Greece sets up National Cybersecurity Authority

Greece is setting up a national cybersecurity agency in the wake of attacks against government and business entities. The New Democracy government said it wants a stronger firewall protecting state and private institutions. Like most countries, Greek businesses and public authorities have experienced a growing number of cyberattacks in recent years. According to media reports, however, the perpetrators include groups sponsored by the Greek state.

The EYP intelligence service previously admitted in a parliamentary committee in 2022 that it had spied on a financial journalist. In March 2023, Meta’s former security policy manager Artemis Seaford, who worked in Greece, said the National Intelligence Service (EYP) hacked her phone.

The measure setting up a National Cybersecurity Authority, which until now was a directorate of the Ministry of Digital Governance, was announced by Digital Governance Minister Dimitris Papastergiou. The move was prompted by a new EU Directive NIS2 (Network and Information Directive 2), which Greece is obliged to implement from October 2024. NIS2 expands the scope of mandatory cybersecurity standards to more than 2,000 organizations including the entire Greek public sector.

Medium-sized businesses with more than 50 workers and a balance sheet of more than 10 million euros are also included in the programme, which covers regional governments as well and postal and courier services, waste management, and businesses in vital industries like chemical manufacturing, production and distribution, food production and processing, and construction.

There have been a number of high profile attacks on critical organisations in the Greek public and private sector in recent years. In May, Greece’s Education Ministry was targeted in a cyberattack described as the most extensive in the country’s history, which disabled a centralized high school examination platform.

The Ministry said that Distributed Denial of Service (DDoS) attacks lasted for two days and involved computers from 114 countries. This caused outages and delays in high school exams but failing to incapacitate the system. In the wake of the attack, a judicial investigation was ordered by a Supreme Court prosecutor, to be assisted by the police’s cybercrime division.

“It is the most significant attack ever carried out against a Greek public or government organization,” the Education Ministry said, describing the incidents as “large-scale and of sustained duration.”

A further high-profile DDoS attack on Hellenic Public Properties Co, HPPC, the company managing the real estate assets of the Greek state, in November 2023 caused political controversy, with opposition lawmakers accused the conservative government of treating cybersecurity “superficially” and demanded a national strategy to deal with the issue, which is now being realized. In its notification to the Greek Data Protection Authority, HPPC said the disruption to information systems had a limited effect on operations and that there had not been any data breach.