Security Alert
Rules for the use of Internet of Things (IoT) technology devices will enter into force on 1st March 2023.
Law 4961/2022 on emerging information and communication technologies has introduced obligations for IoT technology operators, manufacturers, importers and distributors, aiming to establish a secure framework for their use.
1. Which companies are affected
Within scope are:
- IoT technology operators, namely the following persons when they use IoT technology devices[1]:
-Operators of Essential Services, including, among others, companies of the energy, transport, banking and health sector
-Digital Service Providers, including online marketplace, online search engines and cloud computing service providers
-Local government organisations - Manufacturers of IoT technology devices
- Importers and distributors of IoT technology devices
2. Obligations of IoT technology operators
IoT technology operators must:
- appoint an IoT Security Officer
- maintain a register of the IoT technology devices they use
- inform the users of said devices regarding their safe installation, configuration and operation
- carry out a Data Protection Impact Assessment (DPIA) according to relevant GDPR standards.
3. Obligations of manufacturers
Manufacturers must ensure that IoT technology devices are accompanied by a manufacturer’s declaration of compliance and the appropriate user manual and security information. Also, they should adopt a management policy covering security incidents or security vulnerabilities.
4. Obligations of importers and distributors
Before placing an IoT technology device on the market, importers and distributors must verify that the device is accompanied by the manufacturer’s declaration of compliance and, upon request, must make this available to the Greek National Cybersecurity Authority or to the competent incident response team. Further obligations apply in case of non-compliance of the device with the appropriate technical safety specifications.
5. Sanctions for non-compliance
Administrative sanctions are provided for IoT technology operators who fail to comply with their obligations and include fines up to EUR 15,000 and, in case of relapse, up to EUR 100,000.
6. Expected Ministerial Decisions
Ministerial Decisions by the Ministry of Digital Governance are expected, which will specify the technical safety specifications of the IT technology devices and the appropriate technical and organisational measures that IoT technology operators should apply.
The obligations of the IoT technology operators, manufacturers, importers and distributors and issues related to the procedure and criteria for the imposition of sanctions will be further specified by Ministerial Decisions by the Ministry of Digital Governance that are also expected.
7. Key take-aways
Affected companies must:
- Properly record and audit devices they use, to identify instances where IoT technology is being used
- IoT technology operators must appoint an IoT Security Officer, maintain a register of the IoT technology devices they use and inform users about their safe operation
- Take actions to ensure compliance with GDPR standards, which include carrying out a DPIA and providing notice to affected individuals.
[1] “Internet of Things” (IoT) is statutorily defined as “any technology, which (a) allows devices or a group of interconnected or related devices, through their connection to the Internet, to perform automatic processing of digital data on a programmed basis, including technology relating to the interconnection of physical objects, in particular devices, vehicles and buildings, with electronic components, software, sensors, actuators, radio links and network connections; and (b) allows the collection and exchange of digital data, in order to offer a variety of services to users, with or without human intervention”.