Greece: Law implementing NIS 2 Directive published in Gazette, enters into effect
On November 29, 2024, the Government of Greece announced the publication of Law No. 5160/2024 Incorporating the Directive on measures for a high common level of cybersecurity across the Union (the NIS 2 Directive) in the Government Gazette.
What are the key provisions of the Law?
The Law provides for the National Cybersecurity Authority (NCA) to effectively exercise its powers as the competent authority for the implementation of the NIS 2 Directive, gaining expanded supervisory and audit powers. The NCA is also designated as the competent Computer Security Incident Response Team (CSIRT). Specifically for the organizations referred to in Article 3(2)(f) of the Law, the competent CSIRT shall be the Cyber Attack Response Team (National CERT) of the Cyber Directorate of the National Intelligence Service.
The Government further states that the NIS 2 Directive broadens the scope of the entities that have to take specific measures for their cybersecurity, based on the size of the entities as well as by including new sectors such as postal services, waste management, food, chemicals (manufacturing, production, distribution), the construction sector as well as central Government, regions, and municipalities.
Further, there are obligations to report major incidents, based on a multi-stage approach. The approach provides, firstly, for an obligation to provide an early warning within 24 hours, followed by a more complete notification of the incident within 72 hours of knowledge of the incident. This is followed by an interim report to update the response and the extent of the incident. The reporting obligation culminates in the mandatory submission of a final report within one month. Additionally, measures to be taken by the entities relate to:
- policies and procedures for risk analysis and security of information systems;
- incident management;
- business continuity, such as backup and disaster recovery management and cyber incident management;
- supply chain security, to adequately manage the risks arising from the relationships between each entity and its direct suppliers or service providers;
- security in the acquisition, deployment, and maintenance of network and information systems, including the handling and disclosure of vulnerabilities; and
- policies and procedures for evaluating the effectiveness of cybersecurity risk management measures.
Next steps
The Law provides for entry into force upon its publication in the Government Gazette. However, Article 3(2)(fb) comes into effect one year from the date of publication of the Article in the Government Gazette.
According to the Government, with the passage of the Law, the demand for cybersecurity services, products, and experts is expected to increase. For this purpose, it is foreseen that it will prepare relevant training programs, providing the possibility of certification, in cooperation with co-competent bodies and thus contributing to the creation of a domestic cybersecurity ecosystem.
You can read the press release here and the Law here, both only available in Greek.