Our Data Privacy, Cybersecurity and Technology Briefing aims to update businesses on this recent development in the field of cybersecurity in Greece and provide the key takeaways you need to know, including:
A. Introduction
B. Key Obligations and Deadlines for Essential and Important Entities
C. Specific Requirements for Specific Entities
D. Recent Updates
E. Actions to Take Now
A. Introduction
1. As of 27 November 2024, Greece has officially transposed the NIS 2 Directive into national law through the enactment of Law 5160/2024 (Greek Cybersecurity Law), which is already in effect (see our Briefing on the enactment of the Greek Cybersecurity Law, and its scope of application here). It is essential for legal entities to proactively assess their obligations and develop a compliance plan. This briefing highlights key obligations, deadlines and actions required for compliance, with a critical registration deadline with the National Cybersecurity Authority (NCSA) approaching on 11 April 2025.
2. Several key compliance obligations are now in place and many deadlines are coming up or have recently expired.
3. With the secondary legislation that will further streamline the Law's implementation and clarify specific requirements still pending, we continue to closely monitor developments and will keep you informed of any updates.
4. Recently, the NCSA launched a new website with valuable resources, including materials and tools to help entities, professionals and the public gain insight into cybersecurity compliance.
B. Key Obligations and Deadlines for Essential and Important Entities
1. Registration with the NCSA: An immediate requirement for affected entities is to register with the NCSA. Essential and important[1] entities must submit specific information to the NCSA by 11 April 2025. The registration process is governed by secondary legislation[2], which outlines the establishment of a dedicated online platform. While this platform is expected to launch in the near future, entities can currently submit the required registration information via email to register.ncsa@cyber.gov.gr.
2. Implementation of Cybersecurity Risk Management Measures[3]: Essential and important entities must implement appropriate technical, operational and organisational measures to manage risks to the security of their network and information systems. These measures should prevent or minimise the impact of incidents on service recipients. The measures should align with state-of-the-art practices, relevant European and international standards and cost considerations. The security level must be appropriate to the risks, considering the entity's exposure and size, as well as the likelihood and severity of potential incidents. The risk management strategy should adopt an all-hazards approach to protect network systems and their physical environments. At a minimum, it must include:
a. risk analysis and system security policies;
b. incident handling;
c. business continuity, including backup, recovery and crisis management;
d. supply chain security;
e. security in system acquisition and maintenance;
f. policies to assess cybersecurity effectiveness;
g. cyber hygiene practices and training;
h. cryptography and encryption policies;
i. human resources security, access control and asset management; and
j. multi-factor authentication and secure communication systems.
3. Approval of Cybersecurity Risk Management Measures: Management bodies must, as a matter of priority, approve cybersecurity risk management measures (the deadline was set for 27 February 2025) and oversee their implementation, at the risk of being held liable in case of infringement of the Greek Cybersecurity Law[4].
4. Cybersecurity Training & Awareness: Members of management bodies of essential and important entities must undergo training to develop the skills and knowledge needed to identify risks, assess cybersecurity practices and understand their impact on the entity's services[5]. They must also ensure that their employees receive similar training at least annually.
5. Appointment of a Cybersecurity Officer: A qualified Information and Communication Systems Security Officer must be designated to manage cybersecurity compliance and liaise with the NCSA[6]. This role must be distinct from the role of the Data Protection Officer.
6. Integrated cybersecurity policy: Entities must develop and maintain an integrated cybersecurity policy addressing risk management and compliance requirements[7]. For essential entities, the policy must be submitted to the NCSA for approval at least annually. This requirement may be extended to important entities via secondary legislation.
7. Inventory of information systems and communication assets: Essential and important entities must maintain a comprehensive and up-to-date inventory of their tangible and intangible information and communication assets, prioritised by criticality.
8. Incident reporting: Essential and important entities must report significant incidents to the NCSA and its Computer Security Incident Response Team (CSIRT) without undue delay. Each reporting step must include the minimum content prescribed by the Cybersecurity Law and be submitted within the following timeframes, starting from the time the entity becomes aware of the incident:
a. early warning within 24 hours;
b. incident notification within 72 hours (24 hours for trust service providers);
c. intermediate report (if requested);
d. final report within one month (or a progress report if the incident is still ongoing, with the final report due within one month of resolution).
9. A cybersecurity incident is considered significant if:
a. it has caused or could cause severe operational disruption or financial loss for the entity; or
b. it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
10. Entities may also be required to inform their service recipients about the incidents.
C. Specific Requirements for Specific Entities
1. Special Registry: Certain entities should have registered with the NCSA by 28 March 2025[8].
2. Domain Name Registration Database: TLD name registries and entities providing domain name registration services must collect and maintain accurate and complete domain name registration data in a dedicated database.
3. Electronic Communications Providers: Providers of public communications networks and services may face additional cybersecurity requirements and incident reporting obligations to both the NCSA and the Hellenic Authority for Communication Security and Privacy (ADAE).
D. Recent Updates
1. The NCSA recently unveiled a new website providing a range of valuable resources, including materials and tools designed to support entities, professionals and users in understanding and enhancing cybersecurity compliance.
2. Among the new tools are:
a. a detailed brochure with guidance on the applicability of the NIS 2 Directive and Greek Cybersecurity Law;
b. a scoping test to swiftly determine whether a legal entity falls within the ambit of Greek Cybersecurity Law; and
c. a dedicated section for reporting cyber incidents with useful guidance on protection against such incidents.
E. Actions to Take Now
1. Given these developments, it is crucial for all affected entities to assess their obligations under the Greek Cybersecurity Law and begin preparing a comprehensive compliance plan. Timely preparation will ensure your entity is well-positioned to meet the evolving regulatory landscape.
2. We recommend that you take the following steps now:
a. Assess whether your entity falls within the scope of the Greek Cybersecurity Law.
b. Register your entity with the NCSA in a due and timely manner, as applicable.
c. Adopt and implement cybersecurity risk management measures.
d. Train employees and management to raise cybersecurity awareness.
e. Monitor developments in cybersecurity compliance and stay alert to any incidents.
3. Remember to seek legal guidance to understand your cybersecurity responsibilities and ensure compliance.
Footnotes
1. In other words, all entities falling within the scope of the Greek Cybersecurity Law, classified as essential or important based on size, sector, and criticality according to Articles 3 and 4 of Greek Cybersecurity Law.
2. Joint Ministerial Decision 1381/10.02.2025 (Government Gazette B' 463/10.02.2025).
3. Article 15(1) and (2) of Greek Cybersecurity Law.
4. Article 14(1) of Greek Cybersecurity Law.
5. Article 14(2) of Greek Cybersecurity Law.
6. Article 15(5)(a) of Greek Cybersecurity Law.
7. Article 15(5)(b) of Greek Cybersecurity Law.
8. Namely, DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, search engines and social networking services platforms.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.