Beyond the well-known international standard ISO/IEC 27001:2022, which addresses data security and cybersecurity, there are also binding requirements from the European Union, as outlined in the NIS2 Directive.

What is the NIS2 Directive?

Directive (EU) 2022/2555, also known as the NIS2 (Network and Information Security) Directive, came into effect on October 18, 2024, aiming to enhance the EU’s cyber resilience by establishing a high common level of cybersecurity across the European Union. The recently enacted Law 5160/2024 incorporates the NIS2 Directive into Greek legislation.

Where does NIS2 apply?

The NIS2 Directive applies to a broader range of entities than the original NIS Directive, including:

  • Highly critical sectors: healthcare, energy, transport, drinking water, digital infrastructure, wastewater, space, public administration, managed ICT services, banking, and financial market infrastructure.
  • Other critical sectors: digital providers, research, food production, processing and distribution, postal and courier services, waste management, chemical manufacturing and distribution, and construction.

Organizations subject to NIS2 are classified based on criteria such as sector of activity and size (e.g., number of employees, annual turnover, and balance sheet total).

Penalties for Non-Compliance with NIS2 and Law 5160/2024

Failure to comply with the provisions of Law 5160/2024 entails strict administrative and financial penalties (e.g., high fines, revocation or restriction of operating licenses), depending on the severity and recurrence of the violations.

“Directive (EU) 2022/2555 of the European Parliament and Council, dated December 14, 2022, commonly known as the NIS2 Directive (Network and Information Security Directive), is the revised version of the original NIS Directive established in 2016 to enhance cybersecurity across the EU. NIS2 focuses on protecting critical networks and information systems from cyber threats and ensures a coherent cybersecurity approach throughout the European Union.”

Thanasis Mitsakos, Head of Information Systems Inspection Division of TÜV AUSTRIA Hellas

The NIS2 Directive was incorporated into Greek legislation on November 27, 2024, through Law 5160/2024. It expands its scope to include food sector companies (involved in production, processing, and distribution), especially those classified as “essential” or “important” entities based on size, turnover, and balance sheet data.

These companies must comply with the NIS2 Directive and the Greek implementing Law 5160/2024, and must adopt appropriate technical and organizational measures, as outlined in the recent Ministerial Decision 1689/2025.

In case of non-compliance, strict sanctions will be imposed by the National Cybersecurity Authority, including significant fines, depending on the severity of the violation and its impact on the company and its customers.

 

 

➡️ https://cibum.gr/nea/epixeiriseis/kyvernoasfaleia-i-praxi-kai-i-nomothesia-apaitei-stocheymenes-energeies/
