By Anestis Dimopoulos, Director, Head of Digital & Risk Advisory Services, Baker Tilly South East Europe
At a time when cyber threats are evolving rapidly, Greece is entering a phase of strategic maturity. The new National Cybersecurity Strategy 2026–2030, published in December 2025 under the supervision of the National Cybersecurity Authority (NCSA), is not merely a statement of intent but an operational roadmap. With a primary focus on incorporating the NIS2 Directive as well as other European regulations, the strategy aims to protect critical infrastructure, public administration, and the private economy, while also fostering citizens’ trust in digital services. It marks a transition from fragmented cybersecurity initiatives to a coherent, operationally applicable framework fully aligned with European guidelines. Cybersecurity is now recognized as a strategic factor of trust, operational resilience, and digital growth.
The national strategy aligns with key European Union policies and regulatory instruments. It serves as the national mechanism for implementing the NIS2 Directive, strengthening, among other things, risk governance, accountability of organizational leadership, and incident management. At the same time, it is linked to the EU Cybersecurity Strategy, the Cybersecurity Act, the Digital Europe Programme, as well as the AI Act and the Cyber Resilience Act.
The focus shifts from the mere existence of policies to real operational capability in prevention, detection, response, and recovery. Particular emphasis is placed on the systematic development of skills, awareness-raising, and the creation of national and interconnected Security Operations Centers (SOCs).
The strategy is structured around five key pillars aimed at a holistic approach to digital risk:
- Strengthening Cyber Resilience: Enhancing the protection of critical infrastructure (energy, healthcare, transport) and establishing high security standards and cyber hygiene tools.
- Skills Development: The strategy prioritizes education. It aims to bridge the skills gap through training initiatives, upskilling and reskilling actions, awareness programs for senior executives, and certification programs for both public and private sector personnel.
- Modernizing Governance: Optimizing the role of the NCSA as a central coordinator and strengthening cooperation among Computer Security Incident Response Teams (CSIRTs).
- Promoting Innovation and Investment: Providing incentives for research in Artificial Intelligence (AI) and cybersecurity, as well as supporting small and medium-sized enterprises (SMEs). It also foresees the creation of a National Cybersecurity Reserve to financially support projects and initiatives that enhance cyber resilience in both public and private entities.
- National and International Cooperation: Active participation in European crisis management mechanisms and strengthened cooperation with law enforcement authorities to combat cybercrime.
The Greek strategy is aligned with the European Cybersecurity Strategy for the Digital Decade and, compared with other European countries, shows strengths such as strengthening the requirements of Law 5160/2024 for implementing the NIS2 Directive (a directive that, to date, has not yet been fully adopted through implementing legislation in 8 of the 27 EU member states). It places emphasis on the skills gap and the promotion of innovation and investment, including provisions for the creation of a dedicated reserve. While there are already criticisms pointing to a somewhat inward-looking strategy with a limited international footprint and no explicit references to cyber defense and cyber diplomacy, the strategy does include specific objectives to enhance European and international cooperation, as well as to strengthen cyber deterrence capabilities in the field of national defense.
For organizational leadership, cybersecurity is no longer a “technical issue” but a matter of corporate governance. The NIS2 Directive and the relevant national law introduce personal liability for executives in cases of non-compliance. Management must approve risk management strategies and ensure business continuity.
CIOs are called upon to integrate security into every stage of digital transformation. The strategy requires secure interoperability, the use of certified products, and a transition to zero-trust architectures.
The role of CISOs is elevated to that of a strategic partner. They are expected to manage the national incident reporting framework, participate in simulation exercises, and oversee staff training. The emphasis shifts from prevention to resilience and rapid recovery.
Auditors gain a stricter and more clearly defined reporting framework. They will need to certify compliance not only with technical measures but also with governance processes and supply chain management practices. The emergence of “Certified Cybersecurity Auditors” will be a new milestone for the sector.
The National Cybersecurity Strategy 2026–2030 represents a qualitative step forward. It transforms cybersecurity from a compliance obligation into a foundation of digital reliability, resilience, and strategic advantage for the country and its organizations.






