As part of Greece’s National Cybersecurity Strategy, Joint Ministerial Decision (JMD) No. 1689/2025 sets out detailed technical, operational, and organisational measures for entities falling under Article 4 of Law 5160/2024. The new regulation builds on key principles such as proportionality and accountability, adopting a comprehensive “all hazards” approach to cybersecurity risk.
A notable development is the clear assignment of responsibility to the entity’s highest administrative authority, which is now tasked with approving, implementing, supervising, and evaluating the cybersecurity programme. Entities are also required to prepare and follow a risk treatment plan, based on structured risk assessments and formal cybersecurity policies.
Depending on their role and scale, organisations must assign responsibilities to staff and appoint a dedicated Information and Communication Systems Security Officer (ICS Officer). Further obligations include background checks and cybersecurity awareness training for personnel.
Security requirements extend to independent audits, either internal or external, as well as continuous compliance assessments and corrective measures where needed. An up-to-date IT asset inventory, categorised by vulnerability and protection level, must also be maintained.