On November 28, 2024, Hellenic Law 5160/2024 was published, transposing Directive (EU) 2022/2555, widely known as NIS 2.
1. What Does It Envision?
- Establishing measures for risk management, incident reporting obligations, and information sharing for cybersecurity.
- Ensuring effective supervision and enforcement of compliance with stringent penalties for non-compliance.
2. Who Does It Apply To?
Public and private entities operating in Greece, subject to specific conditions, based on:
- Size: Entities classified as medium-sized enterprises (employing fewer than 250 people and with an annual turnover not exceeding EUR 50 million or an annual balance sheet total not exceeding EUR 43 million) or entities exceeding these thresholds fall within the scope.
- Type of Activity: Entities offering services or conducting activities in specific critical and highly critical sectors.
- Importance of Activity: Entities whose services are critical to societal and economic functioning.
Entities are subject to the law if:
- They are established in, or provide services within, Greek territory.
- They operate in one of the sectors listed below.
High-Criticality Sectors:
Energy:
- Management and distribution of electricity.
- Production and distribution of natural gas.
- Management of oil and petrochemical infrastructure.
Transport:
- Airlines and airports.
- Maritime transport (ports and shipping companies).
- Rail and road transport.
- Logistics companies operating cross-border.
Banking Sector:
- Providers of banking and financial services.
- Financial market infrastructures.
Health:
- Hospitals, clinics, and healthcare units.
- Laboratories and research centers in the health sector.
Water:
- Water supply and distribution entities.
Wastewater:
- Entities involved in the collection, treatment, or disposal of urban, domestic, or industrial wastewater.
Digital Infrastructure:
- Cloud computing service providers.
- Data centers.
- Providers of electronic communications services.
- ICT service management entities.
Public Administration:
- Public entities (public law and private law entities).
- Public enterprises.
- Local government organizations (municipalities and regional authorities).
- Independent administrative authorities with legal personality.
- Central government entities.
Space:
- Operators of terrestrial infrastructure, privately owned and managed, supporting space services.
Other Critical Sectors:
- Postal and Courier Services.
- Waste Management.
- Chemical Manufacturing, Production, and Distribution.
- Food Production, Processing, and Distribution.
- Manufacturing:
  - Medical technologies.
  - Computers, components, motorized equipment, transport machinery.
Digital Providers:
- Online marketplaces.
- Search engines.
- Social media platforms.
3. Who Is Excluded?
- Entities involved in national security, defense, or public order.
- Financial sector entities regulated under Regulation (EU) 2022/2554 (DORA).
4. What Are the Obligations?
Entities must adopt proportional technical, organizational, and operational measures to manage risks, considering all potential hazards (“all-hazards approach”). These measures include:
- Risk Analysis Policies and System Security:
  - Assess risks threatening networks and information systems.
  - Develop strategies for risk management and mitigation.
- Incident Management:
  - Implement procedures for detecting, responding to, and recovering from cybersecurity incidents.
- Business Continuity:
  - Prepare operational continuity plans to minimize disruptions.
- Supply Chain Security:
  - Ensure security across suppliers and partners impacting critical functions.
- Encryption and Multi-Factor Authentication:
  - Use encryption for data protection.
  - Implement multi-factor authentication for system access.
- Asset Management:
  - Maintain an inventory of communication and IT resources.
- Employee Training:
  - Regular training on cybersecurity best practices to foster a security-aware culture.
Special Obligations
- Appointment of a CISO:
  - Entities must appoint a Communication and Information Systems Security Officer (CISO) to oversee the implementation of cybersecurity measures.
- Cybersecurity Policy:
  - Develop a unified cybersecurity policy approved by the National Cybersecurity Authority.
- Registration with the Authority:
  - Certain entities (e.g., cloud providers, DNS registries) must register with the National Cybersecurity Authority by January 17, 2025.
- Incident Reporting:
  - Report significant cybersecurity incidents to the CSIRT of the National Cybersecurity Authority.
  - Notify affected customers of service disruptions.
- Management Obligations:
  - Approve cybersecurity measures.
  - Supervise their implementation.
  - Undergo training and ensure employee training.
5. Penalties
- Administrative fines up to EUR 10,000,000, or up to 2% of the entity’s annual global turnover, depending on the severity of the violation.
- Personal liability for management:
  - Senior executives may face penalties, including temporary bans on performing managerial duties.
6. Interaction with Other Regulations
- GDPR (Regulation (EU) 2016/679): Alignment on data protection and incident handling.
- CER Directive: Ensures resilience of critical entities.
- DORA: Digital operational resilience in the financial sector.
Why Compliance Matters
Compliance with Law 5160/2024 is a pivotal step for ensuring cybersecurity, protecting critical infrastructure, and avoiding severe penalties. SGKLegal specializes in data protection and cybersecurity, offering tailored solutions to guide your organization through the compliance process.
Our services include:
- Legal analysis and compliance guidance.
- Risk assessment and strategy development.
- Policy drafting and incident management planning.
- Collaboration with IT experts for technical alignment.
- Management training and support.
- Assistance with registration and reporting obligations.
- Representation during audits or inspections.
Contact us to ensure your organization’s seamless adaptation to the new regulatory framework and to safeguard against cybersecurity risks!