On 14 February 2024, Law 5086/2024 (OJ 23/A/14-2-2024) entered into force, establishing the “National Cybersecurity Authority” for the prevention and management of cyber-attacks. The most important provisions of the new Law regarding this Authority can be summarized as follows:

Purpose:
The Authority was established with the general objective of ensuring a high level of cybersecurity, covering prevention, protection, deterrence, detection, response and recovery from cyber-attacks.

Role & Responsibilities:
The Authority shall be responsible for:

- advising the National Security Council and formulating the National Cybersecurity Strategy.

- recommending legislative measures to the Minister of Digital Government, collaborating on a cybersecurity certification framework, and promoting cybersecurity education and awareness. The Authority shall support research, development, and partnerships, formulate technical measures for ICT systems and act against cybercrime.

- monitoring and controlling compliance with the legal framework for cybersecurity, imposing sanctions and developing a certification framework for cybersecurity products and services. It shall actively participate in the prevention of, protection against, and response to threats, in cooperation with the relevant cybersecurity authorities at national, EU and international level, in order to achieve national objectives, ensure a high level of security and protect individual rights in cyberspace.

- developing the National Contingency Plan, contributing to the National Risk Assessment Plan and the National Cyber Incident and Crisis Response Plan, which shall be submitted to the Cybersecurity Coordination Committee for approval.

- supporting the development of e-government applications with a focus on cybersecurity, representing the country on cybersecurity issues internationally and coordinating its representatives in European and international organizations.

The Authority’s powers shall be exercised with a view to national security, defense, public order, and safety. Cooperation with relevant agencies, such as the Ministry of National Defense, the Ministry of Citizen Protection, and the National Intelligence Service (E.Y.Π., in Greek), is vital. However, the Authority does not have jurisdiction over information and communication technology systems governed by national or Union rules on the protection of classified information.

According to the Ministry of Digital Governance, Law 5086/2024 reflects the country’s response to the escalating national requirements and the commitments of the European Union. It provides for the implementation of appropriate and proportionate technical, operational, and organizational measures to effectively manage risks to the security of network and information systems.
In addition, developments are expected in relation to harmonization with European Directive 2022/2555 (NIS2 Directive), which is expected to be incorporated into Greek legislation. It should be noted that Member States are required to adopt and publish the measures necessary to comply with the NIS2 Directive by 17 October 2024.

The Editorial Team