
NIS2 in Greece: NCSA Requirements, Greek Transposition Law, and What Your Organisation Must Do Now

Greece took a different path from most of its EU neighbours when implementing NIS2. While countries like Germany, France, and the Netherlands distributed supervisory responsibilities across multiple sector-specific agencies, Greece created a single authority — the National Cybersecurity Authority (NCSA) — and assigned it the combined roles of competent authority, national CSIRT, and cyber crisis management body. That consolidation makes Greece’s NIS2 architecture simpler on paper, but it means every covered organisation reports to the same regulator, which is already running proactive audits.

Enacted on 27 November 2024, Law 5160/2024 is Greece’s full transposition of Directive (EU) 2022/2555. It replaces the country’s previous NIS framework, expands the scope of regulated entities to an estimated 3,500 organisations, and introduces three requirements that go beyond the EU Directive’s baseline. The entity registration deadline is 30 September 2025. If your organisation operates in Greece across energy, transport, maritime, digital infrastructure, or more than a dozen other sectors, this guide covers what the law requires, who the regulator is, and how to register.

Law 5160/2024: What Greece’s NIS2 Transposition Changed

Law 5160/2024 is a comprehensive overhaul, not an amendment. It replaces Law 4577/2018 — Greece’s NIS1 framework — and rebuilds the national cybersecurity architecture around the expanded scope and stronger enforcement model of the EU Directive. The law was published on 27 November 2024, just over five weeks after the EU’s 17 October 2024 transposition deadline, completing a full legislative reform rather than a minimal compliance update.

The law adopts the EU NIS2 structure of two entity categories tied to sector and size criteria. Annex I high-criticality sectors — energy, transport (including maritime), banking, health, digital infrastructure, public administration, and space — face mandatory ex-ante supervision with proactive NCSA audits. Annex II critical sectors — manufacturing, postal services, food, digital providers, research — operate under ex-post supervision triggered by incidents or risk signals. This supervision intensity difference is not marginal: essential entities should assume they are being monitored continuously, while important entities face scrutiny after a reportable event.

The expansion from NIS1 is significant. Organisations in food production, chemical manufacturing, research, and digital marketplaces that had no cybersecurity obligations under Law 4577/2018 now face binding requirements. Two 2025 ministerial decisions operationalise the framework: Ministerial Decision 1645/2025 establishes the entity registration process, and Ministerial Decision 1689/2025 defines 22 national cybersecurity requirements that in-scope entities must implement.

The NCSA: Greece’s Single Competent Authority and National CSIRT

Established by Law 5086/2024 and supervised by Greece’s Minister of Digital Governance, the National Cybersecurity Authority concentrates four distinct NIS2 functions under one institution:

[Figure: NCSA consolidated oversight model, showing four regulatory functions under one authority versus the fragmented multi-agency model common elsewhere in the EU]
Unlike most EU states, Greece consolidated all four NIS2 oversight functions under a single NCSA, eliminating inter-agency friction.

| Function | What the NCSA does |
|---|---|
| Competent authority | Monitors and enforces Law 5160/2024 across all covered sectors |
| National CSIRT (CSIRT-GR) | Receives incident notifications; coordinates national cyber response |
| Cyber crisis management authority | Leads national response to large-scale cybersecurity incidents |
| Certification authority | National Cybersecurity Certification Authority under EU Regulation 2019/881 |

This centralised model means Greek organisations have one registration portal, one incident reporting destination, and one enforcement body to manage. The practical benefit is no inter-agency confusion about who to notify or who has jurisdiction. The risk is that a single authority has broad audit powers — the NCSA can run regular, ad hoc, or targeted inspections at any point without waiting for a triggering incident. Enforcement is ongoing, not future-tense.

For incident reporting, CSIRT-GR receives notifications directly. Unlike fragmented models in other member states, there is no need to route initial notifications through a sector-specific regulator before escalating to the national authority. Every stage of the notification, from the first early warning to the final report, goes to CSIRT-GR.

Is Your Organisation in Scope?

The two-factor test under Law 5160/2024 is sector plus size. An organisation that clears both gates must register with the NCSA and implement the required security measures. Certain entity types are in scope regardless of size.

[Figure: Two-factor scope test flowchart showing sector applicability, then the size threshold, with the SME exception]
Size alone does not guarantee exemption — the NCSA can classify small entities as Essential if they provide critical digital services.

| Entity type | Size threshold | Classification |
|---|---|---|
| Energy, transport, banking, health, digital infrastructure, public administration, space (Annex I) | 50+ employees OR €10M+ annual turnover | Essential Entity |
| DNS operators, TLD registries, trust service providers, qualified trust service providers | Any size | Essential Entity |
| Central and regional public administration bodies | Any size | Essential Entity |
| Manufacturing, postal, food, chemicals, digital marketplaces, research (Annex II) | 50+ employees OR €10M+ annual turnover | Important Entity |
| Entities providing critical services by exception | NCSA determination on a case-by-case basis | Essential or Important |

Important note for Greek SMEs: Size alone does not guarantee exemption. The critical services exception means an SME operating as the sole DNS resolver for a regional network, or a small logistics firm providing critical services to a major port, may be brought within scope by NCSA determination regardless of headcount or revenue. If there is any doubt about applicability, the prudent step is to verify scope proactively before the registration deadline rather than wait for an NCSA inquiry.

The distinction between essential and important entities determines supervision intensity and penalty exposure. Essential entities face proactive audits, mandatory compliance demonstrations, and the higher penalty tier. Important entities face reactive oversight but the same technical requirements. The classification affects when the regulator comes to you — not whether it eventually will.

Why Maritime, Energy, and Tourism Are Primary NIS2 Sectors in Greece

NIS2 defines covered sectors abstractly at the EU level. Greece’s industrial structure makes some of them disproportionately significant, which shapes where NCSA enforcement attention lands in practice.

Maritime and Shipping

Greece operates the world’s largest merchant shipping fleet by carrying capacity — approximately 20% of global deadweight tonnage is either Greek-flagged or Greek-owned. Port operators at Piraeus, Thessaloniki, Patras, and Volos; shipping companies managing vessel fleets; maritime classification societies; and port service providers are all essential entities under the transport category of Annex I. A cyberattack disrupting Greek port operations or vessel management systems would cascade across European supply chains — a risk profile that places this sector under direct and continuous NCSA scrutiny. Shipping companies and port operators above the size threshold should treat scope determination as settled, not uncertain.

Energy Infrastructure

Greece sits at the intersection of Eastern Mediterranean LNG flows, Balkan energy transit corridors, and the Trans-Adriatic Pipeline (TAP) terminal at Thesprotia. Electricity distribution operators, gas network operators, and oil infrastructure entities are Annex I essential entities. The ADMIE/IPTO electricity system operator and DESFA gas transmission system operator are the most prominent examples, but the sector extends to regional electricity distribution companies, independent power producers above the size threshold, and energy storage operators. With Greece positioned as an energy gateway between producer regions and Central European markets, cybersecurity vulnerabilities in Greek energy infrastructure carry consequences well beyond national borders.

Tourism and Digital Infrastructure

Tourism contributes approximately 25% of Greek GDP and is heavily dependent on digital systems — hotel property management platforms, booking engines, payment processors, and the data centres and cloud providers that underpin the sector. There is no standalone tourism sector in NIS2’s annexes, but the digital dependencies of Greece’s tourism economy mean a substantial number of hospitality technology providers qualify as important entities under the digital providers or ICT service management categories. Accommodation platforms, travel aggregators, and digital payment processors operating above the size threshold should evaluate their classification against Annex II criteria rather than assuming they are outside scope.

Three Requirements Greece Added Beyond the NIS2 Directive

Law 5160/2024 introduces three obligations that exceed what Directive (EU) 2022/2555 mandates at the EU level. These are enforceable requirements under Greek law — not recommendations. Organisations relying solely on generic EU-level NIS2 gap analysis checklists will underestimate what Greek compliance actually requires.

[Figure: The three Law 5160/2024 mandates that go beyond the EU NIS2 baseline]
Generic EU checklists will fail a Greek NCSA audit — Law 5160/2024 adds a YASPE officer, a 22-control asset inventory, and an annual policy submission.

1. Mandatory YASPE Appointment

Every in-scope entity must appoint a dedicated Information and Communications Systems Security Officer — the YASPE (Υπεύθυνος Ασφάλειας Συστημάτων Πληροφοριών και Επικοινωνιών). The YASPE role is distinct from the EU Directive’s general requirement for management oversight of cybersecurity. Detailed qualifications, duties, and restrictions are set out in Ministerial Decision 1899/2025 (Government Gazette B’ 4250, 05.08.2025), which entered into force on 1 November 2025.

Critical incompatibility rule: The YASPE role is explicitly incompatible with the Data Protection Officer (DPO) role. Organisations that currently have one person serving both functions must separate the appointments before regulatory scrutiny arrives.

2. Annual Cybersecurity Policy Submission

In-scope entities must prepare a formal cybersecurity policy and submit it to the NCSA annually. This goes beyond the EU baseline requirement to have a policy in place — it creates a recurring documentation cycle that functions as an audit evidence anchor. Missing a submission year creates a visible compliance gap in the NCSA’s records, independent of any incident or breach.

3. Mandatory Asset Inventory

A comprehensive register of tangible and intangible assets, prioritised by criticality, is a standalone Greek requirement under Ministerial Decision 1689/2025. The inventory must be maintained continuously and is subject to NCSA review. The 22 security controls framework in Decision 1689/2025 defines the structure and content requirements for this register. Organisations that do not currently maintain a systematic asset inventory face a significant documentation effort before they can demonstrate compliance with this requirement.

How to Register with the NCSA

Registration is mandatory for all essential and important entities. The NCSA operates a dedicated online platform for entity registration. Organisations that submitted details by email during earlier compliance phases are not considered fully registered — they must complete the full platform process, quoting their earlier NCSA protocol number as a reference.

[Figure: Four-step NCSA registration process: scope verification, YASPE designation, portal submission, protocol retention]
Previous NIS1 email registrations are legally void — all entities must re-register at nis2register.cyber.gov.gr by 30 September 2025.

The registration process on the NCSA platform at nis2register.cyber.gov.gr requires the following steps:

  1. Verify applicability — confirm your organisation falls within the scope of Law 5160/2024 based on sector and size criteria before starting the registration form
  2. Gather required information — company registration details, description of services and systems in scope, NIS2 contact point details, and information about the designated YASPE officer
  3. Complete the platform form — submit all required fields on nis2register.cyber.gov.gr; email-based prior submissions are insufficient and must be supplemented with full platform registration
  4. Record confirmation — retain the registration protocol number; this reference number will be required for subsequent regulatory interactions and audit documentation
  5. Update on material changes — registration is a continuous obligation; any significant change to organisational structure, services, or the YASPE designation must be updated on the platform without undue delay

Current deadline: 30 September 2025. The NCSA has issued clear warnings that failure to register or to designate a YASPE officer exposes the entity to regulatory scrutiny and administrative sanctions. Early registration — rather than waiting for the deadline — provides a buffer for resolving any platform issues or applicability questions.

Incident Reporting: The 24/72-Hour Clock

Significant incidents must be reported directly to NCSA’s CSIRT-GR. Law 5160/2024 adopts the three-stage reporting timeline from Article 23 of Directive (EU) 2022/2555:

[Figure: CSIRT-GR incident reporting countdown: 24-hour early warning, 72-hour notification, one-month final report]
Do not wait for an internal investigation — the 24-hour early warning clock starts at the moment of first internal awareness.

| Notification stage | Deadline from awareness | Required content |
|---|---|---|
| Early warning | 24 hours | Incident occurred; suspected cause category; whether cross-border impact is possible |
| Incident notification | 72 hours | Updated severity assessment; indicators of compromise; initial impact scope |
| Final report | 1 month from notification | Complete incident analysis; confirmed root cause; remediation and recovery steps taken |

A “significant incident” is defined by impact threshold: incidents that cause or could cause severe operational disruption, significant financial loss, or effects on other entities or member states. The NCSA may request interim updates between the 72-hour and one-month marks for high-severity events. Organisations should ensure their incident response procedures explicitly trigger the 24-hour clock — waiting for internal investigation results before notifying CSIRT-GR will push early warning past the deadline.
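The three-stage clock above is easy to get wrong in practice because the first two deadlines run from internal awareness while the third runs from the notification itself. The following tracker is an added example written for this article (it is not code from the NCSA or from the article’s authors) and models an incident record with the three submission timestamps; it assumes that “1 month” can be approximated as 30 days and that the final-report window is counted from the actual 72-hour notification when one has been sent, otherwise from that stage’s own deadline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

WINDOWS = {  # statutory windows as described in the text (Law 5160/2024, Art. 23 NIS2)
    "early_warning": timedelta(hours=24),  # from first internal awareness
    "notification": timedelta(hours=72),   # from first internal awareness
    "final_report": timedelta(days=30),    # assumption: "1 month" modelled as 30 days
}
STAGES = ("early_warning", "notification", "final_report")

@dataclass
class Incident:  # hypothetical record type, not an NCSA data format
    ref: str
    aware_at: datetime                           # first internal awareness starts the clock
    early_warning_at: Optional[datetime] = None  # when the early warning reached CSIRT-GR
    notification_at: Optional[datetime] = None   # when the 72-hour notification was sent
    final_report_at: Optional[datetime] = None   # when the final report was sent

    def sent(self, stage: str) -> Optional[datetime]:
        return getattr(self, stage + "_at")

def deadlines(inc: Incident) -> Dict[str, datetime]:
    """Due time per stage; final report runs from the actual notification if sent."""
    notif_due = inc.aware_at + WINDOWS["notification"]
    final_base = inc.notification_at or notif_due
    return {"early_warning": inc.aware_at + WINDOWS["early_warning"],
            "notification": notif_due,
            "final_report": final_base + WINDOWS["final_report"]}

def stage_status(submitted: Optional[datetime], due: datetime, now: datetime) -> str:
    """'met'/'late' once submitted; 'pending'/'overdue' while still outstanding."""
    if submitted is not None:
        return "met" if submitted <= due else "late"
    return "overdue" if now > due else "pending"

def report_status(inc: Incident, now: datetime) -> Dict[str, str]:
    d = deadlines(inc)
    return {s: stage_status(inc.sent(s), d[s], now) for s in STAGES}

def next_trigger(inc: Incident, now: datetime) -> Optional[Tuple[str, float]]:
    """Earliest unsent stage and hours left to its deadline (negative = overdue)."""
    d = deadlines(inc)
    for s in STAGES:
        if inc.sent(s) is None:
            return s, (d[s] - now) / timedelta(hours=1)
    return None  # all three stages have been submitted

def sample_incident() -> Incident:
    """Constructed sample: aware at 10:00 UTC, early warning sent 6 hours late."""
    t0 = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
    return Incident("INC-0001", t0, early_warning_at=t0 + timedelta(hours=30),
                    notification_at=t0 + timedelta(hours=48))

if __name__ == "__main__":
    inc = sample_incident()
    now = inc.aware_at + timedelta(days=5)
    print(report_status(inc, now))  # early_warning late, notification met, final pending
    print(next_trigger(inc, now))   # ('final_report', 648.0)
```

The escalation trigger an incident response runbook should act on is `next_trigger`, which depends only on the awareness timestamp and what has already been sent, not on how far the internal investigation has progressed.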

Penalties and Management Personal Liability

Administrative fines under Law 5160/2024 align with the EU Directive maximums:

| Entity classification | Maximum administrative fine |
|---|---|
| Essential entities | €10,000,000 or 2% of total annual global turnover — whichever is higher |
| Important entities | €7,000,000 or 1.4% of total annual global turnover — whichever is higher |

Beyond monetary fines, Law 5160/2024 introduces personal liability for senior management. Board members and executives can face a temporary prohibition from exercising managerial functions if the organisation’s non-compliance resulted from management-level failures in cybersecurity governance. This mechanism follows Article 20 of the EU Directive, which holds senior management directly accountable for approving and overseeing cybersecurity risk management measures — not just delegating them.

The NCSA can also impose non-monetary sanctions: corrective orders, mandatory audits conducted at the entity’s cost, and public disclosure of non-compliance findings. Public disclosure is a reputational consequence that falls outside the financial penalty calculation and can have significant commercial impact in sectors where trust is a competitive differentiator — particularly relevant for Greek maritime, financial, and tourism operators.

NIS2 Greece Compliance Checklist

  • Determine whether your organisation falls within Annex I or Annex II scope of Law 5160/2024
  • Classify as essential entity or important entity based on sector and size criteria
  • Register on the NCSA platform at nis2register.cyber.gov.gr by 30 September 2025
  • Appoint a YASPE officer — confirm the appointee is not also serving as DPO
  • Implement the 22 security controls defined in Ministerial Decision 1689/2025
  • Prepare your first annual cybersecurity policy submission for the NCSA
  • Build and maintain a prioritised asset inventory covering tangible and intangible assets
  • Establish a documented incident response procedure with explicit 24-hour and 72-hour escalation triggers
  • Brief the board on management personal liability under Article 20 of the NIS2 Directive
  • Review third-party and supply chain security arrangements against NIS2 requirements

Frequently Asked Questions

Does the 30 September 2025 registration deadline apply to all entity types?

Not all entities share the same deadline. Greece introduced staggered registration periods: DNS operators, cloud providers, online marketplaces, and certain digital infrastructure providers faced earlier deadlines in January and March 2025. The 30 September 2025 deadline applies to most other essential and important entities. If your organisation falls into a specialised digital infrastructure category, verify whether an earlier deadline applied to your entity type.

Can a small Greek tourism business be in scope for NIS2?

Yes, in specific circumstances. If the business operates as a digital service provider, data centre operator, or managed ICT service above the size threshold, it qualifies under Annex II. Smaller operators may also be brought within scope by NCSA determination if they provide services identified as critical to national infrastructure or the functioning of other regulated entities.

What happened to NIS1 registrations under Law 4577/2018?

Law 4577/2018 is fully replaced by Law 5160/2024. Entities that registered under the previous NIS framework must re-register on the new NCSA platform. Prior registrations do not carry over automatically, and the expanded scope under Law 5160/2024 means organisations that were outside NIS1 scope may now be within NIS2 scope.

Is the YASPE the same as the NIS2 “senior management” accountability requirement?

No — these are distinct obligations. The NIS2 Directive (Article 20) requires senior management to approve and oversee cybersecurity risk management measures. The YASPE is a separate, operationally dedicated security officer role required under Greek law that goes beyond the Directive’s baseline. Both obligations apply; satisfying one does not satisfy the other.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
