NIS2 Country Guide

NIS2 Greece: Law 5160/2024 on Cybersecurity

Learn how Greece has transposed the NIS2 Directive through Law 5160/2024, what it means for essential and important entities, the central role of the National Cyber Security Authority (NCSA), and which steps you should take to comply with the new cybersecurity obligations.

Greece NIS2 law in force: 2024
Competent authority: NCSA

Introduction: NIS2 Directive & the Greek context

Greece had already implemented the original NIS Directive through Law 4577/2018, establishing a first generation of cybersecurity rules for operators of essential services and digital service providers.

With the adoption of Law 5160/2024, Greece has moved to a NIS2-aligned model, expanding the number of entities in scope, strengthening risk-management and incident-reporting duties, and giving a central role to the National Cyber Security Authority (NCSA) in supervision and enforcement.

NIS2 implementation in Greece

Greece has fully transposed NIS2 through Law 5160/2024, which incorporates Directive (EU) 2022/2555 into the national legal framework and replaces the earlier NIS-based regime.

The law was published in the Government Gazette at the end of November 2024 and entered into force shortly thereafter, creating a modernised cybersecurity framework for essential and important entities.

In 2025, Greece complemented Law 5160/2024 with secondary legislation, including ministerial decisions on entity registration and detailed cybersecurity requirements, and introduced staggered registration periods for different categories of entities.

Status

NIS2 is fully implemented in Greece. Law 5160/2024 is in force and secondary legislation on registration and security measures has been adopted.

Legal structure

Law 5160/2024 is the core NIS2 law and is supported by ministerial decrees that define registration obligations, security controls, incident-reporting procedures and supervisory mechanisms.

Supervisory approach

The National Cyber Security Authority (NCSA) oversees compliance, runs the national CSIRT, and works with sectoral regulators to supervise thousands of entities brought into scope by the new law.

NIS2 Greece: what you need to know about compliance

Greece follows the NIS2 model of essential and important entities and significantly expands the list of organisations subject to cybersecurity obligations, including both public and private sector operators.

Who is in scope?

  • Entities in NIS2 Annex I sectors (energy, transport, health, drinking water, digital infrastructure, public administration, etc.).
  • Entities in NIS2 Annex II sectors (postal and courier services, waste management, food, manufacturing of critical products, research, etc.).
  • Medium-sized and large organisations that meet NIS2 thresholds for staff and turnover.
  • Certain providers regardless of size (e.g. DNS, TLD registries, trust services, major cloud and data-centre operators).

Core obligations

  • Implement NIS2-aligned cybersecurity risk-management measures and policies.
  • Maintain asset inventories, network diagrams and documented security procedures.
  • Detect, manage and report significant incidents within strict deadlines (early warning, incident notification, final report).
  • Manage supply-chain risks and include security and notification clauses in contracts with key providers.
  • Ensure management bodies approve cybersecurity policies and receive regular training.

Registration & reporting

In-scope entities must register with the NCSA during designated registration windows and provide information on their services, critical systems and NIS2 contacts. Once registered, they must comply with ongoing reporting and supervision requirements.

Practical note: Greece’s NIS2 implementation brought a large number of additional organisations into scope. Many entities that were not regulated under the previous law now have clear obligations to assess their status, register and upgrade their cybersecurity posture.

Competent authorities & CSIRTs

Greece operates a centralised model where the National Cyber Security Authority coordinates supervision, incident handling and EU-level cooperation under NIS2.

| Role | Authority | Notes |
|------|-----------|-------|
| National competent authority & Single Point of Contact | National Cyber Security Authority (NCSA) | Responsible for monitoring and supervising implementation of NIS2, acting as single point of contact and national cyber crisis management authority. |
| National CSIRT | CSIRT-GR (operated under the NCSA) | Receives incident notifications, provides technical guidance and coordinates response at national level. |
| Sectoral regulators | Various authorities (e.g. energy, telecom, finance) | Support or share supervisory tasks with the NCSA in specific sectors, especially where EU sectoral rules interact with NIS2. |

NIS2 timeline & key dates (Greece)

August 2024 — Draft NIS2 transposition law published for public consultation.
27 November 2024 — Law 5160/2024 published in the Government Gazette, formally transposing NIS2 into Greek law.
Late 2024 — Law 5160/2024 enters into force, replacing the previous NIS regime.
Early 2025 — Ministerial decisions set out detailed cybersecurity requirements and establish the national registration platform.
30 September 2025 — Deadline for submission of entity information to the national NIS2 register.
2025–2026 — Registration, supervision and initial compliance checks carried out by the National Cyber Security Authority (NCSA).

Sector-specific notes for Greece

  • Energy: electricity and gas operators, as well as key energy infrastructure, are treated as essential entities.
  • Transport: air, maritime and port services are especially important given Greece’s role in regional and international shipping.
  • Tourism & services: while not a separate NIS2 sector, many tourism-related operators rely on digital infrastructure that can fall under NIS2 categories (e.g. data centres, cloud, payment services).
  • Public administration: central ministries and key public bodies are included to strengthen the resilience of digital public services.
  • Digital infrastructure: cloud providers, data centres, telecom networks and trust-service providers are a major focus of the Greek law.

Penalties for non-compliance

Law 5160/2024 introduces significant administrative fines and enforcement powers, in line with NIS2 ceilings, and gives the NCSA a central role in supervising and sanctioning non-compliant entities.

  • Turnover-based fines for serious breaches of cybersecurity and reporting obligations.
  • Corrective orders and mandatory remediation measures imposed by the NCSA.
  • Increased supervision and follow-up in case of repeated or systemic deficiencies.
  • Potential management accountability where governance failures or negligence are identified.

How to prepare for NIS2 in Greece

  1. Determine if you are in scope: map your services and size against NIS2 Annex I & II and Law 5160/2024.
  2. Confirm registration obligations: check if you must register with the NCSA and by which deadline.
  3. Perform a NIS2 gap assessment: compare current cybersecurity measures with the requirements of Law 5160/2024 and related decrees.
  4. Strengthen incident readiness: establish monitoring, escalation and reporting procedures aligned with NIS2 timelines.
  5. Review supply-chain risk: update contracts with critical suppliers to include cybersecurity and incident-notification clauses.
  6. Align with recognised frameworks: use ISO/IEC 27001 or similar to structure governance, risk management and documentation.
  7. Train leadership and staff: ensure management and key teams understand their roles under the new Greek NIS2 regime.

FAQ: NIS2 in Greece

Has Greece fully transposed NIS2?
Yes. Greece has fully transposed the NIS2 Directive through Law 5160/2024, complemented by secondary legislation on registration and cybersecurity requirements.

Who is the NIS2 competent authority in Greece?
The National Cyber Security Authority (NCSA) is the main NIS2 competent authority, single point of contact, national CSIRT operator and cyber crisis management authority.

Do we need to register with the NCSA?
Entities that qualify as essential or important under Law 5160/2024 are required to register with the NCSA within the applicable registration windows and keep their data up to date.

Is ISO 27001 certification mandatory?
ISO/IEC 27001 is not mandatory by law, but alignment with recognised standards is strongly recommended to structure and demonstrate NIS2 compliance.

Information provided for general guidance; always consult the official Greek legislation, NCSA publications and legal counsel for definitive NIS2 compliance requirements.