When Greece passed Law 5160/2024 last November, it didn’t just tweak its cyber rules—it launched a sweeping reset. The law, now at the center of the country’s digital security strategy, formally transposes the Network and Information Security Directive 2 (NIS2), officially Directive (EU) 2022/2555, into national legislation. The scale of this overhaul is hard to overstate. With the number of in-scope organizations jumping from around 1,000 under the original NIS directive to nearly 10,000, the transformation is deep and wide.
Without further ado, let me take you through what NIS2 implementation in Greece really looks like: what’s already in place, what deadlines are looming, which industries are most affected, and—crucially—what steps organizations should be taking now.
Key developments shaping NIS2 Greece transposition
Greece’s approach to NIS2 is codified in Law 5160/2024, published on 27 November 2024 and effective from 17 December. The law not only repeals its predecessor (Law 4577/2018) but introduces a far more granular framework. Two tiers of regulated entities, essential entities (EE) and important entities (EI), are defined based on size and sectoral impact.
From critical infrastructure and digital services to sectors like food production and construction, the scope has broadened dramatically. Crucially, Greece also implemented a fast-paced legislative timeline that other EU countries could learn from.
Key milestones in Greece NIS2 implementation
| Date | Milestone |
|---|---|
| 23 Aug 2024 | Draft law published for consultation on OpenGov |
| 13 Nov 2024 | Law tabled in the Hellenic Parliament |
| 27 Nov 2024 | Law 5160/2024 published in the Government Gazette |
| 17 Dec 2024 | Law officially entered into force |
| 14 Feb 2025 | Ministerial decision established registration process and extended deadlines |
| 31 May 2025 | First data submissions due to the National Cybersecurity Authority (NCSA) |
| Q4 2025 | First wave of supervisory audits scheduled |
This structured rollout gives both regulators and affected entities a window to prepare, but the deadlines are firm and the audit regime is imminent.
How Greece is implementing the NIS2 directive
Central to Greece’s enforcement of the directive is the National Cybersecurity Authority (NCSA), operating under the Ministry of Digital Governance. It retains operational control of CSIRT-GR, the national computer emergency response team, and is backed by sectoral regulators such as the Hellenic Competition Commission and the Regulatory Authority for Energy.
The structure of Law 5160/2024 reflects the layered approach of the EU’s directive, but aligns closely with local realities. Chapters cover risk management obligations (aligned with ISO/IEC 27001), structured incident reporting, supervisory authority powers, and sanctions.
Legal structure of Greece’s NIS2 law (Law 5160/2024)
| Law section | Focus area |
|---|---|
| Chapters A–B | Definitions and expanded sectoral scope |
| Chapter Γ | Risk management based on ISO 27001 and national cybersecurity guidelines |
| Chapter Δ | Incident reporting: 24 h alert → 72 h update → 30-day final report |
| Chapter Ε | Supervision and enforcement by NCSA and sector-specific regulators |
| Chapter ΣΤ | Sanctions and executive liability, including director disqualification |
| Transitional | Migration from previous law and compliance grace periods |
These legal mechanics enable regulators to fine-tune responses to specific sectoral needs while standardizing baseline expectations.
Sanctions and executive accountability
Non-compliance with the Greece NIS2 directive carries real financial and reputational risk. Penalties range from €500,000 to €10 million depending on the severity and classification of the entity. More importantly, organizations face progressive enforcement—starting with warnings and escalating to fines, or even licence suspensions for essential entities.
Board-level accountability is no longer theoretical. Directors are now legally required to approve cybersecurity programs. Repeated failure to comply can lead to personal sanctions under Company Law 4548/2018, including disqualification for up to three years.
Public bodies, while exempt from monetary fines, are subject to binding corrective actions and direct oversight by Parliament.
Impact on strategic sectors
The expansion of scope under Greece’s NIS2 implementation significantly reshapes obligations for several industries. For some, like cloud providers and DNS services, inclusion is unconditional. For others, such as food processing or regional government entities, the thresholds now include operations that would previously have flown under the radar.
Sector-specific obligations under NIS2 in Greece
| Sector | Impact vs. 2018 Law | Key new requirements |
|---|---|---|
| Manufacturing | Newly in-scope (EI/EE based on size) | Annual pen-tests, supply chain contracts, board-level reporting |
| Energy & Utilities | Expanded to include LNG, hydrogen, etc. | Software bill of materials, continuous monitoring, dual reporting |
| Healthcare | Coverage expands from ~70 to >250 providers | ISO 27001 governance, backup drills, HDIKA+NCSA dual reporting |
| Finance | Subject to both NIS2 and DORA | Threat-led penetration testing (TLPT), dual ICT oversight |
| Public sector | All central/local gov. >50k population | Appoint CISO, follow NCSA baseline, report within 24 h |
For a deep dive into each sector’s evolving obligations, Lawspot’s breakdown offers a strong legal reference.
Practical guidance for organizations in Greece
By now, it’s clear that organizations can’t afford to wait. The first practical step is identifying whether your entity qualifies as an EE or EI using the upcoming NCSA assessment tool. This status will dictate the level of compliance needed.
Once confirmed, organizations should:
- File core registration data with NCSA by 31 May 2025 (currently via email).
- Conduct a gap analysis against Article 21 obligations—covering everything from multi-factor authentication (MFA) to supply chain controls.
- Prepare an incident response protocol in line with the directive’s 24 h and 72 h notification requirements—ensuring alignment with GDPR obligations.
- Secure board approval of the cyber-program and document it thoroughly to mitigate future liability.
Organizations that invest in early compliance will not only avoid sanctions but may also gain competitive advantage by demonstrating digital resilience.
What comes next?
With audits due to begin in the last quarter of 2025, the window for unprepared organizations is closing fast. For companies in Greece, NIS2 compliance isn’t just about avoiding fines—it’s about embracing a future where operational resilience is foundational to business integrity. As Greece continues to scale its cybersecurity maturity, those who align early with the national agenda stand to benefit the most.
From legislative momentum to sector-specific mandates, the Greece NIS2 implementation journey is a bellwether for how other EU countries might proceed. The question now is: will your organization be ready when the auditors come calling?