Security Alert
The National Cybersecurity Requirements Framework for Essential and Important entities (under Law 5160/2024, transposing NIS2 Directive) (“Cybersecurity Requirements Framework”) has now been published.
As previously reported (here), certain entities are obliged to adopt cybersecurity risk-management measures to manage the risks posed to the security of network and information systems and to prevent or minimise the impact of incidents. Management bodies are also required to formally approve these measures; the deadline for this obligation has already lapsed.
The Cybersecurity Requirements Framework introduces a holistic, risk-based approach to cybersecurity, focusing on both technical and organisational measures. It also imposes additional obligations on essential entities and clarifies the duties of management.
The Cybersecurity Requirements Framework sets out, among other things, specific details regarding the following measures:
Develop a tailored cyber risk management framework.
Conduct regular risk assessments, including threat intelligence and system vulnerability evaluations.
Implement security policies and procedures covering access control, incident response, and third-party management (the minimum required policies are provided).
Implement employee-related measures, including background checks on candidates for cybersecurity roles.
Maintain an up-to-date inventory of IT and operational assets and classify them based on criticality.
Establish cybersecurity requirements for suppliers and ICT service providers, including contract clauses, risk-based classification, and ongoing oversight.
Implement structured processes to identify, assess, and remediate vulnerabilities, and ensure timely disclosure of critical issues, including zero-day vulnerabilities, to the competent authorities.
Maintain security training programs for all employees.
The Cybersecurity Requirements Framework further specifies management duties – among others:
Approve the cybersecurity risk management program and ensure its overall implementation, supervision, periodic evaluation, and continuous improvement.
Evaluate the roles, responsibilities and powers of the Security Officer and/or any other individual appointed with similar duties.
Initiate corrective action procedures where the results of the independent audit reveal insufficient implementation of the necessary technical, organisational, and operational cybersecurity measures.
Non-compliance may lead to sanctions up to EUR 10,000,000, or 2% of the entity’s total worldwide annual turnover in the preceding financial year, whichever is higher, depending on the nature and severity of the breach and the entity's classification.
Legal guidance on interpreting and complying with the NIS2 Directive/ Greek cybersecurity Law and the Cybersecurity Requirements Framework
Collaboration with IT partners to implement robust cybersecurity measures and risk management strategies
Assistance with the appointment of a Security Officer and the development of your cybersecurity policies
Training and awareness programs for management and employees tailored to your organisation's needs
Guidance on liability risks and ensuring your management team is fully prepared for compliance requirements