First report must be made within 24 hours of discovery – Responsibility for digital security is shifted to the highest levels
More than 2,000 public and private sector entities will be required by 2025 to comply with the regulations brought by the implementation of NIS 2, the European Union’s latest cybersecurity directive.
Otherwise, as the head of the National Cybersecurity Authority (NCA), Michalis Bletsas, pointed out in an informal briefing yesterday, sanctions may be imposed: administrative fines on private sector entities and on public administration bodies, temporary suspension of certification covering part or all of the relevant services, and a temporary ban on any natural person responsible for exercising managerial duties.
The new directive, which Greece is transposing into national law, establishes an obligation to report cybersecurity incidents.
Businesses and agencies must make their first report within 24 hours of the moment they detect an incident, and responsibility for digital security now moves to the highest echelons of the organization.
“Until now, the responsibility rested with the security managers of the information systems. Now, this responsibility is transferred to the management of a company,” explained officials of the National Cybersecurity Authority at an informal briefing.
The relevant bill is in public consultation and is expected to be passed by the end of the year, although it will take some time before the detailed specifications for companies' cybersecurity systems are settled, as these will be determined according to the particularities of each sector covered by the directive.
Who does it concern?
The list of organizations, agencies and businesses required to comply is quite long since, as was pointed out, it includes all those whose shutdown would cause a problem for society.
In particular, the list includes all companies that employ between 50 and 250 people and have a turnover of between 10 and 250 million euros, as well as larger companies, active in sectors such as:
• Public administration
• ICT (Information and Communication Technologies) service management
• Space
• Wastewater
• Postal services
• Waste management
• Food
• Chemical products (manufacture, production, distribution)
• Construction sector
Basic obligations
Regarding obligations, public sector organizations and private sector companies will have the following:
1. Obligations to take cybersecurity measures
Public sector organizations and private sector enterprises must take detailed risk management measures, based on a holistic approach to risk, that aim to protect network and information systems and the physical environment of those systems from incidents.
2. Obligations to report cybersecurity incidents to the EAK
Agencies must report cybersecurity incidents to the EAK (the Greek acronym for the NCA), ensuring timely communication of, and response to, threats.
We should mention that these incidents will be made public.
Penalties in case of non-compliance
An effective and dissuasive sanctioning mechanism is established to ensure the implementation of the relevant regulations. The sanctions are effective and fully respect the principle of proportionality.
Mr. Bletsas said that the EAK will focus on the reporting of cybersecurity incidents, since only in this way can there be a complete picture of the cyber attacks occurring in Greece and measures be taken to deal with them. Failure to report may result in penalties in the form of fines provided for in the bill, which can reach €10 million or 2% of a company’s global turnover.
As highlighted, the legislation will strengthen control mechanisms and ensure that organizations comply with security standards, reducing the risk of cyber-attacks and safeguarding the rights of citizens and the security of businesses.
The measures to be taken by agencies and businesses
Indicatively, these include:
a. Policies and procedures for risk analysis and information systems security
b. Incident management
c. Business continuity, such as backup and disaster recovery management, as well as cyber incident management
d. Supply chain security to adequately manage the risks arising from the relationships between each entity and its direct suppliers or service providers
e. Security in the acquisition, development and maintenance of network and information systems, including the handling and disclosure of vulnerabilities
f. Policies and procedures for evaluating the effectiveness of cybersecurity risk management measures
Source: Skai