NIS2 Greece Compliance Guide: ENSI Authority, Maritime & Energy Sector Requirements, and What Greek Entities Must Do in 2026
Complete guide to NIS2 compliance in Greece. Covers the ENSI (Εθνική Αρχή Κυβερνοασφάλειας) authority, entity classification, maritime fleet obligations, island energy infrastructure, GR-CSIRT incident reporting, penalties up to €10M, and the compliance roadmap for Greek entities.
Greece occupies a unique position in the EU’s NIS2 compliance landscape. It controls the world’s largest merchant fleet by tonnage, operates critical energy infrastructure across dozens of inhabited islands, and sits at the crossroads of Mediterranean submarine cable routes connecting Europe to the Middle East and North Africa. Yet Greece was among the majority of EU member states that missed the 17 October 2024 transposition deadline — the European Commission opened infringement proceedings in early 2025.
The Greek Ministry of Digital Governance (Υπουργείο Ψηφιακής Διακυβέρνησης), acting through the national cybersecurity authority ENSI (Εθνική Αρχή Κυβερνοασφάλειας / National Cyber Security Authority), is now advancing the transposition of NIS2 (Directive (EU) 2022/2555) into national law. This guide covers everything Greek entities, and the cyber insurance professionals who underwrite them, need to know: the legal framework, competent authorities, entity classification, sector-specific obligations (especially maritime and island energy), penalties including personal management liability, incident reporting via GR-CSIRT, and the practical compliance roadmap.
Greek NIS2 Legislation: From Law 4577/2018 to NIS2 Transposition
Greece’s existing cybersecurity legal framework rests on two pillars:
- Law 4577/2018 — Transposed the original NIS Directive (2016/1148) into Greek law, establishing obligations for operators of essential services (OES) and digital service providers (DSP).
- Law 4764/2021 — Strengthened ENSI’s role as the national cybersecurity authority and expanded incident reporting obligations.
The NIS2 transposition requires a substantial overhaul of this framework to address NIS2’s dramatically expanded scope (from ~4,000 entities under NIS1 to an estimated 15,000–20,000 under NIS2), stricter risk management requirements, supply chain security obligations, and personal management liability.
Current status: The Greek government is preparing the transposition legislation, which is expected to be a comprehensive new law replacing or substantially amending Law 4577/2018. The delay past the EU deadline exposes Greece to continued infringement proceedings, but in practice, Greek entities should already be aligning with NIS2 requirements — the directive sets the compliance baseline regardless of national transposition timing.
For the broader EU framework, see our NIS2 Compliance Guide 2026 and NIS2 Essential vs Important Entities classification guide.
Who Regulates: Greece’s Cybersecurity Authority Landscape
ENSI — National Cyber Security Authority
ENSI (Εθνική Αρχή Κυβερνοασφάλειας) under the Ministry of Digital Governance is Greece’s primary competent authority for NIS2. Its responsibilities include:
- National cybersecurity strategy and policy coordination
- Oversight of essential and important entities’ compliance
- Operation of GR-CSIRT (the national Computer Security Incident Response Team)
- Risk management framework development and sector-specific guidance
- Incident reporting coordination and threat intelligence sharing
- Cross-border coordination with ENISA and other EU national authorities
Sector-Specific Competent Authorities
Greece’s institutional framework involves multiple regulators with sector-specific competences:
| Authority | Sector | NIS2 Role |
|---|---|---|
| ADAE (Authority for Assuring the Confidentiality of Communications) | Telecommunications/electronic communications | Sector-specific competent authority |
| EETT (National Telecommunications & Post Commission) | Telecoms regulation | Coordination with ENSI |
| RAE (Regulatory Authority for Energy) | Energy | Sector-specific competent authority |
| Ministry of Maritime Affairs | Maritime transport, ports | Coordination on maritime cybersecurity |
| Bank of Greece | Banking/financial | Overlaps with DORA regulation |
| Ministry of Health | Healthcare | Sector coordination for hospital entities |
GR-CSIRT — National Incident Response
GR-CSIRT, operated by ENSI, is the central incident reporting hub. It coordinates with sector-specific CSIRTs and international partners through ENISA’s network. Under NIS2, GR-CSIRT will be the single point of contact for all significant incident reporting.
For incident reporting procedures across the EU, see our NIS2 Incident Reporting Requirements guide.
Who Must Comply: Essential and Important Entities in Greece
NIS2 dramatically expands the scope of entities that must comply. In Greece, this means moving from approximately 200–400 entities under the original NIS Directive to potentially 5,000+ entities under NIS2.
Essential Entities in Greece
Entities in these sectors are classified as essential (subject to the most stringent obligations):
Energy:
- IPTO/ADMIE (Independent Power Transmission Operator)
- HEDNO/ΔΕΔΔΗΕ (Hellenic Electricity Distribution Network Operator)
- PPC/ΔΕΗ (Public Power Corporation)
- DESFA (natural gas transmission)
- Motor Oil, Hellenic Petroleum/ELPE (oil refineries)
- Renewable energy operators above threshold
- Island autonomous power systems (non-interconnected islands)
Transport:
- Piraeus Port Authority (largest port in the Mediterranean)
- Thessaloniki Port Authority
- Major Greek shipping companies’ shore-based infrastructure
- Athens International Airport, Thessaloniki Airport
- Hellenic Railways (OSE/TrainOSE)
Banking and Financial Market Infrastructure:
- Systemic banks: Piraeus Bank, Eurobank, National Bank of Greece, Alpha Bank
- Payment systems and clearing houses
Health:
- Major hospital networks and reference hospitals
- National health system (ESY) digital infrastructure
Digital Infrastructure:
- DNS providers, TLD registries (.gr, .ελ)
- Cloud service providers operating in Greece
- Data center operators
- Trust service providers
Water:
- Athens Water Supply (EYDAP), Thessaloniki Water Supply (EYATH)
Important Entities in Greece
Entities that meet size thresholds (50+ employees AND €10M+ turnover) in sectors including:
- Manufacturing (food production, pharmaceuticals, electronics)
- Digital providers (online marketplaces, search engines, social networks)
- Postal and courier services
- Waste management
- Food production and distribution
The Maritime Sector: Greece’s Unique Challenge
Greece controls approximately 20% of the global merchant fleet by tonnage and 50% of the EU fleet. Under NIS2, the maritime dimension creates several unique compliance considerations:
- Shore-based entities: Greek shipping companies’ headquarters, fleet management systems, and shore-based IT infrastructure fall under NIS2 as “transport” essential entities. Companies like Navios Maritime, Star Bulk, and dozens of other Greek ship management firms are in scope.
- Port infrastructure: Piraeus (top-5 European container port), Thessaloniki, Patras, Heraklion, and other major port operators must comply with both NIS2 and the IMO’s maritime cybersecurity framework.
- Vessel systems: While individual vessels on international voyages fall under IMO rather than NIS2, the systems connecting vessels to shore (AIS, ECDIS, vessel management platforms) create a complex jurisdictional interface.
- Flag state vs. port state: Greek-flagged vessels are subject to Greek maritime authority oversight, while vessels calling at Greek ports are subject to port state requirements.
For cyber insurance considerations in the maritime sector, see our Critical Infrastructure Underwriting Under NIS2 guide.
Island Energy Infrastructure
Greece has approximately 227 inhabited islands, many operating autonomous power systems that are not connected to the mainland grid. These represent a unique NIS2 compliance challenge:
- Non-interconnected islands (Νησιά Μη Διασυνδεδεμένα): Each autonomous power system is critical infrastructure. Islands like Crete (now being interconnected), Rhodes, Lesbos, and dozens of smaller islands operate independent grids with limited redundancy.
- Single points of failure: Many island systems have single undersea cable connections or satellite links — a cyberattack could isolate an island entirely.
- Limited cybersecurity expertise: Island-based infrastructure operators often lack dedicated cybersecurity staff.
- Interconnection projects: Major projects connecting islands to the mainland (Crete-Attica interconnection, Cyclades interconnections) create transitional cybersecurity challenges.
Compliance Requirements Under NIS2
Greek essential and important entities must implement the Article 21 risk management measures:
Management Responsibility
- Management body approval of cybersecurity risk management measures
- Cybersecurity training for all management members
- Personal liability for failures to implement adequate measures
- Regular review and update of cybersecurity policies
Risk Management Framework
- Risk analysis and information system security policies
- Incident handling procedures (aligned with GR-CSIRT reporting)
- Business continuity, backup management, and disaster recovery
- Supply chain security — including risk assessments of ICT suppliers and vendors
- Security measures for network and information systems
- Cryptography and encryption policies
- Access control and identity management
- Vulnerability handling and disclosure policies
Supply Chain Security
NIS2’s supply chain requirements are particularly impactful for Greece:
- Greek shipping companies rely on global technology vendors for vessel management, navigation, and communications
- Island energy operators depend on specialized OT/SCADA vendors with limited alternatives
- Tourism industry platforms depend on international booking and payment providers
For a complete supply chain compliance guide, see our NIS2 Supply Chain Security Requirements.
Incident Reporting in Greece
GR-CSIRT Reporting Obligations
Under NIS2, Greek entities must report significant incidents to GR-CSIRT in three stages:
| Phase | Timeline | Content |
|---|---|---|
| Early Warning | Within 24 hours | Initial alert, suspected severity, potential cross-border impact |
| Incident Notification | Within 72 hours | Initial assessment, indicators of compromise, ongoing impact |
| Final Report | Within 1 month | Root cause analysis, remediation measures, lessons learned |
Significant Incident Criteria
An incident is “significant” if it:
- Has caused or is capable of causing severe operational disruption or financial loss
- Has affected or is capable of affecting other natural or legal persons
- Has caused or is capable of causing material damage to the entity’s customers
Sector-Specific Reporting
- Telecoms: Report to both ENSI/GR-CSIRT and ADAE
- Energy: Report to ENSI and coordinate with RAE
- Maritime: Report to ENSI and coordinate with Ministry of Maritime Affairs and international (IMO) reporting channels
- Banking: May overlap with ECB/SSM incident reporting under DORA
Penalties and Enforcement
NIS2 mandates minimum penalty levels that Greece must implement:
Essential Entities
- Maximum fine: €10,000,000 or 2% of global annual turnover (whichever is higher)
- Personal liability for management body members
- Mandatory remediation orders
Important Entities
- Maximum fine: €7,000,000 or 1.4% of global annual turnover (whichever is higher)
Additional Enforcement Powers
- Security audits and on-site inspections by ENSI
- Binding instructions to remediate vulnerabilities
- Orders to implement specific security measures
- Temporary ban on natural persons in management positions (in severe cases)
- Public disclosure of enforcement actions
The Management Liability Wake-Up Call
For Greek family-owned shipping companies and SME-dominated sectors, the personal management liability provisions represent a major cultural shift. Greek maritime companies — many still family-owned with concentrated ownership and management — must now formalize cybersecurity governance in ways that go beyond traditional corporate structures.
For a full breakdown of personal liability risks, see our NIS2 Board Liability and Management Personal Fines guide.
Practical Compliance Roadmap for Greek Entities
Phase 1: Classification (Week 1-2)
- Determine if your entity qualifies as essential or important under NIS2
- Identify your sector-specific competent authority (ENSI, ADAE, RAE)
- Register with ENSI when the registration portal opens
- Document your entity classification rationale
Phase 2: Governance Setup (Week 2-4)
- Formalize board-level cybersecurity oversight (critical for family-owned enterprises)
- Ensure all management members complete NIS2-aware cybersecurity training
- Appoint a cybersecurity lead or CISO (may be outsourced for smaller entities)
- Establish internal reporting and escalation procedures
Phase 3: Risk Assessment (Week 3-6)
- Conduct comprehensive cybersecurity risk assessment covering all Article 21 domains
- Map all ICT assets, including OT/SCADA systems (especially for energy and maritime entities)
- Identify critical dependencies and single points of failure
- For island operators: assess isolation risk and backup communications
Phase 4: Supply Chain Mapping (Week 4-8)
- Create complete ICT supplier register
- Classify critical suppliers based on access level and data sensitivity
- Initiate security assessments for top-tier vendors
- Review and update supplier contracts with NIS2-compliant security clauses
Phase 5: Technical Controls (Week 6-10)
- Implement multi-factor authentication across all critical systems
- Verify cryptographic controls meet current standards
- Confirm network segmentation between OT and IT environments
- Test business continuity and disaster recovery procedures
Phase 6: Incident Response (Week 8-12)
- Document incident response procedures aligned with GR-CSIRT requirements
- Establish 24/7 monitoring capability (may be outsourced to MSSP)
- Register with GR-CSIRT portal for incident submission
- Conduct tabletop exercise and document results
For a structured approach, download our NIS2 Compliance Checklist PDF — a 15-point guide covering all compliance domains.
How This Affects Cyber Insurance in Greece
Greece’s NIS2 implementation creates significant implications for the cyber insurance market:
- Maritime Cyber Insurance Surge: Greek shipping companies face new compliance obligations that directly impact insurability. Underwriters are adding NIS2 compliance verification to maritime cyber questionnaires. Non-compliant entities face higher premiums or coverage exclusions.
- Infrastructure Risk Repricing: Island energy operators present unique accumulation risk — a single cyberattack could take down power to an entire island, triggering business interruption and property damage claims simultaneously.
- Compliance as Insurability Precondition: Greek entities that cannot demonstrate NIS2 compliance to ENSI will face increasing difficulty obtaining or renewing cyber coverage. Insurers are treating NIS2 compliance as a minimum security baseline.
- DORA-NIS2 Overlap: Greek financial institutions face dual compliance obligations under both NIS2 and DORA. Cyber insurance policies must be carefully structured to address both regulatory frameworks.
- Demand Acceleration: As ENSI escalates enforcement, demand for cyber insurance from Greek mid-market companies is expected to grow significantly, particularly in manufacturing, tourism infrastructure, and food production.
For brokers placing Greek cyber risk, see our Cyber Insurance Buying Guide 2026 and NIS2 Underwriting Questions for Brokers for the complete question set.
Comparison: ENSI vs Other Southern EU Authorities
| Aspect | ENSI (Greece) | ANSSI (France) | INCIBE (Spain) |
|---|---|---|---|
| Primary focus | Maritime, energy, island infrastructure | Formal notices, sector programs | Structured sector programs |
| Incident portal | GR-CSIRT | SIGNALEMENT | INCIBE-CERT |
| Maritime emphasis | Very high — world’s largest fleet | Moderate | Moderate |
| Island infrastructure | Unique challenge | Limited (Corsica) | Limited (Balearics, Canaries) |
| SME support | Limited | Limited | Etiqueta de Seguridad Cibernética |
| Transposition status | Late/pending | Enacted | Enacted |
| Cross-border coordination | Active in EU/ENISA | Active | Active |
For the French perspective, see our NIS2 France ANSSI Compliance Guide. For Spain, see our NIS2 Spain INCIBE Guide.
The Bottom Line
Greece’s NIS2 implementation is late but inevitable. When the national law enters into force, ENSI will gain enforcement powers affecting thousands of entities across maritime, energy, tourism, and digital infrastructure sectors. The unique challenges — the world’s largest merchant fleet, dozens of island energy grids, critical submarine cable infrastructure — make Greek NIS2 compliance a matter of EU-wide significance.
The minimum standard: classified and registered with ENSI, governance formalized at board level, risk assessment completed, incident response tested, supply chain mapped. For Greek maritime and energy entities, the time to start is now — not when enforcement begins.