ISMS Copilot
Ν. 5160/2024

Ν. 5160/2024 Copilot

Navigate Greece's NIS 2 transposition law with clarity and confidence

Start Free TrialSee it in action

What the Ν. 5160/2024 Copilot Can Do

Identify whether your organisation qualifies as essential or important under Ν. 5160/2024

Understand the ten risk management domains required by the law

Navigate the 24h, 72h, and one-month incident notification timeline to EL-CSIRT

Map supply chain security obligations to your third-party relationships

Interpret board-level accountability and mandatory cybersecurity training requirements

Compare ex ante and ex post supervisory regimes applicable to your entity type

About Ν. 5160/2024 Copilot

Ν. 5160/2024 (ΦΕΚ Α' 195/27.11.2024) transposes the NIS 2 Directive into Greek law, establishing cybersecurity obligations for essential and important entities operating in Greece. The Ν. 5160/2024 Copilot helps you interpret the law's requirements, understand supervisory expectations, and prepare your organisation for compliance.

Who it's for

NIS 2

Parent EU directive — transposed into Greece's national law.

NIS 2 Germany

Sister national transposition of NIS 2.

NIS 2 Belgium

Sister national transposition of NIS 2.

Frequently Asked Questions

What is Ν. 5160/2024?

Ν. 5160/2024 is the Greek law that transposes the EU NIS 2 Directive (2022/2555) into national legislation, published in ΦΕΚ Α' 195/27.11.2024. It replaces Ν. 4577/2018, establishes the National Cybersecurity Authority (ΕΑΚ) as the competent authority, and sets binding cybersecurity risk management and incident notification obligations for essential and important entities in Greece.

How does the Ν. 5160/2024 Copilot help?

The Copilot helps you interpret the obligations in Ν. 5160/2024 and the implementing framework under ΚΥΑ 1689/2025, so your team can identify gaps, draft relevant policies, and understand supervisory and penalty provisions — including fines of up to €10,000,000 or 2% of global annual turnover for essential entities under άρθρο 26.

How does Ν. 5160/2024 interact with GDPR obligations?

When a cybersecurity incident also involves personal data, organisations must notify the ΕΑΚ or EL-CSIRT under Ν. 5160/2024 and separately notify the ΑΠΔΠΧ within 72 hours under Art. 33 GDPR — the two obligations run in parallel and neither authority replaces the other. Financial entities subject to DORA (EU) 2022/2554 should also note that DORA applies as lex specialis in its scope.

Ready to streamline your compliance work?

Built for speed, accuracy, and audit-ready output.

Try ISMS Copilot 2.0