EY in Greece and Microsoft have conducted a study on the compliance challenges faced by Greek businesses in a fragmented cybersecurity regulatory landscape.
The rapid evolution of digital technology, beyond its business benefits, has also made cybercrime more sophisticated, adding to the cost businesses incur to manage security risk. At the same time, digitalization is shaping a fast-changing yet fragmented regulatory environment with which organizations are required to comply.
A new study by EY in Greece and Microsoft examines, for the first time, the compliance challenges associated with the current cybersecurity legal and regulatory landscape in Greece. The aim of the study is to support Greek businesses in their efforts to ensure compliance with the abundance of regulatory requirements, while successfully adapting to an ever-changing digital environment.
Facing a complex regulatory environment
The growing importance of cybersecurity has led governments and supranational organizations, such as the European Union, to introduce specialized regulations and laws. These measures have made compliance and systematic monitoring of companies' obligations an increasingly complex task.
For the first time in the Greek market, the study attempts a comprehensive analysis of the current national and European cybersecurity legal and regulatory landscape. It presents a detailed overview of European Directives, such as NIS, NIS II and CERD, as well as the main legislative acts on cybersecurity in Greece (Law 4577/2018, Law 4961/2022). The study also explores their scope of application and outlines the necessary steps for Greek businesses to achieve compliance with these regulations.
In line with the developments in the EU, Greece has adopted the National Cybersecurity Strategy (2020-2025) and has actively taken measures to enhance the country’s level of information security. The National Strategy includes a clear action plan for the National Cybersecurity Authority and highlights the gradual progress made by Greek public bodies in implementing coherent cybersecurity governance policies, enforcing regulations, and overseeing the private sector.
As part of the EU Cybersecurity Strategy framework, the European Union has already adopted the Cybersecurity Act and the sectoral Digital Operational Resilience Act (DORA) for the financial sector. Both are EU regulations rather than directives, so they apply directly in Greece without national transposition.
The overall legal and regulatory landscape aims to strengthen the resilience of organizations across all sectors and industries against cyber threats, thereby reducing overall cybersecurity risk. However, keeping up with the expanding requirements poses additional challenges for businesses, including demands on management attention, time and cost, as well as the development of skills, talent and training.
Increased digitalization leads to increased compliance challenges
To further explore these challenges, the study features a survey conducted on a sample of cybersecurity professionals from large Greek companies, operating in various sectors of the economy, such as financial services, energy, telecommunications, and the public sector.
The study traces the main sources of these compliance challenges to the following four areas:
- Fragmentation of the regulatory and legislative landscape
- Organizational and administrative concerns
- Management of third-party compliance
- Availability of talent and skills to effectively manage cybersecurity compliance