Greece Transposes EU Directive 2022/2557 (Critical Entities Resilience Directive)

/in /by
Warning: count(): Parameter must be an array or an object that implements Countable in /home/seelegal/public_html/wp-content/plugins/team-showcase/tshowcase.php on line 3993
National Resilience

Greece Transposes EU Directive 2022/2557 (Critical Entities Resilience Directive)

October 2025

Irene Kyriakides, Partner, Natalia Soulia, Counsel, and Terpsithea Papanikolau, Junior Associate

Kyriakides Georgopoulos Law Firm

Introduction

Greece has recently enacted Law 5236/2025, transposing the Critical Entities Resilience Directive (Directive (EU) 2022/2557, “CERD”) into national law. The new regime introduces a comprehensive framework to identify and regulate “critical entities”, namely operators which belong to certain key sectors, such as energy, transport, finance, health, water, waste management, digital infrastructure, space, public administration and food supply and which provide essential services (i.e. services which are crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment).

The General Secretariat for the Protection of Critical Entities (“G.S.P.C.E.”), under the Ministry for Citizen Protection, will act as the central authority, managing the National Register of Critical Entities and supervising their compliance.

Key Deadlines

  • 17 Jan 2026: Completion of national risk assessment.
  • 17 Jul 2026: Identification of critical entities by the G.S.P.C.E.
  • Within 1 month from designation: Notification to entities that they have been identified as critical.
  • Within 9 months from notification: Performance of risk assessments by entities aiming at assessing all relevant risks that could disrupt the provision of their essential services.

Key Obligations for Designated Entities

  • Conduct within nine months of receiving the notification, whenever necessary subsequently, and at least every four years, comprehensive criticality risk assessments.
  • Implement technical, security and organizational measures to ensure their resilience Report major incidents to the G.S.P.C.E.
  • Cooperate with authorities during inspections and investigations.

Sanctions

  • Fines of up to €1,000,000 for non-cooperation or information breaches.
  • Fines of up to €10,000,000 for major security or crisis management failures.
  • Corrective and remedial measures.

Interaction with NIS2

Law 5236/2025 complements Law 5160/2024 (NIS2), focusing on physical resilience, while NIS2 covers cybersecurity.

Conclusion

Entities active in key sectors should begin early assessments and compliance planning to align with the upcoming 2026 deadlines and mitigate regulatory and operational risks.

October 2025

Irene Kyriakides, Partner, Natalia Soulia, Counsel, and Terpsithea Papanikolau, Junior Associate

Kyriakides Georgopoulos Law Firm

Introduction

Greece has recently enacted Law 5236/2025, transposing the Critical Entities Resilience Directive (Directive (EU) 2022/2557, “CERD”) into national law. The new regime introduces a comprehensive framework to identify and regulate “critical entities”, namely operators which belong to certain key sectors, such as energy, transport, finance, health, water, waste management, digital infrastructure, space, public administration and food supply and which provide essential services (i.e. services which are crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment).

The General Secretariat for the Protection of Critical Entities (“G.S.P.C.E.”), under the Ministry for Citizen Protection, will act as the central authority, managing the National Register of Critical Entities and supervising their compliance.

Key Deadlines

  • 17 Jan 2026: Completion of national risk assessment.
  • 17 Jul 2026: Identification of critical entities by the G.S.P.C.E.
  • Within 1 month from designation: Notification to entities that they have been identified as critical.
  • Within 9 months from notification: Performance of risk assessments by entities aiming at assessing all relevant risks that could disrupt the provision of their essential services.

Key Obligations for Designated Entities

  • Conduct within nine months of receiving the notification, whenever necessary subsequently, and at least every four years, comprehensive criticality risk assessments.
  • Implement technical, security and organizational measures to ensure their resilience Report major incidents to the G.S.P.C.E.
  • Cooperate with authorities during inspections and investigations.

Sanctions

  • Fines of up to €1,000,000 for non-cooperation or information breaches.
  • Fines of up to €10,000,000 for major security or crisis management failures.
  • Corrective and remedial measures.

Interaction with NIS2

Law 5236/2025 complements Law 5160/2024 (NIS2), focusing on physical resilience, while NIS2 covers cybersecurity.

Conclusion

Entities active in key sectors should begin early assessments and compliance planning to align with the upcoming 2026 deadlines and mitigate regulatory and operational risks.