
Greece transposes Directive (EU) 2022/2557 on the resilience of critical entities

Greece has introduced Law 5236/2025, bringing into national law the EU Directive 2022/2557 on the resilience of critical entities (CER Directive) (the “Law”). The new framework establishes a comprehensive, all-hazards approach to ensure the resilience of entities providing essential services. The Law coordinates with Greece’s NIS2 regime (Law 5160/2024), aligning physical and organisational resilience requirements with cybersecurity obligations.

Entities within scope

A private sector entity is designated as a critical entity under the Law only when all of the following cumulative criteria are met:

  • Essential service: The entity provides one or more essential services in a sector covered by the Law, such as energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space, or the production, processing and distribution of food. Operating in a listed sector is the starting point; the service itself must be one whose disruption would matter to vital societal functions or economic activities.

  • Territorial nexus: The entity operates, and its critical infrastructure is located, in Greek territory.

  • Significant disruptive effect: An incident would have significant disruptive effects on the entity’s provision of one or more essential services, or on the provision of other essential services that depend on those essential services.

The General Secretariat for the Protection of Critical Entities, as competent authority, will identify critical entities on the basis of these criteria by 17 July 2026 and notify them of their designation.

Obligations

Entity level risk assessment

Critical entities must conduct a comprehensive risk assessment covering all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies and hostile acts, and including risks of a cross-sectoral or cross-border nature, so that every risk capable of disrupting the provision of essential services is identified and addressed. The assessment also has to account for dependencies on other sectors and on entities in other Member States.

Resilience measures

Critical entities are required to adopt and maintain appropriate and proportionate technical, security and organisational measures, documented in a resilience plan, covering prevention, physical protection of premises and infrastructure, incident response and mitigation, recovery, and the security management of employees.

Single point of contact

Each critical entity must designate a representative or qualified executive as the point of contact with the competent authority.

Background checks

Critical entities may request the competent police directorate to carry out background checks on persons who hold sensitive roles, who have direct or remote access to the entity's premises, information or ICS/control systems, or who are being considered for such positions. Checks must be proportionate and carried out in accordance with EU and Greek data protection rules.

Incident reporting

Critical entities must notify the competent authority without undue delay of any incident that significantly disrupts, or has the potential to significantly disrupt, the provision of essential services. The CER Directive frames this as an initial notification within 24 hours of the entity becoming aware of the incident, followed by a detailed report within one month, and the notification should describe the incident's nature, cause, likely consequences and any cross-border impact.

Sanctions

Non-compliance with the Law can result in administrative fines ranging from EUR 1,000,000 to EUR 10,000,000, depending on the nature and severity of the breach.

Interplay with Law 5160/2024 (NIS2)

The Law complements Law 5160/2024, which transposed the NIS2 Directive in Greece. Cybersecurity risk management, CSIRT incident reporting and management accountability under Law 5160/2024 continue to apply to in-scope entities, while the new Law addresses physical and organisational resilience against all hazards. An entity identified as critical under the new Law is also treated as an essential entity for the purposes of the NIS2 regime. The competent authorities under the two laws are required to coordinate, so that supervision, reporting channels and enforcement do not duplicate each other and the administrative burden on entities is kept down.