Recently (on 27 November 2024), the highly anticipated Greek Law 5160/2024 transposed Directive (EU) 2022/2555 (“NIS2 Directive”), which aims to achieve a high common level of cybersecurity across the European Union (EU). More specifically, the NIS2 Directive updates and strengthens the legal framework previously set out by Directive (EU) 2016/1148 on the security of network and information systems (NIS Directive), which is repealed as of 18 October 2024.
Overview
In general, NIS2 Directive and the newly enacted Law 5160/2024 expand the number of entities to be subject to cybersecurity obligations, introduce robust cybersecurity risk-management measures, lay down tightened incident reporting obligations and ensure effective supervision and enforcement by enhancing the role of oversight authorities. Most of all, the new legislation streamlines compliance with cybersecurity rules across the European Union.
Which entities are subject to cybersecurity obligations under Law 5160/2024?
The NIS2 Directive and Law 5160/2024 broaden the scope of cybersecurity rules to include new sectors, so that both public and private entities meeting certain requirements fall under the scope of the new legislation.
Specifically, entities which i) belong to a highly critical or critical sector (as listed in the Annexes of Law 5160/2024), ii) qualify as medium-sized enterprises (i.e. employ more than fifty (50) people and have an annual turnover exceeding 10 million euros) or as large entities (i.e. exceed the maximum limits for medium-sized enterprises) and iii) are established in Greece or provide their services or perform activities in Greece, are subject to the cybersecurity obligations described here.
Highly critical sectors include, among others, energy, transport, banking, health, financial markets infrastructure, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space.
Other critical sectors include, among others, postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers, research.
Furthermore, under certain circumstances, entities belonging to the above-mentioned sectors fall within the scope of the Law irrespective of their size (e.g. where the entity is the sole provider of a service that is essential for the maintenance of critical societal or economic activities). Critical entities identified under Directive (EU) 2022/2557, as well as entities providing domain name registration services, are likewise subject to Law 5160/2024 regardless of their size.
At this point, it is important to stress that Law 5160/2024 classifies the entities falling within its scope into “essential” and “important” entities based on certain criteria (e.g. size, criticality of the sector). Overall, essential entities face stricter cybersecurity obligations, supervisory oversight and administrative sanctions than important entities; however, the latter must abide by robust legal provisions too.
Which entities are excluded therefrom?
Law 5160/2024 does not apply to:
- public administration entities operating in national security, public order, defense or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences;
- financial entities covered by Regulation (EU) 2022/2554 (DORA Regulation).
Which is the competent Authority and what is its role?
The National Cybersecurity Authority (“NCSA”), which was established by Law 5086/2024 and is supervised by the Minister of Digital Governance, is designated as the competent Authority on cybersecurity in Greece and is responsible for the supervision and enforcement of Law 5160/2024.
In addition, the NCSA is designated as the single point of contact on cybersecurity for cross-border cooperation within the EU (with the competent authorities of other Member States, the European Commission and ENISA), as well as for cross-sector cooperation within the country (with other national competent authorities). The Authority also participates in the Cooperation Group established by the NIS2 Directive to support and facilitate strategic cooperation and the exchange of information among Member States.
The NCSA is also designated as the competent authority for large-scale cyber crisis management and, in principle, as the Computer Security Incident Response Team (CSIRT).
Furthermore, the NCSA is responsible for developing the national cybersecurity strategy, including the determination of its strategic objectives, the resources necessary to achieve those objectives and the appropriate policy and regulatory measures.
Lastly, the NCSA shall draw up a list of the essential and important entities under Law 5160/2024, as well as of the entities providing domain name registration services, based on the declarations that those entities must submit through an online platform within two (2) months of the entry into force of the Law.
Which are the key obligations imposed by Law 5160/2024 on essential and important entities?
- Risk-management measures:
The entities concerned shall take appropriate and proportionate technical, operational as well as organizational measures based on an all-hazards approach, to manage the risks posed to the security of network and information systems used for their operations or for the provision of their services, and to prevent or minimize the impact of cybersecurity incidents. These measures include at least the following, depending on the overall risk assessment for the protection of information systems:
(a) policies and procedures on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management and disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies and asset management; and
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
- Governance:
The management bodies of the entities concerned shall, within three (3) months of the entry into force of Law 5160/2024, approve the cybersecurity risk-management measures taken by those entities to comply with the requirements of the Law, and shall oversee their implementation. Furthermore, members of the management bodies of said entities are required to follow special training and ensure that these entities provide similar training to their employees at least on an annual basis. Finally, these members may also be held personally liable for infringements by the entities of the above obligations.
- Appointment of an ICS Security Officer:
Entities within the scope of the Law shall appoint an Information and Communication Systems Security Officer (ICSSO) responsible for liaising with the NCSA and for ensuring compliance with the cybersecurity measures and the incident reporting obligations. It is important to note that the capacity and duties of this Officer are incompatible with the role and responsibilities of the Data Protection Officer under the EU General Data Protection Regulation 2016/679 (GDPR). In addition, the Officer must be granted an appropriate level of autonomy in decision-making and in the management of incidents, policies and procedures.
- Unified cybersecurity policy & asset record:
Law 5160/2024 obliges the entities concerned to adopt a unified cybersecurity policy, to be submitted to the NCSA for approval, and to keep a record of all their tangible and intangible information and communication assets, hierarchically structured according to criticality.
- Incident reporting:
The above entities are obliged to report significant incidents to the NCSA, as those are defined by the provisions of this Law, as soon as they become aware of said incidents and in any case without undue delay. This involves a multi-step reporting process as described below:
(a) an early warning shall be sent within 24 hours from the time the entity became aware of the incident;
(b) an incident notification shall be sent within 72 hours from the time the entity became aware of the incident;
(c) an intermediate report on relevant status updates shall be submitted upon request of the NCSA;
(d) a final report shall be submitted at the latest within one (1) month from the date the incident notification under (b) is sent.
Furthermore, obliged entities that have been affected by a cybersecurity threat shall, without undue delay, notify the recipients of their services who could be affected by that threat of the nature of the threat and of the potential corrective actions those recipients could take in response.
- Registration to the NCSA’s registry of entities:
Certain entities, including providers of cloud computing, data centers, online marketplaces, search engines etc., shall register with the competent registry of the NCSA by 17th January 2025.
Which are the supervision and enforcement mechanisms adopted by the new legislation?
Supervision and enforcement mechanisms provided for in the applicable legislation vary depending on the type of the infringing entity (essential or important).
In broad terms, the NCSA may carry out on-site inspections and off-site supervision, regular and targeted security audits and security scans, and may issue requests for information, requests for access to data, documents and information, and requests for evidence of the implementation of cybersecurity measures; essential entities may also be subject to ad-hoc audits.
In terms of enforcement measures, the NCSA may, among other things, issue warnings, recommendations, binding instructions and guidelines, and compliance orders, and may impose fines.
Indeed, infringements of the applicable legislation may lead to monetary penalties imposed on the liable entities. Specifically, essential entities may face administrative fines of up to ten million euros (10.000.000€) or of a maximum of at least 2% of the total worldwide annual turnover of the undertaking in the preceding financial year, whichever is higher. The respective fines for important entities are set at up to seven million euros (7.000.000€) or 1.4% of the total worldwide annual turnover, whichever is higher.
Moreover, under certain circumstances, the NCSA may prohibit temporarily any natural person discharging managerial responsibilities at chief executive officer or legal representative level in the essential entity from exercising managerial functions in that entity.
Final remarks
In light of the above, entities falling within the scope of Law 5160/2024 should promptly prepare to demonstrate compliance with the rigorous measures and procedures described above, in order to avoid heavy fines and the personal liability of their managing officers. There is no doubt that the new legislation adds a further “burden” of corporate compliance on companies meeting the requirements of Law 5160/2024, which are responsible for, and must be able to demonstrate, compliance with the current legislation.
Brief roadmap for compliance
27.11.2024: Entry into force of Greek Law 5160/2024

Are you in scope?
Companies meeting certain criteria and doing business in the following sectors should meet the obligations set out in Law 5160/2024 and take the required cybersecurity measures: energy, transport, banking, health, financial markets infrastructure, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers, research.

Self-evaluation and report to the NCSA until 27 January 2025
Entities shall carry out a self-evaluation as to whether they constitute essential or important entities based on the requirements analyzed above and shall self-register in the NCSA registry within two (2) months from the entry into force of Greek Law 5160/2024. The NCSA has published an email address ([[email protected]]) via which the entities may provide the information necessary for their registration, while the registration platform is still under construction. The NCSA will then cross-check the information submitted by the entities in order to issue the list of essential and important entities within a further two (2) months, i.e. until 27 March 2025.

Approval of the cybersecurity risk-management measures by the entities’ management until 27 February 2025
Within three (3) months from the entry into force of Greek Law 5160/2024, the management bodies of essential and important entities shall approve the cybersecurity risk-management measures taken by those entities in order to comply with the applicable legal requirements.

Therefore, if a company is considered an essential or important entity under Greek Law 5160/2024, it shall notify the necessary information to the NCSA within two (2) months and obtain the management’s approval of the cybersecurity risk-management measures taken within three (3) months.

Infringement of Greek Law 5160/2024 may lead to administrative fines: a. for essential entities, up to 10.000.000€ or of a maximum of at least 2% of the total worldwide annual turnover, whichever is higher; b. for important entities, up to 7.000.000€ or 1.4% of the total worldwide annual turnover, whichever is higher. Furthermore, the NCSA may temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level in an essential entity from exercising managerial functions in that entity.