Cybersecurity · Greece
Greece enacted Law 5160/2024 on 27 November 2024, fully transposing the EU NIS2 Directive into national law and establishing binding cybersecurity obligations for essential and important entities across 18 sectors. The National Cybersecurity Authority (NCSA) is the sole competent authority for supervision, registration, and enforcement. Secondary legislation in early 2025 operationalised the regime with a mandatory 22-control security framework and a tiered incident-reporting timeline.
Law 5160/2024 (Gov. Gazette A'/195/27-11-2024) transposes NIS2 in full, repealing the prior NIS1 framework. It entered into force on 28 November 2024 and applies to both essential and important entities across sectors including energy, transport, banking, health, digital infrastructure, and public administration.
Ministerial Decision 1689/2025 (6 May 2025) establishes the binding National Cybersecurity Requirements Framework under Law 5160/2024, mandating 22 specific technical and organisational security controls. Entities must also register on the national portal (via Ministerial Decision 1645/2025) and appoint a dedicated security officer.
Under Article 16 of Law 5160/2024 (mirroring NIS2 Article 23), essential and important entities must submit an early warning to the NCSA/CSIRT within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month.
Personal data breaches must be reported to the Hellenic Data Protection Authority (HDPA) within 72 hours under GDPR (Regulation 2016/679), as applied in Greece. Incidents affecting personal data in regulated sectors trigger dual notification: to the NCSA (NIS2 channel) and to the HDPA (GDPR channel).
The NCSA (cyber.gov.gr) is the single competent authority for NIS2 supervision, registration, and sanctions. Fines reach up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities.
The NCSA published the National Cybersecurity Strategy 2026–2030 in December 2025 (Ministerial Decision No 2563/16-12-2025), structured around five pillars: resilient critical services, modern governance, skills development, EU/international cooperation, and practical solutions — aligning with the ENISA review cycle.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.