Cybersecurity ยท Greece
Cybersecurity law in Greece: NIS2 compliance (2026)
Greece shaded by its cybersecurity status
Cybersecurity in Greece: comprehensive law, anchored by Law 5160/2024 (Government Gazette A'/195/27-11-2024) transposing EU NIS2 Directive (2022/2555); supervised by the National Cybersecurity Authority (NCSA / cyber.gov.gr).
Greece enacted Law 5160/2024 on 27 November 2024, fully transposing the EU NIS2 Directive into national law, establishing binding cybersecurity obligations for essential and important entities across 18 sectors. The National Cybersecurity Authority (NCSA) is the sole competent authority for supervision, registration, and enforcement. Secondary legislation in early 2025 operationalised the regime with a mandatory 22-control security framework and a tiered incident-reporting timeline.
NIS2 & cybersecurity law in Greece
In Greece, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to โฌ10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Greece implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Greece: FAQ
Yes. As an EU member, Greece has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to โฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
Law 5160/2024 (Gov. Gazette A'/195/27-11-2024) transposes NIS2 in full, repealing the prior NIS1 framework. It entered into force on 28 November 2024 and applies to both essential and important entities across sectors including energy, transport, banking, health, digital infrastructure, and public administration.
Ministerial Decision 1689/2025 (6 May 2025) establishes the binding National Cybersecurity Requirements Framework under Law 5160/2024, mandating 22 specific technical and organisational security controls. Entities must also register on the national portal (via Ministerial Decision 1645/2025) and appoint a dedicated security officer.
Under Article 16 of Law 5160/2024 (mirroring NIS2 Article 23), essential and important entities must submit an early warning to the NCSA/CSIRT within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month.
Personal data breaches must be reported to the Hellenic Data Protection Authority (HDPA) within 72 hours under GDPR (Regulation 2016/679), as applied in Greece. Incidents affecting personal data in regulated sectors trigger dual notification to both the NCSA (NIS2 channel) and the HDPA (GDPR channel).
The NCSA (cyber.gov.gr) is the single competent authority for NIS2 supervision, registration, and sanctions. Fines reach up to โฌ10 million or 2% of global annual turnover for essential entities, and up to โฌ7 million or 1.4% for important entities.
The NCSA published the National Cybersecurity Strategy 2026-2030 in December 2025 (Ministerial Decision No 2563/16-12-2025), structured around five pillars: resilient critical services, modern governance, skills development, EU/international cooperation, and practical solutions, aligning with the ENISA review cycle.
Timeline - major decisions & events
A Greek misdemeanor court sentenced four individuals, including Intellexa founder Tal Dilian, to eight years each for illegally deploying Predator spyware against politicians, journalists, and senior military officials. It marked Europe's first criminal conviction for commercial spyware abuse, reinforcing regulatory pressure on the surveillance-technology industry.
Amnesty International โThe NCSA unveiled Greece's successor five-year strategy organised around five pillars, resilient critical services, modern governance, skills development, EU/international cooperation, and practical solutions, and created a National Cybersecurity Reserve to fund public and private sector resilience initiatives.
European Commission โ Digital Skills & Jobs Platform โJoint Ministerial Decision 1689/2025 (Government Gazette B' 2186) established mandatory technical and organisational cybersecurity obligations for essential and important entities under Law 5160/2024, covering risk assessments, penetration testing, supply-chain management, encryption, access controls, and mandatory appointment of an Information Security Officer.
Zepos & Yannopoulos Law Firm โGreece operationalised Law 5160/2024 by defining registration procedures and deadlines for essential and important entities (28 March 2025 for digital-service categories; 11 April 2025 for all others), activating NCSA's supervisory cycle over the expanded NIS2 entity universe.
European Commission โ Digital Strategy โGreece's supreme administrative court ruled a 2021 amendment unconstitutional that barred ADAE from informing citizens about state surveillance on national-security grounds, finding it violated the Greek Constitution, the EU Charter of Fundamental Rights, and the European Convention on Human Rights.
Human Rights Watch โPublished in the Government Gazette (A' 23/14-2-2024), Law 5086/2024 established NCSA as a standalone Legal Entity of Public Law supervised by the Minister of Digital Governance, consolidating cybersecurity strategy-setting, NIS supervision, technical-standard issuance, and national incident coordination under a single dedicated authority.
NCSA โ National Cybersecurity Authority (cyber.gov.gr) โThe Ragnar Locker gang compromised DESFA, Greece's national natural gas system operator, exfiltrating 361 GB of data including engineering designs and financial documents; DESFA refused to pay and disabled most IT systems while maintaining gas supply. The attack highlighted critical-infrastructure vulnerability during the EU energy-security crisis triggered by the war in Ukraine.
The Record (Recorded Future News) โJournalist Thanasis Koukakis and subsequently opposition leader Nikos Androulakis discovered their phones were infected with Predator spyware; ADAE documented over 90 targets. The scandal drove EU parliamentary inquiries, export-control debates, and ultimately judicial and legislative reforms around surveillance and communications privacy.
Wikipedia โ 2022 Greek surveillance scandal โThe Ministry of Digital Governance published Greece's first standalone national cybersecurity strategy, setting five strategic goals covering governance, critical infrastructure protection, incident management, research investment, and capacity development, embedded within the Digital Transformation Bible 2020-2025 framework.
Hellenic Ministry of Digital Governance โGreece incorporated EU Directive 2016/1148 (NIS1), establishing a national cybersecurity plan, designating a competent NIS authority within the Ministry of Digital Policy, creating a CSIRT, and imposing incident-reporting and risk-management obligations on operators of essential services and digital service providers.
CPA Law โThe European Network and Information Security Agency (now ENISA) was created by EU Regulation 460/2004 with its headquarters in Heraklion, Crete, anchoring the EU's primary cybersecurity body on Greek soil. Its mandate was made permanent and strengthened under the EU Cybersecurity Act (Regulation 2019/881), which also established a second office in Athens.
ENISA โ EU Agency for Cybersecurity โThe Hellenic Authority for Communication Security and Privacy (ADAE) was created under Law 3115/2003, implementing Article 19(2) of the Greek Constitution, as an independent authority to safeguard confidentiality of all communications and oversee lawful interception, forming the institutional backbone of communications-level cybersecurity oversight.
ADAE โ Hellenic Authority for Communication Security and Privacy โGreece - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ