18 August 2025

National Cybersecurity Requirements Framework Adopted: Key Requirements And Responsibilities For Essential And Important Entities

Bernitsas Law, Contributor

Bernitsas Law is a market leader in the provision of commercial law services in Greece and one of the largest firms in the country. We count industry frontrunners, listed and private companies, supranational, global and national entities and corporations, and small and medium sized enterprises from all the major industry sectors among our clients.


Our Data Privacy, Cybersecurity and Technology Briefing aims to update businesses on recent developments in the field of cybersecurity in Greece and provide the key takeaways that you need to know, including:

A. Introduction

  1. Greece adopted a new set of cybersecurity requirements complementing in essence the provisions of the Greek Cybersecurity Law (Law 5160/2024)[1] by means of Joint Ministerial Decision 1689/2025 (JMD)[2].
  2. The JMD establishes the national cybersecurity framework for essential and important entities[3] in Greece (the National Cybersecurity Requirements Framework). It aims to set out technical, organisational, and operational measures for risk management, security policies, control and evaluation procedures, and obligations involving management and staff.

B. Scope and General Provisions

  1. The National Cybersecurity Requirements Framework is designed to ensure that essential and important entities adopt a holistic, all-hazards approach to risk management, protecting both their network and information systems and their physical environment.
  2. The principle of proportionality governs the application of measures, taking into account the size and complexity of the entity, the criticality of the data, risk exposure, the likelihood and severity of incidents, their social and economic impact and cost-benefit considerations.
  3. Important entities are encouraged, depending on the outcome of their risk assessment, to also implement the additional measures addressed solely to essential entities.

C. Senior Management Obligations

  1. Senior management bodies have specific obligations and responsibilities, namely to:
    1. develop and implement a comprehensive cybersecurity risk management programme, which includes policies, procedures, roles, responsibilities and a set of technical, organisational, and operational measures to secure network and information systems;
    2. approve the cybersecurity risk management programme and ensure its overall implementation, monitoring, periodic evaluation and continuous improvement;
    3. ensure the provision of necessary resources for the implementation of the cybersecurity risk management programme and for adopting appropriate technical, operational and organisational measures to manage cybersecurity risks;
    4. ensure that all personnel are informed of their responsibilities regarding compliance with security policies, thematic security policies and related procedures;
    5. ensure the entity's compliance with the cybersecurity programme requirements and take accountability for any deficiencies in its implementation, including the failure to adopt appropriate cybersecurity measures; and
    6. monitor and ensure periodic cybersecurity training for staff to maintain ongoing awareness of cybersecurity issues.
  2. This is particularly important, as the Greek Cybersecurity Law provides that members of management bodies may be held personally liable for infringements of these rules[4].

D. Key Requirements

  1. The National Cybersecurity Requirements Framework sets out specific requirements to be adopted by essential and important entities.
  2. These are set out in detail in the Key Requirements table below.
  3. The National Cybersecurity Requirements Framework sets out in detail the minimum content of each measure/policy to be adopted by the obliged entities.
  4. The list included in the table is not exhaustive but provides a general overview and must be read in conjunction with the JMD.
KEY REQUIREMENTS
Cybersecurity Risk Management Framework
  • Develop and maintain a cybersecurity risk management framework, including regular risk assessments and treatment plans.
  • Essential entities: Risk assessments must also consider cyber threat intelligence and vulnerability assessments.
Information Security Policies and Procedures
  • Implement a general information security policy and specific thematic policies covering areas such as access control, asset management, data usage, removable media, incident management, supply chain security, network security, security audits, backups, encryption and physical/environmental security.
  • Policies must be approved by senior management and regularly reviewed.
Cybersecurity Roles and Responsibilities
  • Define and allocate cybersecurity responsibilities and powers within the organisation, including the appointment of an Information and Communication Systems Security Officer.
  • These must be reviewed and updated by senior management at scheduled intervals, with corrective actions initiated if any deficiencies are identified.
Compliance Monitoring Procedures
  • Implement procedures to monitor and evaluate compliance with cybersecurity obligations, report results to senior management, and initiate corrective actions in case of non-compliance.
  • Essential entities: must also conduct independent audits at regular intervals, as well as following a serious cybersecurity incident.
Human Resources Security
  • Apply suitability checks for prospective staff and disciplinary procedures for policy violations.
  • Essential entities: must also perform background checks for staff.
Asset and Software Management
  • Maintain an up-to-date inventory of IT assets, together with policies on the proper use and secure disposal of assets and removable media.
Supplier and ICT Service Provider Risk Management
  • Establish cybersecurity policies and procedures for suppliers and ICT service providers.
Access Control and Secure Configuration
  • Implement logical access control policies and enforce secure configuration procedures.
Application Security, Change and Vulnerability Management
  • Define security requirements for applications from the design stage (security by design and by default) and conduct security testing before deployment.
  • Put in place change management procedures for network and information systems and processes for identifying, assessing, and addressing technical vulnerabilities (including security patches, regular vulnerability scans and disclosure of zero-day vulnerabilities to the relevant CSIRT).
Effectiveness Evaluation, Network Security, and Malware Protection
  • Put in place policies for conducting security controls, including annual external penetration tests and self-assessments, with corrective action plans.
  • Establish network protection policies and procedures.
  • Deploy technologies to detect and neutralise malware.
  • Essential entities: must also conduct internal penetration tests.
Training and Awareness
  • Maintain regular cybersecurity training and awareness programmes for all staff and management.
Cryptography and Physical Security
  • Put in place policies for cryptography, as well as physical and environmental security policies and measures for access control, perimeter security, internal zoning and protection against environmental risks such as fire, flood and crime, with regular reviews.
Incident Management, Business Continuity, and Crisis Management
  • Develop incident management policies, with regular policy updates.
  • Maintain detailed business continuity and disaster recovery plans, with regular reviews.
  • Essential entities: must also develop crisis management procedures for handling severe incidents.

E. Documenting and Demonstrating Cybersecurity Compliance

  1. To demonstrate compliance with cybersecurity risk management measures under the principle of accountability, especially during audits and inspections[5], obliged entities must be able to document and provide evidence of their adherence through the following three methods:
    1. Documentation in Physical or Digital Forms: Retain records such as security policies, procedures, board meeting minutes, financial documents, contracts, training certificates, network diagrams, business continuity plans, periodic evaluation reports, security audit reports and relevant emails. These records must be comprehensive and sufficient to verify compliance with applicable cybersecurity obligations.
    2. Physical Observation of Information Systems: Competent officials may conduct inspections on a representative sample of information systems to assess the effectiveness of implemented security measures and procedures. This includes evaluating network security technologies, security measures on end-user devices and servers, access control rights and physical security protocols.
    3. Interviews with Management and Employees: Competent officials may also interview a representative sample of management and staff to gather insights into the practical application of security measures and procedures.

F. Next Steps

  1. With the adoption of the National Cybersecurity Requirements Framework, obliged entities must align with the new requirements as set out in the framework.
  2. This Briefing aims to provide you with high level information and alert you to the newly adopted requirements. It is not meant as an exhaustive analysis of the National Cybersecurity Requirements Framework and its applicability to individual businesses. Please do not hesitate to reach out for more information.

* This Briefing was prepared with the assistance of Trainee Attorney Eirini Vyzirgiannaki.


Footnotes

1. Paragraph 2 of Article 15 of Law 5160/2024.

2. Joint Ministerial Decision 1689/30.04.2025 (Government Gazette B' 2186/06.05.2025). For further details on the entities impacted by the Greek Cybersecurity Law and the key responsibilities outlined within its framework, please refer to our previous briefings here and here.

3. As per definitions of Article 4 of the Greek Cybersecurity Law.

4. Article 14.

5. See Articles 24 and 25 of the Greek Cybersecurity Law.
