The draft law of the Ministry of Digital Governance which is under consultation concerns the obligations of public and private entities on issues related to cyber security.
According to the Governor of the Greek National Cybersecurity Authority, Michalis Bletsas, the implementation of the new legislation (incorporation of the EU Directive NIS 2) as regards controls and the imposition of fines, will begin with the obligation to report cyber security incidents as of 2025 and will gradually enforce inspections to companies in order to verify that the prescribed protection measures against cyber-attacks are observed.
The Ministry of Digital Governance refers to 2,000 entities that are subject to cyber security measures, however, it is possible that this number will grow in the future.
As “Naftemporiki” has already reported (14.10.24), specific cyber security measures must be taken by sectors of high criticality such as, among others, business, health, energy, transport, infrastructure, water, financial markets and digital infrastructure. For the first time, the obligations are extended to the public sector (central administration and local government) in the space and wastewater management companies.
Critical sectors are also identified as those related to postal services, manufacturing, production and distribution of chemical products, food processing and distribution, computer products, electronic and optical products and digital providers such as online shopping, search engines, social networking service platforms and research organizations.
From the private sector, the new legislation includes companies in the aforementioned sectors with more than 50 employees and a turnover of 10-50 million euros (small and medium-sized companies), however, the inclusion of smaller companies is also possible if it is considered that their contribution to the chain of activity of a critical entity is important.
Bletsas (researcher and director of computing systems at the MIT Media Lab) in a briefing pointed out that “cybersecurity is a team sport and if we don’t involve all the agencies we won’t be able to raise the level. The obligation to report cyber security incidents did not exist until now. Therefore, we did not have a good picture of the landscape and weaknesses. You can’t improve something you can’t measure.”
Regarding Greece’s level in terms of cyber security, he noted: “Cyber security is a huge area that is neglected both in Greece and in the EU, because it does not have a direct contribution to the final result. However, no damage has been done to our country because we are a small target.”