative in the European Union for digital infrastructure companies. |
Which companies must comply
All of the same sectors listed in Annexes I and II of the NIS2 Directive are included in the Greek law, so medium and large companies involved in energy, transport, financial services, health care, digital infrastructure, and similar areas are affected.
Smaller organizations also fall within scope if they provide a unique or critical service. The legislation explicitly refers to public administration entities, including certain municipalities and other state bodies, if they deliver essential public services or are deemed critical for the country’s functioning.
Deadlines
The legislation became effective upon publication in November 2024. Entities newly designated as essential or important under the law must register specific details, such as contact information, IP ranges, and domain names, with the National Cybersecurity Authority.
A two-month window is generally set for that registration, although in practice the Authority may extend or refine the timeline for various compliance steps. Beyond registration, the law’s obligations (risk management, governance, and incident reporting) start applying once an entity is formally identified or self-declares its in-scope status.
Supervision and enforcement
Articles 23 to 25 grant the National Cybersecurity Authority extensive powers. The Authority can request risk assessment reports, carry out onsite inspections, and coordinate with other regulators to ensure a consistent approach across multiple sectors. Where there is evidence of noncompliance, formal notices may be issued and specific corrective actions mandated. If an entity fails to implement those measures or commits repeated violations, more stringent steps might be imposed, possibly including the suspension of an operating license for a critical service.
Fines
Article 26 sets up the penalty regime, which aligns with NIS2 thresholds. For essential entities, administrative fines can go as high as 10 million euros or two percent of global annual turnover, whichever is higher. Important entities face fines up to seven million euros or 1.4 percent of turnover.
While these maximum levels are meant to deter severe breaches, the law also allows for lower fines or warnings in less serious cases. It additionally permits higher sanctions if offenses reoccur or if an organization displays willful noncooperation.
New requirements
There are a couple of new requirements in Article 15 of the Greek NIS2 law when compared to the NIS2 Directive:
- Appointing an Information and Communication Systems Security Officer – entities must appoint a dedicated ICSECO with appropriate qualifications and expertise, who liaises with the National Cybersecurity Authority, oversees risk-management compliance and incident reporting, and is granted autonomy and resources.
- Submitting a cybersecurity policy to the National Cybersecurity Authority at least annually – this policy must refer to a set of measures, policies, and procedures for cybersecurity.
- Keeping a comprehensive inventory of tangible and intangible assets – these are information and communication assets that are prioritized according to their criticality.
Article 18 requires appointing a representative in the European Union for digital infrastructure companies if they are registered outside of the European Union.
Requirements that are the same as in NIS2
Many things in the Greek NIS2 Law are the same as in the EU NIS2 Directive:
- Responsibilities of the senior management – see the details here: What is the NIS 2 Directive? A detailed and straightforward guide
- Importance of training – learn more: How to perform training and awareness according to NIS 2
- Risk-based approach to cybersecurity – learn more: The 8 most important cybersecurity and reporting requirements in NIS2
- Cybersecurity as a mixture of technical, operational, and organizational measures – see also: List of required documents according to NIS 2
- Supply chain security
- Incident reporting obligations – see also: What are reporting obligations according to NIS 2?
- Using certified IT products and services
However, Article 30 specifies various regulations that will be based on this NIS2 Law, which will specify more precisely cybersecurity and other obligations.
Greece’s NIS2 Law vs. the EU NIS2 Directive
Law 5160/2024 ensures that Greece meets the EU’s expectations under NIS2, bringing consistency to how essential and important entities manage cybersecurity risks, report incidents, and face potential sanctions. Certain local distinctions, such as explicit coverage of additional public administration bodies and detailed registration, adapt the directive’s requirements to Greece’s administrative context. For the companies and organizations involved, timely registration with the National Cybersecurity Authority and a thorough implementation of risk-based security are now paramount, backed by considerable enforcement powers and significant fines for breaches or negligence.
To find all the documents needed for complying with the NIS2 Directive, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.