Greek Draft Law Transposing the NIS 2 Directive on Cybersecurity Open for Public Consultation

October 2024

Irene Kyriakides, Partner, Natalia Soulia, Senior Associate, Eleni Kyratzi, Associate, Terpsithea Papanikolaou, Junior Associate

Kyriakides Georgopoulos Law Firm

On October 19th, 2024, the Ministry of Digital Governance released for public consultation the draft Law transposing into Greek legislation Directive 2022/2555 (NIS2 Directive) on measures for a high common level of cybersecurity across the EU. The proposed draft Law aims to address the gaps identified in the NIS1 Directive, which is repealed by NIS2.

More specifically, both the NIS2 Directive and the draft Law apply to a wider scope of entities in comparison to NIS1 (for example, businesses in the water supply and distribution, the food supply, and the digital infrastructure sectors) and introduce stricter and more comprehensive rules on cybersecurity risk management, incident reporting obligations, enforcement, and cooperation between stakeholders.

Key Provisions

1. Distinction between “essential” and “important” entities

The draft Law applies to both public and private entities that provide services in critical sectors. The new measures will apply to medium-sized enterprises and larger organizations, while even smaller entities may be included if their services are vital for societal or economic stability.

Entities are classified into two main categories, “essential” and “important”, based on their size and their importance for the provision of critical services, the functioning of the market or their particular importance, irrespective of their size.

Essential entities in principle encompass undertakings that belong to a specific list of critical sectors, in particular:

  • Energy
  • Transport
  • Banking
  • Financial Market Infrastructures
  • Health
  • Drinking and Waste Water
  • Digital Infrastructure (including Trust Service Providers and TLD Name Registries)
  • ICT Service Management (B2B)
  • Public administration
  • Space

These entities face stricter cybersecurity obligations, more frequent audits, and greater supervisory oversight due to their crucial role in maintaining societal functions.

Important entities include:

  • Postal and Courier Services
  • Waste Management
  • Manufacture, Production and Distribution of Chemicals
  • Production, Processing and Distribution of Food
  • Manufacturing
  • Digital Providers
  • Research

These entities face lighter regulatory oversight but must still implement robust cybersecurity measures and adhere to essential reporting obligations.

2. NCSA as the competent cybersecurity authority

The National Cybersecurity Authority (“NCSA”), which was established by Law 5086/2024 (see our newsletter here), is designated as

  • the competent authority for cybersecurity to monitor the implementation of the Law;
  • the single point of contact to facilitate cross-border and cross-sector, horizontal cooperation with other competent authorities within Greece;
  • the Cyber Crisis Management Authority and the Computer Security Incident Response Team (CSIRT), although more CSIRTs may be established in the future.

The NCSA is also entrusted with the adoption of the National Cybersecurity Strategy, which shall, among others, set out the strategic objectives and appropriate policy and regulatory measures to achieve a high level of cybersecurity. Moreover, the NCSA will establish a list of essential and important entities to accurately identify the entities falling within the scope of the Law.

3. Governance

The management bodies of essential and important entities are obligated to approve the cybersecurity risk management measures taken by their entities within three (3) months of the entry into force of the draft Law, and to oversee their implementation. They are also required to undergo dedicated cybersecurity training and to offer similar training programs to the employees of their entities, and they may be held personally liable for infringements by the entity, such as failure to implement cybersecurity risk-management measures.

4. Risk Management Measures

Essential and important entities must implement appropriate technical, operational, and organizational measures to manage risks associated with network and information systems used for their activities or the provision of their services and to prevent or minimize the impact of incidents on the recipients of their services. Measures should be proportionate to the level of risk exposure of the entity and the social impact that an incident could have, as well as appropriate to the category of the entity (“risk-based and all-hazards approach”), including:

  • policies on risk analysis and information security;
  • incident management and business continuity planning (e.g., backup management, disaster recovery, and crisis management);
  • supply chain security and secure acquisition of systems;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures and basic cyber hygiene practices;
  • human resources security, access control policies and asset management.

Entities are also required to take corrective actions without delay if found non-compliant with established measures and continuously update their policies and procedures as necessary.

5. Appointment of IT Security Officer

Essential and important entities must designate an Information and Communication Systems Security Officer (ICSECO) responsible for managing communications with the NCSA and ensuring compliance with cybersecurity measures. It is noted that the role of the ICSECO is incompatible with that of the Data Protection Officer (DPO) under the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and that the ICSECO should have an appropriate level of decision-making autonomy in the exercise of his or her functions. 

6. Reporting Obligations

Cyber incident reporting is streamlined and tightened, as the draft Law establishes a multi-step approach: an “early warning” obligation to notify the NCSA's CSIRT of a significant incident within 24 hours, a more comprehensive notification within 72 hours, followed by an additional report if requested by the NCSA, and a final notification within one (1) month at the latest. An incident shall be considered “significant” if:

(a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;

(b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

In addition to notification obligations toward the regulator, when entities face a security incident, where appropriate, they shall inform without undue delay the recipients of their services (a) of the existence of a significant cyber threat, (b) that they are potentially affected by it and (c) of any measures or remedies that those recipients are able to take in response to that threat.

7. Enforcement

The investigation and supervision powers available to the NCSA towards both essential and important entities include on-site inspections, targeted security audits, security scans and requests for information. Essential entities may also face regular audits.

The draft Law also establishes a wide framework for supervision and enforcement. The enforcement measures range from non-monetary remedies (such as warnings, compliance orders, orders for public disclosure of violations of law and, in the case of essential entities, temporary suspensions of certifications or licenses) to administrative fines.

The draft Law, following the fining mechanism of the GDPR, DMA (Regulation 2022/1925 known as “Digital Markets Act – DMA”) and DSA (Regulation 2022/2065 known as “Digital Services Act – DSA”), provides that essential entities may incur fines of up to €10 million or 2% of their total worldwide annual turnover, whichever is higher, while important entities can be fined up to €7 million or 1.4% of their total worldwide annual turnover, whichever is higher.

Final remarks

Overall, the draft Law does not substantially deviate from the corresponding provisions of the NIS2 Directive. Two notable discrepancies are 1) the obligation to appoint an IT Security Officer (ICSECO) and 2) the exclusion from the draft Law's scope of educational institutions that undertake critical research activities.

The draft Law imposes stricter and more comprehensive obligations on a wider range of entities compared to the previous law. Businesses are therefore required to take immediate steps to prepare, as the forthcoming legislation, once finally adopted, will come into force upon publication in the Government Gazette. The public consultation will be open until 2 November 2024.