NIS2 in Greece
A guide to NIS2 implementation and compliance in Greece.
Greece is strengthening its national cybersecurity regime to align with the enhanced obligations introduced under the NIS2 Directive. The updated framework expands sector coverage, formalizes management accountability, and reinforces reporting and enforcement mechanisms. This guide provides a structured overview of NIS2 compliance requirements in Greece for SMEs operating in regulated sectors.
1. Quick SME Applicability Snapshot in Greece
Does NIS2 apply to SMEs in Greece?
Yes — depending on sector and size.
- Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
- Small or micro entities are included only if formally designated or operating in high-criticality sectors.
- Applies to entities established in Greece and, in certain cases, foreign digital providers serving the Greek market.
SMEs should assess qualification under Greece's national cybersecurity framework based on sector classification and statutory thresholds.
2. Overview of NIS2 Implementation in Greece
Greece has transposed NIS2 through Law 5160/2024 ("Transposition of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union"), published in the Official Gazette (Government Gazette A'/195) on 27 November 2024 and in force since 28 November 2024. This is a comprehensive new statute, not an amendment, replacing the earlier Law 4577/2018 that implemented NIS1. For first-tier local government bodies, enforcement began on 27 November 2025.
The framework is supported by two key ministerial decisions: Ministerial Decision 1645/2025 (15 April 2025) establishing the entity registration process, and Ministerial Decision 1689/2025 (6 May 2025) defining the national cybersecurity requirements framework covering 22 specific security topics applicable to regulated entities.
Greece's implementation includes several requirements beyond the Directive baseline: mandatory appointment of an Information and Communication Systems Security Officer (ICSSO) — a role incompatible with that of the Data Protection Officer; mandatory annual cybersecurity training for management and employees; and a requirement to maintain a comprehensive inventory of tangible and intangible ICT assets. Management board approval of risk management measures was required within three months of the law's entry into force (deadline: 28 February 2025 — already passed).
3. Scope of Application in Greece
Essential Entities
Entities operating in highly critical sectors:
Important Entities
Entities operating in other listed sectors:
Greece's scope mirrors the Directive's minimum sector categories; no structural expansion beyond them has been confirmed.
4. Size Thresholds and SME Applicability in Greece
The baseline thresholds apply:
- ≥50 employees, and
- ≥€10 million annual turnover or balance sheet total.
Entities meeting both criteria in covered sectors fall automatically within scope.
Small and micro enterprises may be designated where they are considered critical to public security, economic stability, or societal functioning.
Greek authorities retain formal designation powers where systemic risk justifies inclusion.
5. Entity Classification Framework in Greece
Entities are categorized as:
- Essential Entities — Subject to proactive supervision, including audits and structured compliance monitoring.
- Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.
Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.
Greece follows the Directive's two-tier supervisory model.
6. Cybersecurity Risk Management Requirements in Greece
Greece's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:
- Risk analysis and system protection
- Incident detection and response
- Business continuity and crisis management
- Supply chain risk controls
- Secure acquisition and development of ICT systems
- Access control and identity management
- Encryption and cryptographic safeguards
- Vulnerability management procedures
- Staff cybersecurity training
Measures must reflect state-of-the-art standards and organizational risk exposure. Greece has published a national cybersecurity requirements framework (Ministerial Decision 1689/2025) defining 22 specific security topics to be addressed by essential and important entities. Entities must also maintain a comprehensive inventory of tangible and intangible ICT assets and submit a cybersecurity policy to the NCSA. Risk assessments must be reviewed annually or after major changes. Alignment with ISO/IEC 27001 is encouraged.
7. Management Liability and Governance in Greece
Management bodies must formally approve cybersecurity risk management measures and oversee implementation.
Under Greece's framework:
- Boards are accountable for compliance oversight. Management bodies were required to formally approve cybersecurity risk management measures within three months of the law's entry into force (deadline: 28 February 2025 — already passed).
- Senior management must ensure sufficient cybersecurity competence. Members of management bodies are required to follow special cybersecurity training and ensure similar training is provided to employees at least annually.
- Administrative sanctions may address governance failures.
- The NCSA may temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in an essential entity. Management members may also be held personally liable for infringements of cybersecurity risk management and training obligations under Law 5160/2024.
Greece's NIS2 management liability expectations elevate cybersecurity governance to an executive-level responsibility.
8. Incident Reporting Obligations in Greece
Definition of a Significant Incident
An incident qualifies if it causes:
- Severe operational disruption
- Significant financial loss
- Substantial societal impact
- Cross-border effects
Reporting Timeline
| Reporting Stage | Deadline | Authority |
|---|---|---|
| Early Warning | 24 hours | National Cybersecurity Authority (NCSA) |
| Incident Notification | 72 hours | National Cybersecurity Authority (NCSA) |
| Final Report | 1 month | National Cybersecurity Authority (NCSA) |
9. Supervisory Authorities and Enforcement Model in Greece
Primary authority: National Cybersecurity Authority (NCSA).
Greece operates a centralized supervisory model coordinated by the NCSA, with sector-specific regulators involved where necessary.
Supervisory powers include:
- Requests for documentation and information
- Security audits
- On-site inspections
- Binding compliance instructions
- Participation in EU cybersecurity coordination mechanisms
The enforcement structure aligns with Directive-level cooperation requirements.
10. NIS2 Fines and Sanctions in Greece
Greece applies Directive-aligned administrative penalties.
Essential Entities
Up to €10 million or 2% of total global annual turnover (whichever is higher)
Important Entities
Up to €7 million or 1.4% of total global annual turnover (whichever is higher)
NIS2 enforcement in Greece may also include:
- Binding remediation orders
- Public identification of non-compliant entities
- Suspension of authorizations or certifications
- Managerial suspension powers
Criminal liability applies only where explicitly provided under Greek legislation.
11. NIS2 Supply Chain and Vendor Security in Greece
Entities must manage third-party cybersecurity exposure through:
- Vendor risk assessments
- Contractual security flow-down provisions
- Continuous ICT supplier monitoring
- Concentration risk analysis
- Incident propagation mitigation
Greece's approach aligns with Directive baseline expectations regarding supplier risk management.
12. Registration and Self-Identification Duties in Greece
Entities within scope must:
- Register via the NCSA digital platform (nis2register.cyber.gov.gr). The general registration deadline was 30 September 2025 (extended from earlier dates); DNS, cloud, CDN, managed service providers and similar digital infrastructure entities had an earlier deadline of 28 March 2025. Both deadlines have now passed — entities not yet registered should act immediately.
- Provide corporate identification details
- Disclose sector classification
- Maintain updated reporting contacts. Any changes to registered information must be reported to the NCSA within two weeks of the change.
In addition to registration, entities must appoint an ICSSO (Information and Communication Systems Security Officer) as the dedicated point of contact for the NCSA. This role is incompatible with the Data Protection Officer role. Qualification rules for the ICSSO became effective from 1 November 2025.
Self-identification is mandatory where entities meet statutory thresholds. The NCSA may also designate additional entities based on risk or criticality assessments.
13. Interaction With GDPR and Other Laws in Greece
The General Data Protection Regulation continues to apply concurrently.
Overlap considerations include:
- 72-hour personal data breach notification
- Supervisory authority coordination
- Parallel cybersecurity and data protection investigations
- Sector-specific Greek cybersecurity legislation
A single cyber incident may trigger reporting obligations under both regimes.
14. Cross-Border Applicability
Entities with their main establishment in Greece are supervised by Greek authorities for cross-border services.
Foreign digital providers offering services in Greece may be subject to national obligations depending on establishment structure.
Representation requirements follow Directive standards for non-EU providers serving the Greek market.
15. Implementation Timeline in Greece
- Directive adoption: 2022
- National transposing legislation: Law 5160/2024 enacted by Greek Parliament; published in Official Gazette 27 November 2024; supplemented by Ministerial Decision 1645/2025 (registration, 15 April 2025) and Ministerial Decision 1689/2025 (22-topic cybersecurity requirements framework, 6 May 2025).
- Entry into force: 28 November 2024; first-tier local government bodies: 27 November 2025.
- Commission notification: Fully notified; Greece is not among the Member States subject to an outstanding Commission reasoned opinion.
- Compliance milestones: Board approval of risk management measures: 28 February 2025 (passed); digital infrastructure provider registration: 28 March 2025 (passed); general entity registration: 30 September 2025 (passed); ICSSO qualification rules effective: 1 November 2025; NCSA audits commenced: Q4 2025.
Greece was among the first EU Member States to complete NIS2 transposition. All initial compliance milestones — board approval of risk management measures, entity registration, and ICSSO appointment — have passed. NCSA audits are underway.
16. Key Takeaways for SMEs in Greece
- Medium-sized entities in covered sectors are automatically within scope.
- Small entities may be designated if critical to national or economic stability.
- Board-level governance oversight is mandatory. Management must have formally approved cybersecurity risk management measures (deadline: 28 February 2025) and must ensure annual cybersecurity training for management and employees. Personal liability for management members is explicitly provided for under Law 5160/2024.
- Incident reporting follows 24h / 72h / 1 month deadlines.
- Financial penalties can reach €10 million or 2% of global turnover.
- Vendor risk management is required.
- All key deadlines have passed. Entities must also appoint a dedicated ICSSO (incompatible with the DPO role), implement the 22-topic national cybersecurity requirements framework (Ministerial Decision 1689/2025), and maintain a comprehensive ICT asset inventory. NCSA audits commenced in Q4 2025.
FAQ: NIS2 Greece SME Guide
Does NIS2 apply to small companies in Greece?
Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.
What are the NIS2 fines in Greece?
Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.
When does NIS2 take effect in Greece?
Greece enacted Law 5160/2024 on 27 November 2024; it has been in force since 28 November 2024. All initial compliance milestones have passed, including board approval of risk management measures (28 February 2025) and entity registration (30 September 2025). The NCSA's national cybersecurity requirements framework (22 security topics) was published on 6 May 2025. NCSA audits are underway. Entities not yet compliant — or not yet registered — should act immediately.
Who enforces NIS2 in Greece?
The National Cybersecurity Authority (NCSA) serves as the primary supervisory authority, coordinating with sector regulators where applicable.
Can directors be personally liable under NIS2 in Greece?
Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.
How does NIS2 differ from GDPR in Greece?
NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.
What qualifies as a significant incident under NIS2 in Greece?
An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.