Security Alert

On 11 April 2025, Law 5193/2025 on the strengthening of capital markets and other provisions (Law 5193/2025) was published.
Law 5193/2025 adopts provisions supplementing Regulation (EU) 2022/2554 (DORA) and transposes Directive (EU) 2022/2556 into Greek law, reflecting the new requirements on digital resilience and governance of ICT services of financial sector entities and third-party providers.
Designation of competent authorities
Law 5193/2025 designates the Bank of Greece (BoG) or the Hellenic Capital Market Commission (HCMC) as the competent authority, depending on the supervised financial sector entity, e.g.:
the BoG is appointed as the competent authority for less significant credit institutions, payment and e-money institutions, account information service providers, (re-)insurance undertakings and (re-)insurance intermediaries, established in Greece;
the HCMC is appointed as the competent authority for investment firms and fund management companies as well as trading venues and central counterparties established in Greece.
Supervisory powers - Sanctions
The HCMC and the BoG are granted the necessary supervisory and investigative powers (including on-site inspections) to ensure financial sector entities’ compliance with DORA and its delegated acts. In this regard, the designated competent authorities may impose administrative sanctions, including fines of up to 10% of the total net turnover, including gross income, in the case of supervised financial sector entities, or up to EUR 5,000,000 in the case of natural persons, or up to twice the amount of the benefit derived from the infringement, as well as revocation of the supervised entity’s licence. The competent authorities may impose the removal or dismissal of board members or key function holders from the position held in financial sector entities.
Sectorial legal amendments
Legal amendments have been introduced to align the sector-specific legislation with the newly established DORA framework, bringing the Greek financial services framework relating to technology risk management, operational continuity plans, and ICT third-party oversight fully up to date.
In general, laws (such as Law 4261/2014 on credit institutions and Law 4514/2018 on investment firms) have been amended to encompass the obligations of financial sector entities to implement appropriate and proportionate information and communication technology (ICT) systems, ICT business continuity plans and sound security mechanisms, as the case may be, that are set up and managed in accordance with the DORA framework.
Financial sector entities shall provide to the BoG or the HCMC, upon request, the data and information provided by ICT third parties.
You can find further information on DORA requirements in our previous newsletter.