Cybersecurity regulation in Greece (2026)

A Greek misdemeanor court sentenced four individuals — including Intellexa founder Tal Dilian — to eight years each for illegally deploying Predator spyware against politicians, journalists, and senior military officials. It marked Europe's first criminal conviction for commercial spyware abuse, reinforcing regulatory pressure on the surveillance-technology industry.

The NCSA unveiled Greece's successor five-year strategy organised around five pillars — resilient critical services, modern governance, skills development, EU/international cooperation, and practical solutions — and created a National Cybersecurity Reserve to fund public and private sector resilience initiatives.

Joint Ministerial Decision 1689/2025 (Government Gazette B' 2186) established mandatory technical and organisational cybersecurity obligations for essential and important entities under Law 5160/2024, covering risk assessments, penetration testing, supply-chain management, encryption, access controls, and mandatory appointment of an Information Security Officer.

Greece operationalised Law 5160/2024 by defining registration procedures and deadlines for essential and important entities (28 March 2025 for digital-service categories; 11 April 2025 for all others), activating NCSA's supervisory cycle over the expanded NIS2 entity universe.

Greece's supreme administrative court ruled a 2021 amendment unconstitutional that barred ADAE from informing citizens about state surveillance on national-security grounds, finding it violated the Greek Constitution, the EU Charter of Fundamental Rights, and the European Convention on Human Rights.

Published in the Government Gazette (A' 23/14-2-2024), Law 5086/2024 established NCSA as a standalone Legal Entity of Public Law supervised by the Minister of Digital Governance, consolidating cybersecurity strategy-setting, NIS supervision, technical-standard issuance, and national incident coordination under a single dedicated authority.

The Ragnar Locker gang compromised DESFA, Greece's national natural gas system operator, exfiltrating 361 GB of data including engineering designs and financial documents; DESFA refused to pay and disabled most IT systems while maintaining gas supply. The attack highlighted critical-infrastructure vulnerability during the EU energy-security crisis triggered by the war in Ukraine.

Journalist Thanasis Koukakis and subsequently opposition leader Nikos Androulakis discovered their phones were infected with Predator spyware; ADAE documented over 90 targets. The scandal drove EU parliamentary inquiries, export-control debates, and ultimately judicial and legislative reforms around surveillance and communications privacy.

The Ministry of Digital Governance published Greece's first standalone national cybersecurity strategy, setting five strategic goals covering governance, critical infrastructure protection, incident management, research investment, and capacity development, embedded within the Digital Transformation Bible 2020–2025 framework.

Greece incorporated EU Directive 2016/1148 (NIS1), establishing a national cybersecurity plan, designating a competent NIS authority within the Ministry of Digital Policy, creating a CSIRT, and imposing incident-reporting and risk-management obligations on operators of essential services and digital service providers.

The European Network and Information Security Agency (now ENISA) was created by EU Regulation 460/2004 with its headquarters in Heraklion, Crete, anchoring the EU's primary cybersecurity body on Greek soil. Its mandate was made permanent and strengthened under the EU Cybersecurity Act (Regulation 2019/881), which also established a second office in Athens.

The Hellenic Authority for Communication Security and Privacy (ADAE) was created under Law 3115/2003, implementing Article 19(2) of the Greek Constitution, as an independent authority to safeguard confidentiality of all communications and oversee lawful interception — forming the institutional backbone of communications-level cybersecurity oversight.