Cybersecurity is no longer only a matter for the technical department. For many businesses in Greece it has become a legal obligation, a management issue and a business continuity issue. The NIS2 Directive and the Greek Law 5160/2024 change the way cyber risks are handled in critical sectors: energy, transport, health, financial services, digital infrastructure, food, courier services, manufacturing, research, production of specific products and other activities that may affect economic and social life.

In simple terms, the state no longer asks only "do you have antivirus?". It asks whether the business knows which systems it has, which suppliers have access, who decides during an incident, when the authority is notified, whether backups exist, whether management has approved policies and whether all this can be proved.

NIS2 is not just a technical checklist

Management needs a documented picture of systems, suppliers, backups, roles, incidents and reports. This means decisions, records and control of implementation, not only the purchase of new software.

This article explains in practical terms who NIS2 concerns in Greece, what a business must check and which first steps make sense before the issue becomes urgent.

What NIS2 is and why it matters now

NIS2 is the second European directive on the security of network and information systems. It replaced the older NIS1 and significantly expanded the scope of application. Greece incorporated it into national law with Law 5160/2024, published in Government Gazette A' 195/27.11.2024.

The basic idea is simple: when a business or body provides a service that is critical for the market, society or public functions, it cannot treat cybersecurity as an optional expense. It must have an organized system for prevention, risk management, incident handling and reporting of serious events.

NIS2 does not concern only "large banks" or "state bodies". It also concerns private businesses that operate in specific sectors and meet size criteria or more specific conditions. That is why the first practical question for every business is: "Am I within the scope or not?"

Which businesses may be affected

The Greek law is built around two categories: "essential entities" and "important entities". These are not simple labels. The category affects the level of supervision, the obligations and the way in which the business must organize its compliance.

As a rule, two things are examined: the sector of activity and the size of the business. Medium-sized and large businesses in critical sectors are the first that need to carry out a scope assessment. There are also cases where inclusion may apply regardless of size, such as certain providers of digital or electronic services, trust service providers, top-level domain name registries and DNS services.

Indicative control table

| Question | Why it matters | Practical action |
|---|---|---|
| In which sector does the business operate? | NIS2 applies to specific sectors of high or other criticality. | Compare activity codes, actual activity and contracts with the Annexes of Law 5160/2024. |
| Is it a medium-sized or large business? | Size is a basic inclusion criterion for many categories. | Check employees, turnover and balance sheet against the SME criteria. |
| Does it provide a critical service to other businesses? | The impact of an interruption may increase the entity's importance. | Map customers, SLAs, public services and critical dependencies. |
| Does it have digital infrastructure, cloud, managed services or security services? | Digital providers are especially important under NIS2. | Check whether you fall under DNS, cloud, data center, MSP, MSSP or online marketplace providers. |
| Is there an obligation to register on the self-declaration platform? | Registration is a legal obligation for entities that fall within the scope. | Carry out a documented assessment and, where required, register at nis2register.cyber.gov.gr. |

Examples of businesses that should look seriously at NIS2

A courier company with an extensive delivery network is not exposed only to loss of email. If the routing, parcel tracking or invoicing system goes down, the interruption may affect customers, partners and the market. A food company with industrial production does not only have commercial risk. If an incident affects a production line, traceability or the cold chain, the problem may become operational and regulatory.

The same applies to technology providers. A company that offers managed IT to many customers may become the "central corridor" of an attack. If the remote management tool is compromised, not only the company itself is affected, but also its customers. This is where NIS2 insists on supply-chain security and on relationships with direct suppliers or service providers.

In practice, many Greek businesses will not find the answer only from their title. They will need to examine what they actually do. A "technology company" that sells retail equipment is different from a company that operates cloud, data center, cybersecurity or infrastructure management services for critical customers.

What "essential" and "important" entity mean

Essential entities are linked to a higher degree of criticality. In practice this means increased attention, a greater likelihood of proactive supervision and higher documentation requirements. Important entities are not a "light" category. They also have substantial obligations; it is only the method of supervision and the intensity of checks that may differ.

The distinction also matters for fines. For breaches related to risk-management measures or incident reporting obligations, Law 5160/2024 provides maximum limits that may reach, for essential entities, EUR 10,000,000 or 2% of worldwide annual turnover, and for important entities EUR 7,000,000 or 1.4% of worldwide annual turnover, whichever is higher.

These amounts do not mean that every breach automatically leads to the maximum fine. They do mean, however, that compliance cannot remain in a folder of generic policies. Management must be able to show that it has understood the risk, approved measures, allocated resources and monitors implementation.

The self-declaration platform and the first administrative obligation

The National Cybersecurity Authority has put into operation an entity registration platform for Law 5160/2024. Registration does not concern natural persons, but legal persons and bodies that fall within the scope. The platform asks for information such as basic entity details, legal representative, type of services, IP ranges and domain names.

This is important because it shows the logic of the law. The authority does not only want to know "who exists". It wants to have a picture of the digital surfaces that support critical services. A business that has not recorded its domains, systems, public IPs, providers and access points will struggle both with registration and with substantive compliance.

The right approach is not "let us register quickly and see later". It is to carry out an internal review: inclusion, category, services, systems, responsible persons, suppliers, data to be submitted and a process for updating it when things change.

What a business must do in practice

NIS2 does not require the same tools from all businesses. It does, however, require appropriate and proportionate technical, operational and organizational measures. This means that a business with 250 employees, cloud ERP, production systems and dozens of suppliers cannot be expected to operate with the same set of measures as a small office. Proportionality is not an excuse for inaction. It is a way to design measures that fit the real risk.

First compliance steps

| Step | What we do | What should remain as evidence |
|---|---|---|
| 1. Scope assessment | We check sector, size, services and special categories. | A short inclusion memo with legal and technical documentation. |
| 2. System mapping | We record critical systems, domains, IPs, applications, cloud and backups. | Asset register, network diagram, list of providers and responsible persons. |
| 3. Risk assessment | We assess probability, impact and risk priorities. | Risk table, date, participants and management decision. |
| 4. Risk treatment plan | We choose measures: MFA, backups, logging, patching, endpoint security, incident response. | Action plan with owner, deadline and status. |
| 5. Incident response procedure | We define who does what during an incident. | Playbook, contact list, reporting template and exercises. |
| 6. Training | We train management and staff at least annually. | Attendance lists, training material and short knowledge checks. |
| 7. Supplier control | We place security requirements on IT, cloud, ERP, MSP, MSSP, payroll and logistics. | Contract clauses, security questionnaires, SLAs and DPA where needed. |

The measures are not only technical

Many businesses hear "cybersecurity" and think of a firewall. NIS2 is broader. It includes risk-analysis policies, incident management, business continuity, backups and recovery, supply-chain security, secure development and maintenance of systems, assessment of measure effectiveness, cyber hygiene, training, encryption, access control, asset management and multi-factor authentication.

The critical point is the connection between technical measures and management responsibility. If the business has MFA but does not know on which accounts it is not applied, there is a gap. If it has backups but has not tested restore, there is a gap. If it has an IT provider but no contract saying when the provider must notify it of an incident, there is a gap. If it has a security policy but employees do not know it, there is a gap.

Joint Ministerial Decision 1689/2025 on the National Cybersecurity Requirements Framework makes this logic even more practical. It refers to technical, operational and organizational measures, to a holistic risk approach, proportionality and evidence: policies, procedures, board minutes, contracts, training certificates, network diagrams, business continuity plans, audit reports and other material showing that compliance is actually implemented.
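The four "there is a gap" tests above (MFA coverage, untested backups, supplier contracts without a notification clause, policies staff have not acknowledged) are exactly the kind of check that can be run against the evidence the business already holds. The script below is an added example, not code from the article or from any authority: it takes a constructed inventory (in practice these records would be exported from the identity provider, the backup system, the contract register and the training tool) and returns the list of gaps that would have to appear in the action plan. The record layout, the 365-day restore-test limit and the sample data are assumptions.

```python
"""Evidence-based gap check for the four "gap" conditions (added example)."""
from datetime import date

# Constructed sample inventory; the field names are assumptions for this example.
INVENTORY = {
    "accounts": [
        {"user": "admin-erp", "privileged": True, "mfa": True},
        {"user": "svc-backup", "privileged": True, "mfa": False},
        {"user": "warehouse-01", "privileged": False, "mfa": False},
    ],
    "backups": [
        {"system": "ERP", "last_backup": "2025-01-10", "last_restore_test": "2023-06-01"},
        {"system": "Tracking", "last_backup": "2025-01-10", "last_restore_test": None},
    ],
    "suppliers": [
        {"name": "MSP-A", "access": "remote-admin", "incident_notification_clause": True},
        {"name": "Cloud-B", "access": "hosting", "incident_notification_clause": False},
    ],
    "policy_acknowledgements": {"staff_total": 40, "acknowledged": 12},
}


def find_gaps(inventory, today, restore_test_max_age_days=365):
    """Return human-readable gap statements; an empty list means no gap found."""
    gaps = []

    # MFA exists, but is it applied to every privileged account?
    for acct in inventory["accounts"]:
        if acct["privileged"] and not acct["mfa"]:
            gaps.append(f"MFA missing on privileged account {acct['user']}")

    # Backups exist, but has restore ever been tested, and recently enough?
    for b in inventory["backups"]:
        last_test = b["last_restore_test"]
        if last_test is None:
            gaps.append(f"Backup for {b['system']} has never been restore-tested")
        elif (today - date.fromisoformat(last_test)).days > restore_test_max_age_days:
            gaps.append(
                f"Restore test for {b['system']} older than {restore_test_max_age_days} days"
            )

    # A provider exists, but does the contract say when it must notify an incident?
    for s in inventory["suppliers"]:
        if not s["incident_notification_clause"]:
            gaps.append(f"Contract with {s['name']} lacks an incident notification clause")

    # A policy exists, but do the employees know it?
    ack = inventory["policy_acknowledgements"]
    if ack["acknowledged"] < ack["staff_total"]:
        gaps.append(
            f"Security policy acknowledged by {ack['acknowledged']} of {ack['staff_total']} staff"
        )
    return gaps


if __name__ == "__main__":
    for line in find_gaps(INVENTORY, date(2025, 1, 15)):
        print("GAP:", line)
```

Each returned line maps to one row of the risk treatment plan (owner, deadline, status), which is the evidence the supervisory framework asks for.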

Incident reporting: the 24-hour and 72-hour deadlines

One of the most practical and difficult points is the reporting of significant incidents. The law provides that essential and important entities notify significant incidents to the competent CSIRT of the National Cybersecurity Authority. A significant incident is, among other things, an incident that has caused or may cause serious operational disruption or financial loss, or that may affect other natural or legal persons with significant material or non-material damage.

The time pressure is high. An early warning must be submitted without undue delay and, in any event, within 24 hours from the moment the entity became aware of the significant incident. A more complete incident notification must follow within 72 hours. A final report is submitted, as a rule, no later than one month after the notification.

This means that incident response cannot be written after the event. It must exist before. Who decides that an incident is "significant"? Who speaks with the technical team? Who informs legal counsel, the DPO, management, customers or the authority? Who preserves evidence without altering it? If these points are not decided in advance, the first 24 hours are lost.
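The three deadlines run from fixed points, so they can be computed the moment someone records "we became aware at ...". The script below is an added example, not from the article or the authority: it derives the 24-hour, 72-hour and one-month due dates from the awareness timestamp, moves the final-report deadline to one month after the notification was actually sent once that is known, and classifies each stage as on time, late or pending. Timestamps are treated as naive UTC and the incident record is constructed; the "one month" rule is implemented as a calendar month with the day clamped to the end of a shorter month, which is an assumption about how the period is counted.

```python
"""24h / 72h / one-month reporting timeline for a significant incident (added example)."""
import calendar
from datetime import datetime, timedelta


def add_one_month(dt):
    """Same day next calendar month; 31 January becomes 28/29 February (assumed convention)."""
    month = dt.month % 12 + 1
    year = dt.year + dt.month // 12
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at):
    """Latest permitted submission time per stage, counted from awareness of the incident."""
    notification_due = aware_at + timedelta(hours=72)
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": notification_due,
        # Final report is due one month after the notification; until the notification is
        # actually sent, the latest possible due date is one month after its own deadline.
        "final_report": add_one_month(notification_due),
    }


def check_timeline(aware_at, submitted):
    """submitted maps stage -> datetime actually sent, or None if not yet sent.

    Returns (due, status) where status is "on time", "late" or "pending" per stage.
    """
    due = reporting_deadlines(aware_at)
    if submitted.get("incident_notification") is not None:
        due["final_report"] = add_one_month(submitted["incident_notification"])
    status = {}
    for stage, deadline in due.items():
        sent = submitted.get(stage)
        if sent is None:
            status[stage] = "pending"
        elif sent <= deadline:
            status[stage] = "on time"
        else:
            status[stage] = "late"
    return due, status


# Constructed incident record: awareness late on 31 March, early warning sent too late.
AWARE_AT = datetime(2025, 3, 31, 22, 15)
SUBMITTED = {
    "early_warning": datetime(2025, 4, 2, 1, 0),
    "incident_notification": datetime(2025, 4, 2, 9, 0),
    "final_report": None,
}

if __name__ == "__main__":
    due, status = check_timeline(AWARE_AT, SUBMITTED)
    for stage in due:
        print(f"{stage:22s} due {due[stage]:%Y-%m-%d %H:%M}  {status[stage]}")
```

In the constructed case the early warning went out at 01:00 on 2 April, two hours and forty-five minutes after the 24-hour limit, even though the fuller notification was well inside its 72 hours; that is the kind of miss a playbook with pre-assigned decision makers is meant to prevent.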

NIS2, GDPR and personal data

NIS2 does not repeal the GDPR. They will often operate together. Ransomware in an ERP may be both a cybersecurity incident and a personal data breach. A customer data leak may need assessment under both the GDPR and Law 5160/2024, if the business is an essential or important entity.

The practical consequence is that the business must coordinate three roles: the technical team or external IT, legal counsel and the data protection officer where one exists. It is not enough for IT to "close the hole". It must be assessed whether there is a notification obligation, what evidence exists, who was affected, what must be said and within what timeframe.

Supplier contracts: the point that is forgotten

The supply chain is one of the most important points of NIS2. In practice, many attacks pass through suppliers: remote access tools, cloud consoles, ERP software, email services, hosting, domain management, outsourced support and backup services. If the supplier has weak access control, poor update management or delays notification, the main business is exposed.

Contracts with IT providers must become more specific. They should define security levels, the obligation to notify incidents, response times, responsibilities in forensic review, access to logs, backup policy, data storage geography, subcontractor obligations and exit procedure. This is not a "legal detail". It is the difference between a business that knows who does what and a business that searches for contracts during a crisis.

Practical example

Let us take a medium-sized Greek logistics business that uses cloud ERP, an ordering application, a tracking system, corporate email, handheld devices in warehouses and an external IT provider. Management believes that "the provider has it covered". In reality, the business must know whether it falls under NIS2, which systems are critical, what data it holds, which interruption would stop deliveries and who has administrator rights.

The first serious step is not to buy yet another tool. It is to create a map: systems, roles, suppliers, risks, backups, access, contracts and incident plan. Then it can set priorities: MFA on all critical accounts, restriction of admin rights, backup restore testing, logging, endpoint protection, patch management, staff training, supplier clauses and an incident-response exercise.

If an incident occurs, the business will be able to answer: when it became aware of it, what was affected, whether it is significant, who was notified, what measures were taken, what evidence was kept and whether there is a reporting obligation. This is the practical value of compliance.

What a business should do tomorrow morning

It does not need to start with a perfect program. It needs to start in the right order.

1. Carry out a scope assessment based on sector, size and actual services.
2. Appoint a project owner with management participation, not only IT.
3. Record critical systems, suppliers, domains and IP ranges.
4. Prepare a risk assessment and action plan.
5. Check whether there is an obligation to register on the self-declaration platform.
6. Create an incident-response playbook with a 24/72-hour procedure.
7. Review contracts with key providers.

The most useful test is simple: if access to email, ERP or a production system is lost tomorrow, do we know who decides, who informs, who restores and what must be reported? If the answer is no, the business has work to do.

Frequently asked questions

Does NIS2 concern small businesses?

As a rule, it mainly targets medium-sized and large businesses in specific critical sectors. There are, however, special cases where inclusion may apply regardless of size, especially in certain digital services. A small business that is a supplier of an essential or important entity may also face stricter contractual requirements, even if it is not directly within the scope.

If we have ISO 27001, are we covered?

ISO 27001 helps a great deal, but it is not an automatic exemption. The controls must be mapped against the requirements of Law 5160/2024 and Joint Ministerial Decision 1689/2025, especially for reporting, management responsibility, supply chain and documentation.

Do we always have to notify the authority about every technical problem?

No. The obligation concerns significant incidents, meaning incidents with serious operational, financial or other impact as defined by the law. That is why an internal assessment criterion is needed, not panic at every alert.

Who should take responsibility inside the company?

The technical team is essential, but responsibility is not only technical. Participation is needed from management, legal counsel, finance management, the DPO where one exists, operations managers and procurement. NIS2 is a risk-management program, not an isolated IT project.

What might a business have to pay?

The law provides high maximum fine limits, especially for breaches of risk-management measures and incident reporting. Beyond fines, there is also real cost: business interruption, loss of customers, compensation, audits, publication of breaches and recovery cost.

Conclusion

NIS2 in Greece is not just another compliance paper. It is a change of mindset. The business must know its systems, assess risks, train people, control suppliers, have an incident plan and be able to prove that all this is implemented.

For affected businesses, the worst scenario is to wait for the first serious incident before getting organized. The best approach is to start with a clear scope assessment and a practical compliance plan. Not to fill folders, but to be able to keep operating when something goes wrong.

Sources and useful references