The NIS2 Directive (Network and Information Security Directive 2) is the most important European cybersecurity legislation. It has been in force since October 2024, and Greece has transposed its provisions into national law. Which businesses are affected, what are their obligations, and what penalties are foreseen?
🛡️ What is the NIS2 Directive?
NIS2 is the second version of the European directive on network and information security. It replaces the original NIS from 2016 and introduces stricter requirements, a broader scope, and higher fines.
- 📋 Critical Sectors: 18 critical infrastructure sectors
- 🏢 Businesses in the EU: 160,000+ affected by NIS2
- 🇬🇷 Greek Businesses: ~3,500 fall under the obligations
🏭 Which businesses are affected in Greece?
NIS2 classifies businesses into two categories: Essential Entities and Important Entities. The criteria are the sector of activity and company size.
🔴 Essential Entities
Large enterprises (>250 employees or >€50M turnover) in the following sectors:
- Energy (electricity, natural gas, oil)
- Transport (aviation, rail, maritime)
- Banking sector
- Financial market infrastructure
- Healthcare (hospitals, clinics)
- Drinking water & wastewater
- Digital infrastructure (DNS, TLD, cloud)
- Public administration
- Space
🟡 Important Entities
Medium-sized enterprises (50–250 employees or €10–50M turnover) in the following sectors:
- Postal services
- Waste management
- Chemical products
- Food (production, distribution)
- Medical device manufacturing
- Electronic equipment
- Machinery & vehicles
- Digital services (marketplaces, search engines)
📋 The 10 Key Obligations
1. Risk Management: cybersecurity risk analysis and assessment
2. Incident Management: procedures for responding to cyberattacks
3. Business Continuity: backup, disaster recovery, crisis management
4. Supply Chain Security: vetting of suppliers and partners
5. Secure Systems Development: security by design in new projects
6. Effectiveness Assessment: regular effectiveness audits
7. Staff Training: cyber hygiene training for everyone
8. Encryption: use of encryption where required
9. Access Control: multi-factor authentication, access control
10. Incident Reporting: 24 hours for initial notification
⚠️ Fines and Penalties
| Category | Maximum Fine (fixed amount) | Maximum Fine (% of global turnover) |
|---|---|---|
| Essential Entities | €10,000,000 | 2% |
| Important Entities | €7,000,000 | 1.4% |
⚠️ The higher of the two amounts applies
Beyond financial penalties, NIS2 also provides for personal liability of senior management. In cases of negligence, board members may face a ban from exercising managerial duties.
📅 Compliance Timeline
🇬🇷 What Greek businesses should do now
- Assess whether you fall under NIS2: check your sector of activity and company size.
- Register with the National Authority Registry: registration is mandatory by April 2026.
- Conduct a gap analysis: identify the gaps between your current state and NIS2 requirements.
- Appoint a security officer: appoint a CISO or assign the role to an external consultant.
- Implement an action plan: prioritize actions based on risk and cost.
💡 The Bottom Line
NIS2 is not just another regulatory obligation – it is an opportunity for Greek businesses to truly strengthen their cybersecurity. With fines reaching €10 million and personal liability for executives, compliance is no longer optional. Those who prepare early will be at a competitive and regulatory advantage.