Fined Up to €10M: How Greece’s NCSA Issues Binding Orders, Runs Security Audits, and Disciplines Executives Under Law 5160/2024
When Greece published Law 5160/2024 on 27 November 2024, it handed the National Cybersecurity Authority (NCSA) an enforcement toolkit that is broader than most entities expect. The NCSA can now arrive unannounced for on-site inspections, issue binding orders with fixed compliance deadlines, suspend licences when those orders go unheeded, and temporarily prohibit executives from exercising managerial functions — without waiting for a formal investigation cycle to conclude.
One feature makes Greece’s model distinctive among EU member states: the NCSA is the sole competent authority for NIS2 supervision. Unlike Germany, which distributes enforcement across the BSI and twelve sector regulators, or France, where ANSSI shares jurisdiction with financial and communications authorities, every Greek essential and important entity answers to a single regulator. That concentration means faster enforcement decisions — and fewer routes to delay them.
This article maps the NCSA’s supervisory powers, the fine tiers under Article 26 of Law 5160/2024, the three-stage escalation path from audit to executive ban, and the appeal rights available when challenging an enforcement decision.
Greece’s Enforcement Architecture Under Law 5160/2024
Law 5160/2024 replaced the NIS1 framework (Law 4577/2018) and brought roughly 3,500 Greek organisations into scope. Scope depends on two tests: sector classification and size. Entities with 50 or more employees, or annual turnover above €10 million, that operate in a covered sector are in scope.
Sector classification determines the supervisory track. Annex I sectors — energy, transport, maritime port services, banking, healthcare, water, digital infrastructure, and space — produce essential entity status. Annex II sectors — manufacturing, postal services, food production, waste management, digital providers, and research — produce important entity status. The difference is not merely terminological: it determines whether the NCSA applies proactive or reactive supervision and affects the applicable fine ceiling.
Greece added three obligations beyond the EU baseline in Law 5160/2024:
- YASPE designation — every in-scope entity must appoint an Information and Communication Systems Security Officer (known by the Greek acronym YASPE). The role is legally incompatible with the Data Protection Officer role, requires operational autonomy, and carries a direct NCSA liaison function.
- Annual cybersecurity policy submission — unlike the EU baseline, Greek entities must submit their cybersecurity policy to the NCSA annually, not only on initial registration.
- Asset inventory — a comprehensive catalogue of tangible and intangible assets, ranked by criticality, must be maintained and available for NCSA inspection at any time.
Registration was required within two months of enactment (or of first meeting the threshold criteria), with Ministerial Decision No. 1990/2025 extending the general deadline to 30 September 2025. Registration is not a formality: it triggers active supervisory engagement under what the NCSA terms a “register-then-supervise” model.
NCSA Supervisory Powers: Audits, Spot Checks, and Binding Orders
Article 32 of the NIS2 Directive, implemented through Law 5160/2024, gives the NCSA a layered toolkit that operates differently depending on entity classification.
For essential entities — ex-ante (proactive) supervision
The NCSA applies ongoing oversight without requiring a triggering event. Under Article 32(2) of the NIS2 Directive, the authority may deploy on-site inspections and off-site supervision — including random checks by trained NCSA professionals — at any point. It may schedule regular security audits independently or through a commissioned independent auditor (costs paid by the entity). Ad hoc audits can be triggered by a significant incident, a known infringement, or information received via NCSA’s CSIRT-GR incident notification chain. Targeted security audits are scoped to specific risk areas identified through the NCSA’s own risk assessment. Security scans based on objective, non-discriminatory risk criteria are also available, as are information requests requiring access to documented cybersecurity policies, audit results, and underlying technical documentation.
Refusal to provide requested documentation is itself an infringement: obstruction of audits is explicitly listed in Article 32(7) as a factor that increases fine severity.
For important entities — ex-post (reactive) supervision
Under Article 33 of the NIS2 Directive, the NCSA does not schedule regular audits for important entities by default. Supervision is triggered by incident notification, a complaint, or evidence of non-compliance. Once triggered, the toolkit mirrors the essential entity approach: on-site inspections, targeted audits, security scans, and document access. The same binding instruction authority applies.
What to have ready for an NCSA engagement
The documents most likely to be requested in any supervisory engagement include: documented cybersecurity risk-management measures (Article 21 evidence), the YASPE appointment record and terms of reference, the annual cybersecurity policy submitted to the NCSA, the asset inventory, incident records and CSIRT-GR notification logs, and results of any internal or external security audits conducted in the prior 12 months.
Binding instructions — authorised under both Article 32(4)(b) and Article 33(4) — are formal orders specifying the deficiency, the required remedy, and a fixed compliance deadline. Failure to comply moves the entity to the enforcement escalation track. Before any enforcement measure is adopted, Article 32(8) of the NIS2 Directive requires the NCSA to give the entity advance notice of its preliminary findings and a reasonable period to submit observations. Except in urgent cases where immediate action is required to prevent or respond to an incident, the entity must have the opportunity to respond before any binding order or fine is formalised.
Fine Tiers and Penalty Structure Under Article 26 of Law 5160/2024
Article 26 of Law 5160/2024 implements the fine ceilings from Article 34 of the NIS2 Directive. The penalty structure is two-tiered by entity classification, with the ceiling determined by whichever figure is higher: the absolute euro amount or the turnover percentage.
| Entity type | Primary violations (Art. 21 / Art. 23) | Standard |
|---|---|---|
| Essential entity | Up to €10,000,000 or 2% of total worldwide annual turnover | Whichever is higher |
| Important entity | Up to €7,000,000 or 1.4% of total worldwide annual turnover | Whichever is higher |
| Public administration | Lower ceilings set by Greek law | State-level discretion |
Primary violations are breaches of the risk-management obligations under Article 21 of the NIS2 Directive (implemented in Article 15 of Law 5160/2024) or the incident reporting obligations under Article 23 (implemented in Article 16). Secondary violations — breaches of obligations outside these two articles — attract lower ceilings.
How the NCSA calibrates the actual fine
The ceilings are maximums, not defaults. Article 32(7) of the NIS2 Directive sets out the factors the NCSA must weigh when determining the actual fine amount:
| Factor | Direction of influence |
|---|---|
| Repeated violations; failure to report significant incidents; obstruction of audits; providing false information | Aggravating — these are “serious infringement” per se under Art. 32(7)(a) |
| Duration of the infringement | Aggravating if prolonged |
| Prior infringements | Aggravating |
| Deliberate rather than negligent conduct | Aggravating |
| Damage caused (financial, number of users affected) | Aggravating if significant |
| Self-disclosure and steps taken to limit harm | Mitigating |
| Full cooperation with NCSA investigation | Mitigating |
| Adherence to ISO 27001 or ENISA certification schemes | Mitigating |
An entity that self-discloses a gap, takes immediate corrective action, and cooperates fully with the NCSA faces a materially different outcome than one that obstructs an inspection or repeats the same infringement. No NIS2 fine decision in Greece has completed a full enforcement cycle as of mid-2026, so there is no national precedent calibrating where fines typically land within the ceiling range.
Management Liability: Personal Accountability Under Article 24
NIS2 pushes cybersecurity accountability to the board. Article 32(5)(b) of the NIS2 Directive, implemented through Article 24 of Law 5160/2024, enables the NCSA Director to impose a temporary prohibition on named individuals from exercising managerial functions.
This measure is personal. It applies to natural persons acting as CEO or in any role carrying the authority to represent the entity, make decisions on its behalf, or exercise control over it. The standard is intentionally broad: anyone whose position gives them de facto authority to ensure NIS2 compliance is in scope.
Two conditions must be met before the prohibition applies. First, enforcement measures under Article 32(4) — warnings, binding instructions, compliance orders — must have been issued and proved ineffective. The managerial ban is a Stage 3 escalation tool, not a first response. Second, the entity must have been given a remediation deadline and failed to meet it.
Management bodies also carry affirmative obligations under Law 5160/2024. They must formally approve the entity’s cybersecurity risk-management measures, oversee their implementation, and complete dedicated cybersecurity training. The same training obligation extends to employees with security-relevant functions. Failure to fulfil these governance duties is itself an infringement that triggers enforcement independently of any underlying technical security gap.
Law 5160/2024 does not provide criminal sanctions for NIS2 non-compliance — personal liability is administrative. However, a temporary management ban imposed against a named individual, potentially combined with a public disclosure order under Article 32(4)(h), carries reputational consequences that a monetary fine alone does not.
The Three-Stage Enforcement Escalation Path
The NCSA’s enforcement model follows a defined sequence. Understanding the escalation path helps entities anticipate their position in any supervisory engagement.
Stage 1 — Supervisory engagement
Regular or triggered supervision: on-site visits, document requests, security audits. No penalty at this stage; the purpose is assessment and verification. The entity receives preliminary findings and can submit observations under Article 32(8) before any formal action is taken.
Stage 2 — Enforcement instructions
Where a deficiency is confirmed, the NCSA issues a warning and then a binding instruction specifying the required remedy and compliance timeline. Additional tools available at this stage include compliance orders, monitoring officer appointments, requirements to disclose the infringement publicly, and administrative fines under Article 26. Fines supplement — they do not replace — binding instructions.
Stage 3 — Coercive escalation
If Stage 2 measures prove ineffective after the compliance deadline expires, Article 32(5) of the NIS2 Directive activates two additional powers: temporary suspension of the entity’s relevant certification or authorisation, and temporary prohibition of named executives from exercising managerial functions. Both measures are lifted as soon as the entity complies with the relevant requirement. Both are subject to the procedural safeguards in Article 32(5): the right to an effective remedy, the right to a fair trial, the presumption of innocence, and the rights of the defence.
The €10M / 2% ceiling is a maximum — not a presumptive outcome. No NIS2 case in Greece has yet established where the NCSA calibrates fines within the ceiling range.
Maritime and Energy Sectors: Heightened Enforcement Exposure
Greece’s sectoral profile makes NIS2 enforcement particularly consequential in two areas.
Maritime
Greek-owned or Greek-flagged vessels represent roughly 20% of the global merchant fleet. Port infrastructure operators — port authorities, terminal operators, and vessel traffic services — are classified as essential entities under NIS2 Annex I, meaning proactive ex-ante supervision by the NCSA: regular audits can be scheduled without any triggering incident. Maritime logistics systems are deeply interconnected with cargo management software, customs IT, and critical national infrastructure databases. A cybersecurity event that cascades across this chain qualifies as a “significant incident” under Article 23, triggering the mandatory 24-hour early warning and 72-hour detailed notification to NCSA’s CSIRT-GR under the incident reporting chain.
Energy
Greece sits at the intersection of Eastern Mediterranean LNG routing and Balkan energy transit networks. Electricity transmission and distribution operators, gas pipelines, and LNG terminal operators are all Annex I essential entities subject to proactive NCSA oversight. Energy entities commonly operate OT (operational technology) environments — SCADA systems, industrial control networks — that fall within Article 21’s risk-management scope but lack the centralised endpoint visibility typical of IT environments. NCSA audits targeting critical infrastructure are calibrated to identify OT documentation gaps. For energy operators, the asset inventory and network segmentation documentation required by Law 5160/2024 are audit-priority items.
Appeals and Procedural Rights
Entities facing NCSA enforcement have three layers of protection before a decision becomes unchallengeable.
Layer 1: Preliminary findings notice (Article 32(8))
Before any enforcement measure is adopted, the NCSA must communicate its preliminary findings and allow a reasonable period for the entity to submit observations. This is the primary administrative right of reply. It should be used to submit documented technical evidence — audit results, policy records, incident logs — that directly addresses each finding. The window is typically more effective than a later judicial challenge because it operates before the decision is formalised, when the NCSA can still modify or withdraw its preliminary position.
Layer 2: Procedural safeguards for Stage 3 measures (Article 32(5))
Where the NCSA applies certification suspension or executive prohibition, the NIS2 Directive explicitly requires that “appropriate procedural safeguards in accordance with the general principles of Union law and the Charter” apply, “including the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of the defence.” These measures are also temporary and are lifted on compliance.
Layer 3: Judicial review
NCSA enforcement decisions are administrative acts subject to judicial review under Greek administrative law. Entities may challenge fines and enforcement orders through the Greek administrative court system. Matters of law ultimately fall within the jurisdiction of the Council of State (Συμβούλιο της Επικρατείας), Greece’s supreme administrative court. A stay of execution — suspension of the contested measure pending judgment — can be sought alongside the substantive challenge. No NIS2 enforcement case in Greece has been litigated to judgment as of mid-2026.
The practical implication: the most effective challenge to an NCSA enforcement decision happens at Layer 1, during the preliminary findings stage, not after a fine has been formally imposed.
Frequently Asked Questions
Is the NCSA really the only NIS2 regulator in Greece?
For Law 5160/2024 supervision, yes. Greece consolidated NIS2 enforcement into the NCSA as the sole national competent authority — it also serves as CSIRT-GR, cyber crisis management authority, and national certification body. The Hellenic Data Protection Authority (HDPA) retains GDPR jurisdiction, but NIS2 supervisory authority sits exclusively with the NCSA.
Can a fine be imposed without a prior warning?
Under the standard enforcement track, the NCSA must issue a preliminary findings notice and allow the entity to respond before imposing a fine. In cases involving the serious infringement factors listed in Article 32(7) — obstruction of audits, repeated violations, failure to report significant incidents — those factors increase the fine amount but do not eliminate the procedural notice requirement.
Does the €10M ceiling apply to every violation?
No. The €10M / 2% ceiling applies to primary violations: failure to implement Article 21 risk-management measures or failure to meet Article 23 incident reporting obligations. Other infringements attract lower ceilings. The NCSA must also weigh the Article 32(7) calibration factors before setting the actual fine within the applicable ceiling.
When do Greek municipalities fall under Law 5160/2024?
First-tier local government bodies have a deferred implementation date of 27 November 2026. After that date they become subject to Law 5160/2024 obligations, though public administration entities may attract lower penalty ceilings than private-sector equivalents under Greek law.
Key Takeaways
Three features define Greece’s NIS2 enforcement landscape under Law 5160/2024.
First, the NCSA’s consolidated authority eliminates the jurisdictional ambiguity that affects entities in multi-authority member states. One regulator, one supervisory track, one penalty ceiling per entity type.
Second, the escalation path from supervisory engagement to executive prohibition is legally defined but not automatic. An entity that engages constructively at Stage 1 and Stage 2 — producing documented compliance evidence at each step — has materially lower exposure than one that waits for a formal enforcement order before responding.
Third, the Article 32(7) factor table — cooperation, self-disclosure, prior infringements, adherence to certification schemes — is the most actionable intelligence available while Greek NIS2 enforcement precedent develops. How the NCSA applies these factors in its first enforcement decisions will calibrate expectations across all in-scope sectors.
For entities classified as essential under Annex I — particularly those in maritime, energy, and digital infrastructure — ex-ante supervision means the NCSA does not need a triggering incident to schedule an audit. Documenting your Article 21 compliance posture before an unannounced inspection is the most cost-effective risk-management step available.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- Greece enters the NIS2 era — Bernitsas Law
- Law 5160/2024: Transposition of Directive NIS 2 — EY Greece
- Cybersecurity Laws and Regulations 2026, Greece — ICLG
- NIS2 Greece Guide: Compliance, Deadlines & Fines — Copla
- NIS2 Transposition in Greece — Advisera
- Cybersecurity 2026, Greece — Chambers and Partners
- Article 32, NIS2 Directive (EU) 2022/2555
- Article 33, NIS2 Directive (EU) 2022/2555
- Article 34, NIS2 Directive (EU) 2022/2555
