L.5236/2025: Transposition of the CER Directive, for the resilience of critical entities

Act no. 5236/2025 (Government Gazette A’ 175/10-10-2025) incorporates the CER Directive into the Greek legal order. This Directive establishes a unified framework for strengthening the resilience of critical entities against natural, technological, and hybrid threats, setting out obligations for risk assessment, prevention, and incident management, as well as mechanisms for supervision, cooperation, and enforcement of sanctions.

On 10 October 2025, Act no. 5236/2025 (“the Law”), which transposes Directive (EU) 2022/2557 on the resilience of critical entities into Greek law, was published in the Government Gazette (Government Gazette 175/A/10-10-2025).

According to the explanatory report of the Law, the new provisions aim to enhance the resilience of critical entities against natural and technological risks and to ensure the uninterrupted operation of critical services essential for public safety, the economy, and society.

The new Law determines the scope of critical entities and introduces their obligations regarding risk assessment, the adoption of resilience measures, and the notification of incidents to the competent authorities.

In addition, the Law provides for the establishment of the General Secretariat for the Protection of Critical Entities (GSPCE) within the Ministry for Citizen Protection, as the competent authority and single point of contact for implementing the new framework, with responsibilities for compliance supervision, enforcement of measures, and sanctions.

Finally, a regime of increased accountability for the management of critical entities is introduced, along with stricter requirements regarding governance, reporting, and crisis management.

In cases of non-compliance, fines of up to €10,000,000 are stipulated in the Law.

Act no. 5236/2025 entered into force upon its publication in the Government Gazette. However, the designation of critical entities by the GSPCE, which is when the respective obligations will arise, will take place by 17 July 2026.

1. Purpose and scope

The purpose of the Law is to strengthen the resilience of critical entities that provide essential services vital for maintaining social functions and economic activities.

In this context, the Law aims to:

  • Designate the General Secretariat for the Protection of Critical Entities within the Ministry for Citizen Protection as the competent national authority and single point of contact for the implementation and supervision of the Law.
  • Develop the National Strategy and conduct risk assessments to enhance the resilience of critical entities.
  • Establish obligations and measures for prevention, protection, and response to ensure the uninterrupted provision of essential services in the country.
  • Strengthen cooperation between public authorities and private bodies for the effective management of risks and incidents.
  • Introduce mechanisms for supervision, compliance, and enforcement of sanctions to ensure the full implementation of the obligations arising from the Law.

2. Scope of application of the Law

The Law applies to critical entities operating in the following sectors:

  • Energy
  • Transport
  • Banking and financial markets
  • Health
  • Drinking water and wastewater
  • Digital infrastructure
  • Public administration
  • Space
  • Production, processing, and distribution of food

The provisions aim to enhance the resilience of the above sectors against natural, man-made, accidental, or intentional risks, in accordance with specific European and national regulations. 

3. Key definitions

  • Resilience: The ability of a critical entity to prevent, protect against, respond to, resist, mitigate, absorb, adapt to, and recover from an incident.
  • Essential Service: A service of critical importance for maintaining vital social functions, economic activities, public health, safety, or the environment.
  • Risk Assessment: The process of identifying, analyzing, and evaluating threats and vulnerabilities that could lead to the disruption of an essential service.

4. Responsibilities of the General Secretariat for the Protection of Critical Entities (GSPCE)

The GSPCE is responsible for conducting national risk assessments, taking into account cross-sectoral and cross-border threats, as well as the impacts of climate change, with the aim of creating a comprehensive database and knowledge base for implementing effective measures.

At the same time, the GSPCE:

  • Identifies, by 17 July 2026, the critical entities in each sector and subsector,
  • Establishes the National Registry of Critical Entities,
  • Ensures cooperation with the National Cybersecurity Authority.

In addition, the GSPCE prepares the National Strategy for Strengthening the Resilience of Critical Entities by 17 January 2026. This strategy defines the framework of actions and priorities for the prevention, protection, and management of natural, man-made, and technological risks that may affect the operation of essential services.

5. Exceptions and coordination with other legislation

The new Law does not apply to matters covered by Law 5160/2024 (which incorporates the NIS 2 Directive on cybersecurity).

The GSPCE and the National Cybersecurity Authority cooperate for the coordinated implementation of the framework concerning the physical security and cybersecurity of critical entities.

Where other sectoral EU legal acts impose equivalent resilience measures, the relevant provisions of this Law do not apply (e.g., Regulation (EC) No 300/2008 on aviation security).

6. Obligations of critical entities

Risk Assessment 

  • Critical entities must carry out a risk assessment within nine (9) months of receiving notification and subsequently at least every four years.
  • Inclusion of all natural, man-made, technological, and socio-economic risks, as well as cross-sectoral or cross-border threats.
  • Examination of interdependencies with other sectors and entities, both within and outside Greece.
  • Possibility of using existing assessments or relevant documents from other legal obligations, provided they meet the requirements of the Law.

Resilience Measures

Critical entities must take technical, organizational, and security measures to ensure their operational and physical resilience, including:

  • Prevention of incidents and adaptation to climate change.
  • Physical protection of facilities and critical infrastructure (e.g., fencing, access controls, surveillance).
  • Crisis management and early warning procedures for responding to and mitigating consequences.
  • Recovery and business continuity, including alternative supply chains.
  • Personnel security management, through background checks, definition of critical roles, and required qualifications.
  • Training and familiarization of personnel through seminars, briefings, and exercises.

Resilience Plan

  • Critical entities are required to develop and implement a resilience plan for incident management and operational continuity.

Point of Contact

  • Each entity must appoint a representative or authorized officer as the point of contact with the GSPCE (General Secretariat for the Protection of Critical Entities).

Personnel Background Checks

  • The Hellenic Police may conduct background checks on individuals in sensitive roles or with access to critical infrastructure.

Incident Notification

  • Entities must notify the GSPCE without delay of any incidents that affect their operations. An initial report must be submitted within 24 hours, followed by a detailed report within one month.

7. Critical entities of particular European interest

An entity is considered a critical entity of particular European interest when:

  • It is already a critical entity (article 7).
  • It provides essential services in at least six (6) Member States.
  • It has been notified as belonging to this category.

The General Secretariat for the Protection of Critical Entities (GSPCE) informs the entity without delay of the European Commission’s decision and of its related obligations.

8. Sanctions 

  • Non-compliance with core obligations relating to the designation or recognition of a critical entity: up to €1,000,000
  • Failure to adopt or inadequate implementation of measures for risk management and the security of critical infrastructures: up to €10,000,000
  • Violation of obligations to inform or notify competent authorities of critical information: up to €1,000,000
  • Failure to comply with the notification or decision of the European Commission that an entity is of particular European interest: up to €1,000,000
  • Non-compliance with specific obligations, such as network and infrastructure security measures or information provision during crises: up to €5,000,000
  • General infringements or failure to cooperate/exchange information with competent authorities: up to €5,000,000

9. Conclusions

Together with Law 5160/2024, which transposes the NIS2 Directive on cybersecurity, the provisions of the new Act no. 5236/2025 establish a comprehensive regulatory framework for the smooth and secure operation of critical entities within the Greek territory.

The GSPCE will identify the critical entities by 17 July 2026. Within one (1) month from that identification, the designated critical entities will be notified by the GSPCE of their designation, in order to be included in the relevant registry and informed of their obligations.

Therefore, the effective commencement of the obligations for these critical entities is considered to begin from the date of notification of their designation by the GSPCE.

Within this context, entities operating in the sectors covered by the Law are advised to develop a compliance plan now to ensure timely and proper fulfillment of their obligations once they are designated.

The full text of the Law is available here.