Last call for telcos to submit their revised Security Policy with ADAE

Contact People

Theodore Konstantakopoulos

Theodore Konstantakopoulos

Partner

vcard

LEARN MORE

Iliana Papantoni

Iliana Papantoni

Associate

vcard

LEARN MORE

Entities that provide public electronic communications networks or publicly available electronic communications services, operating under a General Authorisation regime (“Providers”), must, latest by 26 July 2024, submit their (revised) Networks and Services Security Policy (“Security Policy”) with the Hellenic Authority for Communication Security and Privacy (“ADAE”).

New Regulation adopted by ADAE

On 26 January 2024, ADAE published its new Regulation 28/2024 on the Security of Networks and Electronic Communications Services (“Regulation”), which determines the technical and organisational measures that Providers must have in place to ensure the confidentiality of communications and appropriate risk management with regard to the security of networks and services.[1]

Obligation to prepare and submit a (revised) Security Policy

Latest by 26 July 2024, Providers must:

  • adopt a Security Policy meeting the Regulation standards, or re­vise their existing Security Policy (previously approved by ADAE); and
  • submit the (revised) Security Pol­icy for approval before ADAE. [2]

Upon approval by ADAE, Providers will have a deadline of six (6) months to implement the Security Policy (and inform ADAE accordingly). Specifi­cally, in the case of a revised Security Policy, said deadline shall be deter­mined on a case-by-case basis by the regulator and will be included in its decision for approval.

Minimum content of the Security Policy

The Security Policy should cover (at least) the following areas:

  • Risk Assessment Procedure;
  • Roles and duties
  • Measures regarding the em­ployees and partners;
  • Security of infrastructure and systems;
  • Operation management;
  • Security incident management;
  • Business continuity manage­ment;
  • Monitoring and control man­agement; and
  • Procedure for the collection, monitoring and administration of threat intelligence
  • Awareness of us­ers / subscrib­ers

What we can do for you


Our firm is a highly trusted partner to several tech giants and companies operating in Greece. Our TMT & Data practice has a long track record in offering clients in the technology and telecoms sector the full spectrum of legal support, on a regular basis and as needed in cooperation with our IT experts. Our legal and IT teams have a deep understanding of the new and disruptive technologies, and the digital infrastructure and communications domain.
 

 


[1] The Regulation for the Assurance of Confidentiality in Electronic Communications (ADAE Decision 165/2011) and the Regulation for the Security and Integrity of Networks and Services (ADAE Decision 205/2013) shall be repealed as of entry into force of this Regulation (on 26 July 2024).

[2] Exceptions apply: Providers of the following services do not have the obligation to submit their Security Policy with ADAE: (i) machine to machine (M2M) services; (ii) satellite news gathering; (iii) earth news gathering (ENG); (iv) radio communications services, such as telematics, telemetry, radiolocation.