The NIS2 Directive (EU Directive 2022/2555) is the new fundamental European regulation in the field of cybersecurity, replacing the original NIS Directive (2016/1148/EU).
Its aim is to enhance the resilience of critical and important entities against cybersecurity threats through stricter requirements on governance, risk management, and incident reporting.
New Requirements of NIS2
The NIS2 Directive expands its scope by including new sectors based on their level of digitization, interconnectivity, and importance to the economy and society, imposing new obligations focused on three main pillars:
- Member State Obligations (e.g., national authorities and cybersecurity strategies, crisis management frameworks for cyber incidents).
- Risk Management (e.g., organizations subject to NIS2 must take security measures and report incidents within specific timeframes).
- Cooperation and Information Sharing (e.g., creation of CSIRT networks – Computer Security Incident Response Teams, CyCLONe – Cyber Crisis Liaison Organizations Network, ENISA cybersecurity reports).
Key changes compared to the original NIS Directive include:
- Inclusion of more and new sectors.
- Inclusion of more entities.
- Introduction of new deadlines for incident notification.
- Addition of further requirements and obligations.
NIS2 will apply to a broader and more extensive range of entities than the original directive. It includes:
Highly Critical Sectors: Health – Energy – Transport – Drinking Water – Digital Infrastructure – Wastewater – Space – Public Administration – Managed ICT Services – Banks – Financial Market Infrastructures.
Other Critical Sectors: Digital Providers – Research – Food Production, Processing and Distribution – Postal and Courier Services – Waste Management – Chemical Manufacturing and Distribution – Construction Sector.
Entities under NIS2 are defined based on categorization criteria including size and sector (e.g., number of employees, annual turnover, annual balance sheet).

Th. Mitsakos, Head of Information Systems Inspection Division of TÜV AUSTRIA Hellas
Specification of the Measures in Greek Legislation
In Greece, NIS2 was transposed into national law through Law 5160/2024, while Ministerial Decision 1689/2025 specifies the technical and organizational measures required and serves as the main implementation tool.
It was issued by the Ministries of Digital Governance and Interior, in cooperation with the National Cybersecurity Authority (NCA). It constitutes the executive framework of NIS2 in Greece and includes, among others:
Minimum Technical and Organizational Security Measures:
Security governance and leadership – Risk management – Access control – Encryption and data protection – Patching and vulnerability management – System monitoring – Incident management – Supply chain security – Staff training – Secure software development – Business continuity and recovery.
Specific provisions of MD 1689/2025
Article 5 – Risk Management Framework
“Essential and important entities shall implement the following:
- The entity shall periodically and proportionally conduct risk assessments, using procedures to identify, analyze, and evaluate risks that threaten the security of their network and information systems. These procedures must follow methodologies based on international standards and/or best practices.”
How TÜV AUSTRIA can help:
We offer organizations the ability to be audited and certified according to international standards:
- ISO/IEC 27001:2022, the internationally recognized standard for information security.
- ISO/IEC 22301:2019, the internationally recognized standard for business continuity.
Certification with these standards significantly supports compliance with NIS2 by providing a structured framework for information security risk management, business continuity requirements, technical and organizational security measures, and continuous monitoring and improvement procedures aligned with many NIS2 requirements.
Article 5 – Cyber Threat Intelligence
“Essential entities, in addition to the measures in paragraph 1, conduct in-depth risk assessments periodically, considering cyber threat intelligence from reliable and technically specialized sources, as well as the results of full vulnerability assessments of their network and information systems.”
How TÜV AUSTRIA can help:
Through TÜV AUSTRIA Trust IT, we provide Security Operation Center as a Service (SOCaaS), with 24/7 monitoring of IT and OT infrastructures.
Supported by expert analysts and cutting-edge SOC technology, we enable real-time detection of cyber threats and fast incident response, while identifying potential gaps in existing security controls.
Article 8 – Independent Information Security Audits
“Essential and important entities shall implement the following:
- The entity shall periodically conduct independent audits of all parameters of its information security management program, including personnel, policies, procedures, and technologies used. These audits may be conducted by internal or external auditors.
- Independent audits shall be conducted at scheduled intervals, as well as in the event of serious cybersecurity incidents, significant operational changes, or changes in the current international cyber threat landscape.”
How TÜV AUSTRIA can help:
We offer comprehensive NIS2 Gap Assessment services to help organizations identify and document gaps or areas of non-compliance against the current compliance requirements.
Article 17 – Vulnerability Management and Reporting
“Essential and important entities shall implement the following:
- The entity shall periodically perform vulnerability scans on its network and information systems using automated tools, with the results recorded in a detailed report.”
How TÜV AUSTRIA can help:
We offer organizations the ability to conduct Vulnerability Assessments. The benefits of performing a Vulnerability Assessment include:
- Timely detection of security weaknesses
- Reduced risk of data breaches from cyberattacks
- Enhanced preparedness against malicious attacks
- Support for continuous information security improvement
- Compliance with legal and regulatory frameworks
Article 18 – Cyber Risk Management Effectiveness Evaluation
“Essential and important entities shall implement the following:
- The entity shall periodically, at least once a year or following a serious cybersecurity incident, conduct internal penetration tests on its network and information systems, based on the classification scheme of assets and data.
- The entity shall periodically, at least once a year or following a serious cybersecurity incident, conduct external penetration tests on its network and information systems.”
How TÜV AUSTRIA can help:
We offer organizations the ability to conduct Penetration Tests. TÜV AUSTRIA, with its experienced and specialized personnel, performs penetration tests to help organizations:
- Identify and prioritize security gaps and vulnerabilities
- Strengthen network and information security
- Meet regulatory, compliance and legal requirements
Article 21 – Cybersecurity Training and Awareness
“Essential and important entities shall implement the following:
- The entity shall periodically conduct training and awareness programs for all personnel, as well as members of the highest governing body, on cybersecurity topics.”
How TÜV AUSTRIA can help:
We offer in-person or remote training services (live or asynchronous) in topics such as information security, personal data protection, and business continuity.
We also help organizations build a corporate culture of continuous learning in cybersecurity.
Non-Compliance Consequences
Failure to comply with the provisions of NIS2 and Law 5160/2024 results in strict administrative and financial penalties, such as high monetary fines, license revocations, and operational restrictions, depending on the severity and recurrence of the organization's violations.