Strengthening Cybersecurity: New Obligations Introduced by JMD 1689/2025 under Law 5160/2024

Friday, 06 June 2025

As part of Greece’s National Cybersecurity Strategy, Joint Ministerial Decision (JMD) No. 1689/2025 sets out detailed technical, operational, and organisational measures for entities falling under Article 4 of Law 5160/2024. The new regulation builds on key principles such as proportionality and accountability, adopting a comprehensive “all hazards” approach to cybersecurity risk.

A notable development is the clear assignment of responsibility to the entity’s highest administrative authority, which is now tasked with approving, implementing, supervising, and evaluating the cybersecurity programme. Entities are also required to prepare and follow a risk treatment plan, based on structured risk assessments and formal cybersecurity policies.

Depending on their role and scale, organisations must assign responsibilities to staff and appoint a dedicated Information and Communication Systems Security Officer (ICS Officer). Further obligations include background checks and cybersecurity awareness training for personnel.

Security requirements extend to independent audits, either internal or external, as well as continuous compliance assessments and corrective measures where needed. A current IT asset inventory, categorised by vulnerability and protection level, must also be maintained.

Additional obligations apply to relationships with external IT service providers. These include transparency through service catalogues, ongoing evaluation, and the application of stricter requirements for providers of critical services.

Entities must also implement strong access control mechanisms, using personalised credentials, multi-factor authentication, and secure system configurations. Technical protections include vulnerability scanning, security patches, zero-day response processes, and penetration testing, with follow-up actions as necessary. Firewalls, network segmentation, and Domain Name System (DNS) protection are also required.

Further measures include malware detection, email security, and safeguards against access to malicious websites. Cryptographic controls, physical access security, and supervision mechanisms complete the set of technical and operational safeguards.

The decision establishes a framework for an integrated, effective cybersecurity programme that anticipates risks, enforces preventive measures, and ensures readiness to respond or recover when necessary.

Ballas Pelecanos Law offers strategic legal support for entities subject to cybersecurity and data protection obligations under Greek and EU law. Our team assists clients in setting up internal policies, ensuring compliance, and managing legal exposure in a rapidly evolving digital environment.

For targeted legal guidance, contact our expert Data Privacy team at [email protected] 
