Entities that provide public electronic communications networks or publicly available electronic communications services, operating under a General Authorisation regime (“Providers”), must, latest by 26 July 2024, submit their (revised) Networks and Services Security Policy (“Security Policy”) with the Hellenic Authority for Communication Security and Privacy (“ADAE”).
New Regulation adopted by ADAE
On 26 January 2024, ADAE published its new Regulation 28/2024 on the Security of Networks and Electronic Communications Services (“Regulation”), which determines the technical and organisational measures that Providers must have in place to ensure the confidentiality of communications and appropriate risk management with regard to the security of networks and services.[1]
Obligation to prepare and submit a (revised) Security Policy
Latest by 26 July 2024, Providers must:
- adopt a Security Policy meeting the Regulation standards, or revise their existing Security Policy (previously approved by ADAE); and
- submit the (revised) Security Policy for approval before ADAE. [2]
Upon approval by ADAE, Providers will have a deadline of six (6) months to implement the Security Policy (and inform ADAE accordingly). Specifically, in the case of a revised Security Policy, said deadline shall be determined on a case-by-case basis by the regulator and will be included in its decision for approval.
Minimum content of the Security Policy
The Security Policy should cover (at least) the following areas:
- Risk Assessment Procedure;
- Roles and duties
- Measures regarding the employees and partners;
- Security of infrastructure and systems;
- Operation management;
- Security incident management;
- Business continuity management;
- Monitoring and control management; and
- Procedure for the collection, monitoring and administration of threat intelligence
- Awareness of users / subscribers
What we can do for you
Our firm is a highly trusted partner to several tech giants and companies operating in Greece. Our TMT & Data practice has a long track record in offering clients in the technology and telecoms sector the full spectrum of legal support, on a regular basis and as needed in cooperation with our IT experts. Our legal and IT teams have a deep understanding of the new and disruptive technologies, and the digital infrastructure and communications domain.
[1] The Regulation for the Assurance of Confidentiality in Electronic Communications (ADAE Decision 165/2011) and the Regulation for the Security and Integrity of Networks and Services (ADAE Decision 205/2013) shall be repealed as of entry into force of this Regulation (on 26 July 2024).
[2] Exceptions apply: Providers of the following services do not have the obligation to submit their Security Policy with ADAE: (i) machine to machine (M2M) services; (ii) satellite news gathering; (iii) earth news gathering (ENG); (iv) radio communications services, such as telematics, telemetry, radiolocation.
