#NIS2
NIS2: What Greek Businesses Need to Know About the New Cybersecurity Law
Background
The NIS2 Directive became national law in Greece as Law 5160/2024, effective November 28, 2024. It introduces comprehensive cybersecurity obligations for a wide range of private and public entities. Here’s what it means and what to do next.
Who Does NIS2 Apply To?
- The scope has expanded significantly:
  - Medium and large organizations (50+ employees or €10M+ turnover) in sectors such as energy, transport, finance, healthcare, telecom, digital infrastructure, food, post, waste, chemicals, public administration, and more.
  - Essential entities (e.g., energy, banking, healthcare, large public bodies).
  - Important entities (e.g., waste, courier services, manufacturing, research).
  - Certain smaller entities also fall within scope, especially public communications providers, DNS registries, TLD registrars, etc.
- It also applies to non-EU companies operating in Greece/EU; these must appoint an EU representative.
In Greece, that’s around 10,000 companies now subject to NIS2.
What Does NIS2 Require?
NIS2 sets out mandatory requirements for governance, risk, incident, and supply chain security:
| Requirement | Summary |
|---|---|
| Governance & management | Senior leaders must sign off on policies; appoint an ICS-Security Officer (ICSECO) |
| Risk management | Perform periodic cybersecurity risk assessments, aligned with ISO/NIST |
| Incident reporting | Report major incidents to CERT within 24h; follow-up required |
| Asset & supply chain | Maintain accurate inventories; enforce security across vendors |
| Technical measures | Enforce MFA, patching, logging, vulnerability scanning, backups, encryption |
| Training & awareness | Staff must be trained regularly, not just once |
| Audits & supervision | The Greek Cybersecurity Authority will audit compliance; non-compliance carries fines |
What You Should Do Now
- Determine applicability. Do you meet the size and sector criteria? Public communications, DNS, and trust service providers may be in scope even if they are smaller.
- Register with the Authority. Greek entities must report contact info, systems, IPs, etc., within 2 months of being in scope.
- Appoint an ICS-Security Officer (ICSECO). This is a recognized expert responsible for compliance and incident coordination.
- Establish governance. Document a cybersecurity policy, reviewed annually and approved by leadership.
- Conduct a risk assessment. Identify critical assets, threats, and controls needed.
- Implement baseline controls. Enforce MFA, patch management, asset tracking, logging, backups, supply chain checks.
- Develop & test incident response. Have a plan plus tabletop exercises; know how to report to CERT.
- Train your team. Regular phishing drills, awareness sessions, and clear escalation paths.
- Monitor and audit. Keep evidence of controls; review quarterly and prepare for Greek Authority audits.
Myths vs. Reality
- Myth: "If we're ISO or GDPR certified, we're covered." Reality: those standards provide frameworks—but NIS2 is a separate legal obligation with incident reporting and C-suite accountability.
- Myth: "It applies only to banks or hospitals." Reality: any medium/large entity in the in-scope sectors, and even smaller specialized providers, falls within scope.
- Myth: "We can scramble later, the deadline is far off." Reality: registration was due early 2025, with policies and control enforcement ongoing now, and audits are already underway.
Quick Compliance Checklist
- Do we meet size/sector criteria?
- Are we registered with the National Authority?
- Do we have an ICSECO?
- Is our cybersecurity policy drafted and leadership-approved?
- Have we done a full risk assessment?
- Are MFA, patching, logging, backups, and supply-chain checks live?
- Do we have a tested incident response plan?
- Is regular staff training in place?
- Are we ready for supervisory audits?
Bottom Line
For Greek SMBs, NIS2 is a compulsory, enforceable cybersecurity law, not a suggestion. Ignoring it risks fines of up to €10M (or 2% turnover), legal exposure for executives, and operational disruption.
If you’re unsure whether it applies—or how to address it—Spacerok can provide a NIS2 readiness assessment, gap analysis, and compliance roadmap tailored to your business context. No jargon, no fluff—just clear, actionable steps to keep you secure and compliant.
Reach out today to get ahead.