Skip to content
World Watch/Greece/Cybersecurity

Cybersecurity ยท Greece

Cybersecurity law in Greece: NIS2 compliance (2026)

Comprehensive lawLaw 5160/2024 (Government Gazette A'/195/27-11-2024) transposing EU NIS2 Directive (2022/2555); supervised by the National Cybersecurity Authority (NCSA / cyber.gov.gr)Country index 93 ยท A+

Greece shaded by its cybersecurity status

Cybersecurity in Greece: comprehensive law, anchored by Law 5160/2024 (Government Gazette A'/195/27-11-2024) transposing EU NIS2 Directive (2022/2555); supervised by the National Cybersecurity Authority (NCSA / cyber.gov.gr).

Greece enacted Law 5160/2024 on 27 November 2024, fully transposing the EU NIS2 Directive into national law, establishing binding cybersecurity obligations for essential and important entities across 18 sectors. The National Cybersecurity Authority (NCSA) is the sole competent authority for supervision, registration, and enforcement. Secondary legislation in early 2025 operationalised the regime with a mandatory 22-control security framework and a tiered incident-reporting timeline.

NIS2 & cybersecurity law in Greece

In Greece, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.

Framework
the NIS2 Directive (EU) 2022/2555, transposed into national law
Approach
cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
Applies to
medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
Incident reporting
an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
Maximum fine
up to โ‚ฌ10 million or 2% of global annual turnover for essential entities
Oversight
the national competent authority and CSIRT designated under NIS2

NIS2 is a directive, so Greece implements it through national law; exact scope and deadlines can vary slightly by transposition.

NIS2 in Greece: FAQ

Does NIS2 apply in Greece?

Yes. As an EU member, Greece has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.

Who must comply with NIS2 in Greece?

Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.

What are the NIS2 incident-reporting deadlines in Greece?

An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.

What are the penalties under NIS2 in Greece?

Up to โ‚ฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.

Key points

Primary legislation

Law 5160/2024 (Gov. Gazette A'/195/27-11-2024) transposes NIS2 in full, repealing the prior NIS1 framework. It entered into force on 28 November 2024 and applies to both essential and important entities across sectors including energy, transport, banking, health, digital infrastructure, and public administration.

National Cybersecurity Requirements Framework

Ministerial Decision 1689/2025 (6 May 2025) establishes the binding National Cybersecurity Requirements Framework under Law 5160/2024, mandating 22 specific technical and organisational security controls. Entities must also register on the national portal (via Ministerial Decision 1645/2025) and appoint a dedicated security officer.

Incident reporting obligations

Under Article 16 of Law 5160/2024 (mirroring NIS2 Article 23), essential and important entities must submit an early warning to the NCSA/CSIRT within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month.

GDPR personal-data breach notification

Personal data breaches must be reported to the Hellenic Data Protection Authority (HDPA) within 72 hours under GDPR (Regulation 2016/679), as applied in Greece. Incidents affecting personal data in regulated sectors trigger dual notification to both the NCSA (NIS2 channel) and the HDPA (GDPR channel).

Supervisory authority and penalties

The NCSA (cyber.gov.gr) is the single competent authority for NIS2 supervision, registration, and sanctions. Fines reach up to โ‚ฌ10 million or 2% of global annual turnover for essential entities, and up to โ‚ฌ7 million or 1.4% for important entities.

National Cybersecurity Strategy 2026-2030

The NCSA published the National Cybersecurity Strategy 2026-2030 in December 2025 (Ministerial Decision No 2563/16-12-2025), structured around five pillars: resilient critical services, modern governance, skills development, EU/international cooperation, and practical solutions, aligning with the ENISA review cycle.

Timeline - major decisions & events

Feb 1, 2026enforcement
Athens Court Convicts Intellexa Founder in 'Predatorgate' Spyware Case

A Greek misdemeanor court sentenced four individuals, including Intellexa founder Tal Dilian, to eight years each for illegally deploying Predator spyware against politicians, journalists, and senior military officials. It marked Europe's first criminal conviction for commercial spyware abuse, reinforcing regulatory pressure on the surveillance-technology industry.

Amnesty International โ†—
Dec 18, 2025guidanceofficial
National Cybersecurity Strategy 2026-2030 Published by NCSA

The NCSA unveiled Greece's successor five-year strategy organised around five pillars, resilient critical services, modern governance, skills development, EU/international cooperation, and practical solutions, and created a National Cybersecurity Reserve to fund public and private sector resilience initiatives.

European Commission โ€“ Digital Skills & Jobs Platform โ†—
May 6, 2025guidance
JMD 1689/2025: National Cybersecurity Requirements Framework Adopted

Joint Ministerial Decision 1689/2025 (Government Gazette B' 2186) established mandatory technical and organisational cybersecurity obligations for essential and important entities under Law 5160/2024, covering risk assessments, penetration testing, supply-chain management, encryption, access controls, and mandatory appointment of an Information Security Officer.

Zepos & Yannopoulos Law Firm โ†—
Jan 1, 2025guidanceofficial
Ministerial Decision 1645/2025: NIS2 Entity Registration Process Established

Greece operationalised Law 5160/2024 by defining registration procedures and deadlines for essential and important entities (28 March 2025 for digital-service categories; 11 April 2025 for all others), activating NCSA's supervisory cycle over the expanded NIS2 entity universe.

European Commission โ€“ Digital Strategy โ†—
Apr 5, 2024decision
Council of State Strikes Down Blanket Surveillance Secrecy Provision

Greece's supreme administrative court ruled a 2021 amendment unconstitutional that barred ADAE from informing citizens about state surveillance on national-security grounds, finding it violated the Greek Constitution, the EU Charter of Fundamental Rights, and the European Convention on Human Rights.

Human Rights Watch โ†—
Feb 14, 2024lawofficial
Law 5086/2024: National Cybersecurity Authority (NCSA) Created as Independent Legal Entity

Published in the Government Gazette (A' 23/14-2-2024), Law 5086/2024 established NCSA as a standalone Legal Entity of Public Law supervised by the Minister of Digital Governance, consolidating cybersecurity strategy-setting, NIS supervision, technical-standard issuance, and national incident coordination under a single dedicated authority.

NCSA โ€“ National Cybersecurity Authority (cyber.gov.gr) โ†—
Aug 19, 2022incident
Ragnar Locker Ransomware Attack on National Gas Operator DESFA

The Ragnar Locker gang compromised DESFA, Greece's national natural gas system operator, exfiltrating 361 GB of data including engineering designs and financial documents; DESFA refused to pay and disabled most IT systems while maintaining gas supply. The attack highlighted critical-infrastructure vulnerability during the EU energy-security crisis triggered by the war in Ukraine.

The Record (Recorded Future News) โ†—
Mar 1, 2022incident
'Predatorgate': Predator Spyware Found on Journalist's and Opposition Leader's Phones

Journalist Thanasis Koukakis and subsequently opposition leader Nikos Androulakis discovered their phones were infected with Predator spyware; ADAE documented over 90 targets. The scandal drove EU parliamentary inquiries, export-control debates, and ultimately judicial and legislative reforms around surveillance and communications privacy.

Wikipedia โ€“ 2022 Greek surveillance scandal โ†—
Dec 7, 2020guidanceofficial
National Cybersecurity Strategy 2020-2025 Published

The Ministry of Digital Governance published Greece's first standalone national cybersecurity strategy, setting five strategic goals covering governance, critical infrastructure protection, incident management, research investment, and capacity development, embedded within the Digital Transformation Bible 2020-2025 framework.

Hellenic Ministry of Digital Governance โ†—
Dec 1, 2018law
Law 4577/2018: NIS1 Directive Transposed, First Binding Sectoral Cybersecurity Obligations

Greece incorporated EU Directive 2016/1148 (NIS1), establishing a national cybersecurity plan, designating a competent NIS authority within the Ministry of Digital Policy, creating a CSIRT, and imposing incident-reporting and risk-management obligations on operators of essential services and digital service providers.

CPA Law โ†—
Mar 1, 2004lawofficial
EU Regulation 460/2004: ENISA Established with Seat in Greece

The European Network and Information Security Agency (now ENISA) was created by EU Regulation 460/2004 with its headquarters in Heraklion, Crete, anchoring the EU's primary cybersecurity body on Greek soil. Its mandate was made permanent and strengthened under the EU Cybersecurity Act (Regulation 2019/881), which also established a second office in Athens.

ENISA โ€“ EU Agency for Cybersecurity โ†—
Jan 1, 2003lawofficial
Law 3115/2003: ADAE Established, Constitutional Watchdog for Communications Privacy

The Hellenic Authority for Communication Security and Privacy (ADAE) was created under Law 3115/2003, implementing Article 19(2) of the Greek Constitution, as an independent authority to safeguard confidentiality of all communications and oversee lawful interception, forming the institutional backbone of communications-level cybersecurity oversight.

ADAE โ€“ Hellenic Authority for Communication Security and Privacy โ†—

Greece - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’