Enacted

The NIS2 has been transposed by virtue of Law 5160/2024. 

• Closely modeled on the NIS2 Directive.
• First-tier and second-tier local government bodies are within scope; the list of sectors and/or subsectors falling within the scope of Law 5160/2024 may be extended by virtue of a Ministerial Decision.
• Certain obligations for entities within scope are introduced (e.g., appointment of an Information Technology Systems and Communications Security Officer, adoption of unified cybersecurity policy, maintenance of a comprehensive inventory of tangible and intangible information and communication assets).
• Management of essential and important entities is liable for infringements of provisions in relation to the adoption of cybersecurity risk-management measures and training.
• Non-compliance can result in significant sanctions, ranging from EUR 100,000 to EUR 10,000,000, depending on the nature and severity of the breach.
• Secondary legislation is expected, which will specify certain important aspects of Law 5160/2024.

Law 5160/2024 has been in force since 27 November 2024 (for first-tier local government bodies the law’s enforcement begins on 27 November 2025).