Greece
(a) What is the NIS2 implementation status?
Law 5160/2024 was officially published on 27 November 2024, transposing NIS2 (the “Law”).
(b) What is the envisaged NIS2 implementation timeline?
Registration obligations
- 28 March 2025: DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms should submit certain information to the National Cybersecurity Authority (“NCA”), including corporate details (name, address), entity’s General Commercial Registry number, name and address of entity’s legal representative, the relevant sector, subsector and type of entity referred to in Annex I or II, etc.
- 11 April 2025: Entities within scope should notify to the NCA, using a digital platform or the email address, with certain information, including corporate details (name, address), entity’s General Commercial Registry number, IP ranges within the Greek territory, domain name(s) the entity uses within the Greek territory, name and address of entity’s legal representative, etc.
Obligations related to cybersecurity risk-management measures
- 27 February 2025: Management to approve the cybersecurity risk-management measures taken by the entity within scope.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The Law has repealed and effectively replaced Law 4577/2018, which had transposed NIS1, as well as articles 148 (“Security of networks and services”) and 149 (“Implementation and enforcement”) of Law 4727/2020, which has transposed Directive (EU) 2018/1972 on establishing the European Electronic Communications Code.
(d) Who will be the supervisory authority and how are they preparing the market?
The NCA. We are not aware of any initiatives taken so far to raise awareness or prepare the market.
(e) What should you be doing/on the lookout for?
Clients should adopt appropriate and proportionate technical, operational and organisational measures including, inter alia, the adoption of a unified cybersecurity policy, the maintenance of a comprehensive inventory of tangible and intangible information and communication assets, and the appointment of an Information Technology Systems and Communications Security Officer.
Contact
Theodore Konstantakopoulos E: t.konstantakopoulos@zeya.com
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page