European Directive 2022/2555 (NIS 2): cybersecurity and a practical compliance audit framework for NIS2 and the implementing Law 5160/2024

Abstract
The rapid development of information and communication technologies, combined
with the continuous digitalisation of economic, social, and administrative activities, has
fundamentally transformed the way businesses and organisations operate. The increasing
reliance on digital infrastructures, information systems, and network services has elevated
cybersecurity to a critical factor for ensuring business continuity, data protection, and the
proper functioning of both the private and public sectors. At the same time, this growing
dependence on digital systems has significantly expanded the attack surface, rendering
information systems more vulnerable to increasingly sophisticated and evolving cyber
threats.
Cybercrime, cyberattacks, and organised malicious activities in cyberspace now
constitute systemic risks with serious economic, social, and institutional consequences.
Attacks such as phishing, malware infections, ransomware incidents, and distributed denial-of-service (DDoS) attacks not only compromise the technical integrity of information systems
but also directly affect user trust, the protection of personal data, and, in certain cases, national
security. In this context, cybersecurity can no longer be regarded as a purely technical issue;
rather, it has become a core element of organisational governance, regulatory compliance, and
legal accountability for businesses and organisations.
At the European level, the need for a unified, coherent, and effective regulatory
framework led to the adoption of Directive (EU) 2022/2555, commonly referred to as the NIS2
Directive, which repealed and substantially reinforced the previous NIS1 framework. NIS2
introduces stricter and more clearly defined obligations for a broader range of entities,
categorising them as essential and important entities, and establishes a risk-based approach
to cybersecurity governance grounded in the principles of proportionality and accountability.
A central pillar of the Directive is the obligation to implement appropriate technical,
organisational, and operational cybersecurity risk management measures, as well as to ensure
timely incident reporting and response.
Greece transposed the NIS2 Directive into national law through Law 5160/2024, which
constitutes the new institutional framework for cybersecurity in the country. This law
modernises the provisions of the former Law 4577/2018 and establishes an integrated
cybersecurity governance system, defining competent authorities, supervisory and
enforcement mechanisms, and sanctions for non-compliance by obligated entities.
Furthermore, through secondary legislation—most notably Ministerial Decision No.
1689/2025—the general obligations introduced by NIS2 and Law 5160/2024 are further
specified by defining concrete cybersecurity policies, procedures, and security measures that
essential and important entities are required to adopt and implement.
The purpose of this thesis is to provide a systematic analysis of the regulatory and
organisational cybersecurity framework introduced by the NIS2 Directive and its
implementing Law 5160/2024, as well as to present a practical compliance audit framework
applicable to businesses and organisations. The thesis aims to bridge the gap between the
theoretical foundations of cybersecurity and the practical implementation of regulatory
requirements, highlighting the role of organisational standards, technical safeguards, and
institutional enforcement mechanisms.
The methodology adopted in this study is based on a combined analysis of technical,
organisational, and legal sources, including European directives, national legislation,
international information security standards, and regulatory acts. Particular emphasis is
placed on cybersecurity risk management, the role of competent authorities, incident
reporting obligations, and the importance of business continuity and crisis management
mechanisms.
The structure of the thesis reflects the progressive development of the subject matter.
Initially, fundamental concepts related to cybersecurity, cybercrime, and technological
evolution are presented. Subsequently, the main forms and types of cyberattacks and their
impact on businesses and organisations are analysed. The thesis then examines organisational
information security standards and the cybersecurity regulatory framework at both European
and national levels. A dedicated chapter focuses on the competent authorities responsible for
the enforcement of cybersecurity legislation, as well as on the role of the Information and
Communication Systems Security Officer (ICSSO). Finally, the thesis provides an in-depth
analysis of technical and organisational security measures, incident reporting obligations, and
business continuity and crisis management mechanisms within the framework of compliance
with NIS2.


