If you’ve been feeling a bit of “compliance fatigue” lately, I have some news that might require a double espresso. Greece hasn’t just talked about cybersecurity; I can confirm the country has officially shifted gears into high-enforcement territory.
On 27 November 2024, Greece enacted Law No. 5160/2024, transposing the Network and Information Security Directive (NIS2). This isn’t just a minor update to the old NIS1-era rules; it is a total overhaul of how we protect the digital backbone of the Hellenic Republic.
I’ve analyzed the legislative landscape, and the message from the Ministry of Digital Governance is clear: the grace period for “figuring it out” is rapidly closing. Whether you are running a hospital in Athens or managing a logistics hub in Thessaloniki, this law likely touches your operations.
Because Greece chose a highly centralized model under the National Cyber Security Authority (NCSA), you now have a single, very powerful regulator watching your digital perimeter.
TL;DR: The Greek NIS2 Essentials
Greece is officially under the Law 5160/2024 regime, with NIS2 obligations now very real in practice. (And yes, DORA is still a thing, and it’s the reason many financial entities don’t sit under NIS2 for overlapping requirements. Different rulebook, same headache.)
You must register your entity on the national portal, appoint a dedicated security officer, and implement 22 specific security controls.
- Registration: The deadlines moved more than once. If you had “May 30, 2025” in your calendar, you were not mistaken, but the submission deadline was later extended to 30 September 2025.
- Enforcement: The NCSA doesn’t need to wait for some magical “enforcement quarter.” The law gives it the power to run audits and inspections (regular, ad hoc, targeted) when it wants, so treat “enforcement phase” as ongoing, not future tense.
- Fines: Non-compliance can cost you up to €10 million or 2% of global turnover (essential entities) and up to €7 million or 1.4% (important entities). And yes, management can be personally exposed.
I’ll break down the specifics below so you can move from “compliance-anxious” to “audit-ready” without losing your mind.
Timelines and Legislative Milestones
I know keeping track of “Government Gazette” updates is nobody’s idea of fun, but these dates are the bedrock of your legal defense. Greece moved surprisingly fast, going from draft stage in 2024 to a fully enacted framework by the end of that year.
| Date | Milestone | Significance |
|---|---|---|
| Nov 27, 2024 | Law 5160/2024 Published | The official birth of NIS2 Greece; replaces the old NIS1-era framework in practice. |
| Jan 23, 2025 (published Feb 2025) | JMD 1381/2025 | Set up the online registration platform and the mechanics for submission. |
| ≈ Late Feb 2025 | Management approval window | Boards had a “3-month” clock from entry into force to approve initial measures (i.e., this was meant to happen early). |
| Mar 28 & Apr 11, 2025 | Initial submission deadlines | Early deadlines for certain digital sectors vs. broader entity categories (before the extensions kicked in). |
| Apr 30, 2025 | Decision 1689/2025 | The “Big One”: defined the framework of 22 specific cybersecurity requirements. |
| May 30, 2025 | Deadline extension | A widely communicated extended deadline (but not the last one). |
| July 2025 | EU status updated to “Transposed” | The Commission’s page shows Greece as transposed (last update in early July 2025). |
| Sep 30, 2025 | Further extension (latest) | Submission deadline extended again to 30 September 2025. |
If you missed the deadline(s), I suggest addressing that immediately. The “wait and see” approach ended when the EU status started showing Greece as Transposed in July 2025, and Greece has had the platform and secondary rules in place for a while now.
Structure and National Specificities of the Law
One thing I noticed about the Greek approach is its refreshing lack of “red tape” regarding who is in charge. Unlike some neighbors who split duties between five different agencies, Greece puts the National Cyber Security Authority (NCSA) in the driver’s seat for everything.
They are your Single Point of Contact, your auditor, and a key hub for incident handling (with national CSIRT functions in the ecosystem, so incident reporting is not a “nice to have,” it’s a built-in expectation).
Essential vs. Important Entities
I’ll keep this simple: your classification determines how much the NCSA breathes down your neck.
- Essential Entities: Generally large companies in “high-criticality” sectors (energy, health, banking, etc.) and public administration. You get ex-ante supervision, meaning they can audit you whenever they feel like it.
- Important Entities: Other sectors like manufacturing, food, or postal services. You get ex-post supervision, which usually triggers if something goes wrong or a specific risk is identified.
The 22 Security Commandments
Under Decision 1689/2025, Greece specified exactly what you need to do. You won’t need a law degree for this, but you will need a good IT team. These 22 requirements cover the fundamentals and then some: risk management, incident handling, business continuity, supply chain security, secure development/maintenance, access control, MFA/secure comms… the whole “adult cybersecurity” starter pack.
The Greek-specific quirk: the Security Officer (Υ.Α.Σ.Π.Ε. / YASPE)
You must appoint a dedicated security officer, formally referred to as the Υ.Α.Σ.Π.Ε. (YASPE).
Two details people keep missing:
- It’s not optional, and it’s not just a “title.” This role is the NCSA-facing point of accountability.
- It is incompatible with the DPO role. In plain English: you can’t just slap this on your Data Protection Officer and call it a day.
Also worth noting: the detailed “qualifications/duties/incompatibilities” rulebook for the YASPE (and the related declaration mechanics) has an effective date of 1 November 2025, so if your internal plan was “we’ll worry about that later,” later already has a calendar date.
Real Implementation Roadmap
Since the law is already in force, your roadmap isn’t a “future plan”—it’s a checklist of things that should already be in motion. If you are starting today, here is the ground you need to cover to catch up.
- Platform Registration: Verify your status on nis2register.cyber.gov.gr. If you aren’t there, you’re not “waiting,” you’re late.
- Governance Setup: Formalize your YASPE role and get the Board of Directors to sign off on a unified cybersecurity policy.
- The 22 Controls: Audit your current tech and processes against Decision 1689/2025. This is where most teams realize their supply chain vetting is… let’s say “optimistic.”
- Reporting Drills: NIS2 reporting is a sprint, not a marathon. You have 24 hours for an early warning and 72 hours for a full notification, plus the follow-up reporting cadence. You should practice this like a fire drill.
The Cost of Staying Quiet: Fines and Penalties
I hate to be the bearer of bad news, but the Greek legislature didn’t hold back on the “dissuasive” part of the EU mandate. You can face major administrative fines—and the law explicitly pushes accountability upward.
Here’s what you can safely anchor to without getting cute with unverified sub-fine numbers:
| Violation Type | Maximum Fine / Penalty |
|---|---|
| Essential Entity (General) | Up to €10M or 2% of annual global turnover |
| Important Entity (General) | Up to €7M or 1.4% of annual global turnover |
| Management liability | Management can face personal consequences, including temporary prohibition from exercising executive functions (yes, that’s as serious as it sounds). |
So yeah, it turns “cyber risk” into “career risk” real fast.
Short Checklist: How to Prepare for the NCSA
I’ve condensed the entire Law 5160/2024 into a “cheat sheet” to help you survive an audit.
- Confirm Applicability: Are you medium-sized or larger? In a critical sector? If yes, you’re in scope.
- Register Now: If you haven’t used the NCSA portal, do it today.
- Appoint Your Liaison: Name your YASPE and ensure they have a direct line to the Board.
- Update Your Inventory: You need a list of every network and information system asset you own, categorized by how “critical” it is.
- Draft the “Big Policy”: Create a unified cybersecurity policy that covers everything from business continuity to how you handle passwords.
- Set the Stopwatch: Ensure your team knows the reporting sequence by heart.
- Audit Readiness: Keep your training logs and risk assessment records in a “break glass in case of audit” folder.
If this feels like a lot to manage manually, this is where a tool like Copla comes into play. I’ve seen how Copla can automate the visibility you need for audit readiness, helping you track these 22 requirements without needing a fleet of consultants. It essentially acts as a central nervous system for your compliance, ensuring you don’t miss those 24-hour reporting windows.
Make NIS2 Compliance a Calm, Continuous Operating System, Not a Last-Minute Audit Project
Copla is built for teams that need NIS2 compliance without burning out staff or blowing the budget. It combines an automation-first GRC platform with experienced CISO oversight. That gives you four clear advantages:
- Cuts compliance workload by up to 80%
- Automates key NIS2 tasks across controls, evidence, and registers
- Guides execution step by step with clear ownership and built-in prompts
- Gives you CISO-level leadership without hiring a full internal team
On top of that, teams typically save €60K+ per year versus adding in-house capacity for the same workload, while staying continuously audit-ready, not “ready when the audit starts.”
The only compliance management platform you’ll need
Copla brings together capabilities such as asset and risk registries, evidence mapping, audit verification, regulatory reporting, vulnerability management, awareness training, and incident tracking — all in one place.
Moving Toward Resilience
The NIS2 directive in Greece isn’t just another box to tick; it is a fundamental shift in how businesses are expected to act in the digital age. While the fines are scary, the ultimate goal is to make sure our essential services, from the energy grid to our hospitals, don’t go dark because of a preventable exploit.
I’ve broken down the “what” and the “when,” but the “how” depends on your internal culture. Start by getting your leadership on board; when the C-suite treats cyber risk as a business priority, the rest usually falls into place.