L. 4577/2018: New Cybersecurity Obligations for Essential and Digital Services
Law 4577/2018 imposes important obligations for system and network security on businesses in the fields of energy, transport, credit, financial infrastructure, health, water and digital infrastructure, e-commerce and information society services. Furthermore, the new Law stipulates significant sanctions in case of non-compliance.
Law 4577/2018 (Government Gazette 199/Α'/03-12-2018) transposes into Greek law Directive 2016/1148/EU of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”).
The Law establishes the national cybersecurity plan and Cybersecurity Authority in the Ministry of Digital Policy, Telecommunications and Information, designating the latter with a supervisory and regulatory role. It also provides for the establishment of a Computer Security Incident Response Team (CSIRT).
The new Law sets out important cybersecurity obligations for the following categories of companies:
- Operators of Essential Services in the fields of energy, transport, credit institutions, financial market infrastructure, health, water supply and digital infrastructures.
- Providers of digital services, in particular e-commerce businesses and other digital service providers, search engines and cloud computing providers.
Obligations for Businesses
Businesses falling within the scope of the Law have the following basic obligations with regard to the security of their systems:
- Adopt technical and organizational measures for the security of networks and information systems.
- Adopt measures to prevent and minimize the impact of incidents affecting the security of networks and information systems.
- Notify the National Cybersecurity Authority and the CSIRT of incidents with a serious impact on business continuity. The notification must be made without undue delay and must be accompanied by additional information to the Authority on the severity of the incident concerned.
- Cooperate with the competent authorities.
The newly established National Cybersecurity Authority has the following powers:
- To assess the compliance of liable businesses with Law 4577/2018.
- To order liable businesses to provide the necessary information, including security policies.
- To order liable businesses to correct any breach of compliance.
Following the opinion of the National Cybersecurity Authority, the Minister of Digital Policy, Telecommunications and Information imposes the following sanctions in case of violation of the provisions of Law 4577/2018:
- A fine of up to EUR 15,000 in the event of failure to notify or delayed notification of an incident.
- A fine of up to EUR 200,000 in the event of failure to take appropriate organizational / technical measures to manage the risks to network and system security.
- A fine of up to EUR 50,000 in case of non-provision or unjustified delay in the provision of information, if requested by the National Cybersecurity Authority.
This document contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global EY organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.
About Platis – Anastassiadis & Associates
Platis – Anastassiadis & Associates is part of the Law Specialty Practice (EY Law), which operates in 62 countries globally and comprises 1,400 people.
We are an independent law office with a core team of 15 lawyers. Our office provides high quality legal services across the full range of commercial and financial transactions.
In our geographical area in particular, we have established an ongoing cooperation with the law firms associated with EY, in order to offer seamless and consistent regional services to our clients with cross-country operations.
Our experience allows us to better understand our clients’ needs and to offer them integrated multidisciplinary solutions in the fields of accounting, tax and financial advisory services. Platis – Anastassiadis & Associates Law Office is solution-focused. We work closely with our clients to seek innovative and practical ways of dealing with their issues. Our priority is to help our clients meet their business objectives. Our expertise, commitment and enthusiasm have resulted in the build-up of a client base which includes local and international listed, state and private sector companies and financial institutions.