NIS 2 Status Griechenland

NIS 2 Status in Greece

What the directive requires, how Greece transposes it, and where the National Cybersecurity Authority sits in the picture.

Simon OrzelSimon Orzel·

Overview

The NIS 2 Directive is the EU layer. It binds every Member State, Greece included, with a single minimum level for essential and important entities. Greece had to translate that level into Greek law and operate a supervisor underneath.

Greece transposes NIS 2 through Law 5160/2024, published in Government Gazette A' 195 on 27 November 2024. The text arrived after the EU deadline of 17 October 2024, which is why Greece appears on the European Commission's November 2024 letter of formal notice list. The infringement procedure was closed after the law entered into force.

The National Cybersecurity Authority (Εθνική Αρχή Κυβερνοασφάλειας), under the Ministry of Digital Governance, is the single point of contact and the competent authority. The Hellenic CSIRT is the national incident response team referenced on the European Commission's NIS 2 country page.

Where the rules live
Three layers anyone reading the Greek NIS 2 picture has to keep apart.

EU directive

Directive (EU) 2022/2555 (NIS 2)

The EU-wide cybersecurity directive. It sets the obligations every Member State must transpose, including the size and sector test for essential and important entities.

EU implementing act

Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Greece without national transposition.

Greek transposition

Law 5160/2024, Government Gazette A' 195 of 27 November 2024

Greece's NIS 2 transposition. It designates the National Cybersecurity Authority, defines essential and important entities, sets supervisory powers, reporting duties and sanctions. Secondary acts and authority guidance fill in operational detail.

Three points to know
What changes for entities with activity in Greece.
Transposition

Law 5160/2024

Brings NIS 2 obligations into Greek law. Defines essential and important entities, the supervisory powers of the National Cybersecurity Authority, incident reporting duties and sanctions. Operational detail is set by secondary acts and authority guidance.

Supervisor

National Cybersecurity Authority as supervisor and contact point

The Εθνική Αρχή Κυβερνοασφάλειας, sitting under the Ministry of Digital Governance, is the single point of contact, the national competent authority and the addressee for cooperation with ENISA and other Member States. Sector regulators keep their role where lex specialis applies, in particular in finance under DORA.

Timing

Registration and reporting

The directive requires entities to be identifiable to the Member State, with the EU-level reference date of 17 April 2025. In Greece the registration channel runs through the National Cybersecurity Authority. Significant incidents follow the directive: early warning within 24 hours, notification within 72 hours, final report within one month.

Two principles that settle every edge case
Read before any Greek commentary on NIS 2.

In Greece, Greek law applies

Activities on Greek territory follow the Greek transposition. A German managing director with a Greek subsidiary reads Law 5160/2024 for that subsidiary, not the BSIG. The directive obligations are identical. The procedure, the contact point and the sanctions sit in Greek law.

Greece cannot fall below the EU floor

The directive is minimum harmonisation. Greece may go stricter. Greece may not fall below the directive, neither on obligations for essential and important entities, nor on reporting deadlines, nor on management body accountability.

Who does what in Greece
Three institutions that show up in almost every NIS 2 question.
GR

National Cybersecurity Authority

Lead competent authority, single point of contact and supervisor under the Ministry of Digital Governance. Handles registration, guidance, audits and sanction proposals. Carries the cooperation channel into ENISA and the NIS Cooperation Group.

GR

Hellenic CSIRT

The national incident response team referenced on the European Commission's NIS 2 Greece page. Receives technical incident notifications under the directive's reporting timeline. Operational placement is documented on the official Greek cybersecurity portal rather than restated here.

EU

ENISA

The EU cybersecurity agency. Publishes guidance, runs the European vulnerability database and coordinates across borders. No supervisor for Greek entities. That role sits with the National Cybersecurity Authority.

Pitfalls
Mistakes we see when entities with Greek activity read NIS 2 for the first time.

  • Our German parent is compliant under BSIG, so the Greek subsidiary is covered.

    The Greek subsidiary follows Law 5160/2024, registers with the Greek authority and reports incidents to the Greek contact point. The directive obligations match. The procedure, portal and sanctions sit in Greek law. Group-level documentation helps but does not replace the local registration and reporting channel.

  • Greece was late, so registration does not apply yet.

    Law 5160/2024 entered into force on 27 November 2024. The transposition delay does not suspend the directive's substantive obligations. Once an entity meets the size and sector test, registration, incident reporting, supply chain duties and management body accountability run on the directive's clock.

  • Only the sectors listed in the old NIS 1 regime are in scope.

    NIS 2 widens the sector list beyond NIS 1. Wastewater, food production, manufacturing of medical devices, postal and courier services, public administration and several digital sub-sectors come in fresh. Each entity in Greece has to run the new sector and size test, not the NIS 1 list.

From practice

Most Greek mid-market operators we meet still read NIS 2 as a continuation of NIS 1. The supervisor sits in the same ministry, but the scope is wider and the management body sits on the hook personally. The Greek managing director, the διαχειριστής or νόμιμος εκπρόσωπος, signs off on risk management and on their own training.

The practical step is the same as everywhere in the EU: run applicability against the directive, register with the national authority, set up the four ongoing duties (keep registration data current, incident reporting, supply chain risk, management body oversight) and document the minimum. The late transposition does not change that ordering.

What the platform delivers

We build the NIS 2 obligation register on the EU layer, not on a single national transposition. The same checklist fits a Greek subsidiary under Law 5160/2024, a German parent under BSIG and a French sister under Ordonnance n° 2024-1093. The article references change per country, the obligations in substance do not.

For the Greek scope, start with the applicability check, then the reporting cadence, supply chain clauses and management body sign-off. Where the National Cybersecurity Authority publishes sector guidance, we link it. We do not copy it.

Sources
  • Directive (EU) 2022/2555 (NIS 2), EUR-Lex
  • Implementing Regulation (EU) 2024/2690, EUR-Lex
  • Law 5160/2024, Government Gazette A' 195 of 27 November 2024
  • National Cybersecurity Authority (Εθνική Αρχή Κυβερνοασφάλειας), Ministry of Digital Governance
  • European Commission, NIS 2 Directive country page for Greece (digital-strategy.ec.europa.eu)
  • European Commission, November 2024 letter of formal notice on NIS 2 transposition
Clarify the Greek scope in under five minutes
The applicability check applies the directive's size and sector test. If the Greek subsidiary is in scope, the next step is registration with the National Cybersecurity Authority.
Start applicability check