Software in Greece is considered literary work and protected under the provisions of intellectual property law, according to par. 3 of art. 2 of Law 2121/1993. A basic prerequisite for granting the protection of the intellectual property law to a software is that it is original, in the sense that it is the result of the personal intellectual work of its creator. In a few exceptional cases software can be protected by the Industrial Property Law as a patent (Law 1733/1987), if it qualifies as a patent, i.e. if it is a new invention, involving an inventive step and demonstrative of industrial application.

Supplementary protection is provided by the law of unfair competition and specifically articles 16-18 of Law 146/1914 concerning the protection of commercial and industrial secrecy, as long as this software constitutes a commercial secret or a business secret, and as long as legal and technical measures have been taken to prevent any third party’s access to the program. Furthermore, in case of outright copy or imitation of software by a competitor, the general clause of article 1 of Law 146/1914, prohibiting unfair behaviours, may apply.

The creator of a computer software will obtain the intellectual property rights, provided that the software is original, in the sense that it is the result of the personal intellectual work of its creator, unless any contractual agreement exists. The customer acquires rights to use the software, to the extent that it results from the nature of the software.

However, the Intellectual Property Law provides that that the economic right over a computer program that is created by an employee in the execution of their employment contract or following the instructions given by the employer, shall be ipso jure transferred to the latter, unless otherwise provided by contract (Article 40 of Law 2121/1993).

Under Greek law the Consumer’s law establishes a strict liability regime. Moreover, the producer is liable, in accordance with the provisions of Greek Civil Code on contractual liability and tort. The creator of a software can claim recognition of his right, the removal of the infringement and its omission in the future, as well as the payment of compensation for the remedying of the material damage and the satisfaction of non-material damage, if the infringement was caused by the fault of the third party.

Administrative sanctions are also provided for those who reproduce, present, sell or distribute computer programs to the public. Administrative sanctions are also imposed to anyone who retransmits, distributes for sale, presents to the public or possesses/accesses illegal equipment or software and generally exploits illegal audiovisual works, regardless of other sanctions that may be provided.

The Greek Criminal Code (articles 370B, 370D and 370F) contains provisions on the misuse of software, such as the offenses of unlawfully copying, depicting, using or disclosing to a third party or violating data or computer programs that constitute state, scientific or professional secrets or secrets of a public or private sector company, copying or using computer software without a corresponding right, as well as the distribution (sale, supply, possession, delivery) of computer devices or programs, which could facilitate the disruption of IT systems, and the commission of fraud through the use of a computer. Moreover, anyone who produces, sells, procures for use, imports, exports, possesses, distributes or otherwise distributes software or surveillance devices, with the ability to intercept, record and extract any kind of content and/or communication data (traffic and location) is punished under the Greek Criminal Code. Finally, anyone who copies or uses computer programs without a right is punished with a fine or a penalty for community service, while anyone who, without a right, gains access to the whole or part of an information system in violation of prohibitions or security measures taken by the legal owner, is punished with imprisonment.

Several laws may apply to software contracts and the use of cloud technology such as the Greek Civil Code (GCC), as software concession contracts, software maintenance and software development contracts, the GDPR and its implementing Law 4624/2019, as well as the Greek Consumer Protection Law. In addition, the rules around contracts for the supply of digital content (computer programs) regarding their compliance with the contract and the available remedies in case of failure to supply are defined by Directive 2019/770, which has been incorporated into Greek law by Law 4967/2022.

The type and content of cloud computing contracts are determined by both the technical version and the development model provided. In these contracts, the legislation on Consumer Protection (Law 2251/1994), the Presidential Decree 131/2003 on E-commerce and the Law 4727/2020 on Digital Governance are essential as well.

The software supplier, operating off-line or over the Internet, has the primary obligation to deliver the goods in the agreed condition and free of actual defects (534 Greek Civil Code) and to transfer the software free of any legal defects. The seller/supplier of the software is liable for the actual defects and the lack of agreed characteristics under Article 537 GCC “regardless of fault” and is only exempted if the buyer was aware of them at the time of the conclusion of the contract or if the non-performance is due to materials provided by the buyer.

According to Article 332 of the GCC, any prior agreement excluding or limiting liability for wilful misconduct or gross negligence is null and void. The exemption of the supplier for slight negligence may be agreed in advance unless (a) the buyer is in the service of the seller, (b) the liability arises from the exercise of an undertaking for which the authority was previously delegated to the seller, (c) if the exemption clause has not been individually negotiated between the buyer and the supplier, which is also related to the Greek Consumer Protection Law.

The software supplier incurs: (a) intra-contractual liability, which is in principle objective in respect of factual and legal defects or defects in the contracted properties of the software, with the possibility of claiming compensation for further damages in the event of fault (but limited only to the other party); (b) tortious liability, which is subjective, i.e. it is based on proof by the injured party of the fault of the injured party;  which seems particularly difficult in the case of software, and (c) liability under the consumer protection provisions, which is objective in nature, but whose scope is limited to the damage suffered only by consumers.

IPR infringement claims under (d), and wilful or deliberate breaches under (g), are typically excluded from any financial cap on the software vendor’s liability to the customer. The financial cap cannot be less than the actual damage. However, the parties are free to agree on a financial cap for their respective obligations under the contract in cases where liability arises from simple negligence.

With the escrow agreement, if two or more have a dispute over a software, they may, in order to secure their disputed or uncertain rights over it or in the process of selling it, agree to deliver the software to a third party escrow holder for safekeeping, until their dispute is resolved, either by consensus or by court decision, in which case the escrow holder is obliged to return it. The escrow holder can be any natural or legal person, who will be selected by the depositors. However, escrow agreements are not very widely met in Greek jurisdiction.

Export controls applicable to software transactions are those determined by the Customs Authorities and are subject to the application of EU Regulation 2021/821 regarding the Dual-Use products. Thus, any software exported from Greece that belongs to the categories of the Regulation (e.g. includes encryption or dual-use technologies) is subject to export controls.

In Greece, there are no specific technology laws that exclusively govern IT outsourcing transactions. Generally, IT outsourcing transactions in Greece are governed by various laws and regulations that cover contract law, data protection, intellectual property, labour regulations, and taxation. Some key examples of these include:

• Executive Board Act no. 178/5/2.10.2020 of the Bank of Greece adopting the European Banking Authority’s guidelines on outsourcing that also cover outsourcing to cloud service providers. Act no. 178/5/2.10.2020 establishes a harmonised framework for outsourcing functions for all institutions supervised by the Bank of Greece, which includes a clear definition of outsourcing and critical or important functions. It also contains specific internal governance requirements and obligations for institutions, both at pre-contractual and contractual stages, aimed at effectively managing the risks posed by outsourcing agreements.
• Regulation (EU) 2022/2554 (the Digital Operational Resilience Act or DORA): DORA entered into application on January 17th, 2025. DORA applies to the outsourcing of critical ICT services and sets out requirements for financial entities, including with regard to their contractual relationships with ICT service providers, to ensure digital operational resilience in the financial sector.
• Outsourcing agreements must comply with the framework for the protection of personal data, including the GDPR and implementing Law 4624/2029, which imposes strict requirements on the processing and protection of personal data

Under Greek law, IT outsourcing is governed primarily by the contractual terms agreed on an ad hoc basis between the parties, as the decision to outsource any kind of services, including IT services, is subject to the freedom of contracts based on the provisions of article 361 of the Greek Civil Code.

In the event that IT services are outsourced to a third party, the individual employment contracts of the staff that previously performed the service are not automatically transferred to the outsourcing supplier, even in cases where the outsourcing of IT services takes place between associated companies.

However, under specific circumstances, an outsourcing contract could be regarded as a contract of legal transfer of part of the business, in the context of Council Directive 2001/23/EC on the approximation of the laws of the Member States relating to the safeguarding of employees’ rights in the event of transfers of undertakings, businesses or parts of undertakings or businesses and Greek Presidential Decree No. 178/2002 on measures relating to the protection of employees’ rights in the event of transfers of undertakings, businesses or parts of undertakings or businesses, in compliance with Council Directive 98/50/ΕC, which was codified in the Greek Labour Code in 2022.

This applies only to contracts that, alongside the outsourced activity, provide for the transfer to the outsourcing supplier of third-party contracts, assets, employees etc. of the original business. In this context, outsourcing falls within the meaning of the “legal transfer” of business, whereby the transferred activity or operation constitutes an economic entity that retains its identity, meaning an organised grouping of resources which has the objective of pursuing in a stable manner, an economic activity, whether or not that activity is central or ancillary.

If an outsourcing contract meets the above conditions and constitutes a legal transfer of part of an undertaking, then the transferor’s (original business-outsourcer) rights and obligations arising from a contract of employment or from an existing employment relationship, connected to the transferred part of the business, shall, by reason of such transfer, be automatically transferred to the transferee (outsourcing supplier). The transferor and the transferee are required in this case to comply with the provisions of Presidential Decree No. 178/2002, which aims to safeguard employees’ rights and protect their interests when their employment is transferred to a new employer. According to Presidential Decree No. 178/2002, the transfer of an undertaking, business or part of an undertaking or business does not in itself constitute grounds for dismissing workers. However, this does not preclude, subject to compliance with the provisions relating to dismissals, employee dismissals which may take place for economic, technical or organisational reasons involving changes in the workforce.

It should be stressed that this automatic transfer of the employment contracts takes place only if the outsourcing contract provides for the transfer of an economic entity, an organised grouping of resources or part of the business, and not of the outsourced activity alone.

The principal law governing telecommunications networks and/or services in Greece is Law 4727/2020, on Digital Governance and Electronic Communications. The second part of this law transposes into Greek legislation EU Directive 2018/1972 for the establishment of the European Electronic Communications Code. The law establishes a harmonized framework for the regulation of electronic communications networks, electronic communications services, associated facilities and associated services, and certain aspects of terminal equipment. It also lays down national principles for the use of the radio spectrum and satellite orbits. Before the issuance of law 4727/2020, the principal law governing the telecoms sector in Greece was Law 4070/2012 on electronic communications. Although law 4727/2020 replaced most of Law 4070/2012, some provisions remain in force.

Law No. 5160/2024, which is the national transposition of the NIS2 Directive includes providers of public electronic communications networks or of publicly available electronic communications services among the entities that fall within its scope of obligations. These obligations include registration obligations on the National Cybersecurity Authority, implementation of cybersecurity measures, incident reporting obligations and appointment of an Information and Communication Systems Security Officer (ICSSO).

Following the aforementioned laws, a wide range of secondary legislation has been issued by the National Commission for Telecommunications and Post (EETT). Special reference should be made to the following:

• EETT’s Regulation on General Authorisations (Decision 991/4/2021), which regulates the procedure and conditions for the provision of electronic communications networks and/or services under the General Authorization Regime.
• ADAE’s Decision no. 28/2024, which is a Regulation on the Security of Electronic Communications Networks and Services, replacing the Regulation for the Assurance of Confidentiality in electronic communications (ADAE’s Decision No. 165/2011) and the Regulation for the security and integrity of networks and electronic communication services (ADAE’s Decision No. 205/2013).
• EETT’s Regulation on the Management and Allocation of the Numbering Resources of the National Numbering Plan (Decision 966/02/2020), defining clear framework for the exercise of the rights and obligations of providers of electronic services or electronic communications services, as well as users, which guarantees objective, transparent, and impartial access to the numbering resources of the national numbering plan
• EETT’s Regulation on the Use and Granting of Rights of Use of Radio Frequencies under the General Authorization Regime for the Provision of Electronic Communications Networks and/or Services (Decision 1075/02/2023), which defines the procedures, conditions, and any relevant details for the licensing of radio spectrum usage and the granting of individual radio spectrum usage rights under a General License regime.

In order to provide any kind of electronic communications networks and/or services within the territory of Greece (except for number-independent interpersonal communications services), operators shall acquire a General Authorisation, in the form of a Registration Declaration to EETT, in accordance with EETT’s Regulation on general authorisations (Decision 991/4/17-05-2021, as it has been amended and in force).  No general authorisation is required for the resale of electronic communications services to users. In contrast, a general authorisation is required for the provision of electronic communications services by third parties who, although they do not have their own electronic communications infrastructure, provide electronic communications services under a different brand and business organisation, relying on the infrastructure of other persons providing electronic communications networks and/or services with whom they have concluded a contract. The first step for the acquisition of a general authorisation is that the interested party is registered on the EETT’s Registry of Companies and Licenses (e-Registry) web app. After the registration in the Registry of Companies and Licenses is completed, the person interested in acquiring a general authorisation must apply for registration in the Registry of Electronic Communications Network and Service Providers, by submitting a registration declaration. The declaration shall be approved provided that it is fully and correctly completed. The payment of an administrative fee of €300 is required for registration to the registry. The registration declaration constitutes the general authorisation. The person filing the declaration may carry out the activity for which the registration declaration is submitted, directly by submitting a full declaration.

Where the electronic communications activity is subject to the granting of rights to use radio frequencies, the person concerned must also obtain the required rights to use radio frequencies.   The process for granting individual rights of use for specific radio frequencies or frequency bands for the provision of electronic communications networks and/or services is defined in EETT’s Decision 1075/02/12-6-2023 “Regulation on the Use and Granting of Rights of Use of Radio Frequencies under the General Authorization Regime for the Provision of Electronic Communications Networks and/or Services”. Rights to use frequencies are granted by the EETT upon a relevant request. Such requests are submitted through the EETT’s Spectrum Management System. Where no granting of individual rights to use radio frequencies is required, operators must meet the conditions set in the relevant regulation issued by EETT.

Where the electronic communications activity is subject to the granting of rights to use numbers, the person concerned must also follow the procedure for number allocation, as described in EETT’s Regulation on the Management and Allocation of the Numbering Resources of the National Numbering Plan (Decision 966/2/2020).

Finally, where applicable, operators shall obtain the appropriate licences for every antenna they use. The relevant framework consists of law 4635/2019 (articles 20–38) and EETT’s Regulation 919/26/2019 on the licensing of antennas and base stations. Applications for issuance of antenna construction licences are submitted through the EETT’s System for the Electronic Submission of Applications (SILYA). The planning approval is issued following the EETT’s antenna construction permit, through the e-Licensing electronic system used for building. Low electromagnetic environmental nuisance antenna facilities are exempt from the licensing process. As a result, for a significant number of antennas, mainly within urban centres, a simple registration procedure is followed, which is also implemented through SILYA

The confidentiality of communication is an individual right protected by the Constitution. According to Article 19 of the Constitution, the confidentiality of letters and freedom of correspondence or communication by any other means is absolutely inviolable. The same provision states that a law may provide guarantees under which judicial authorities are not bound by this confidentiality for the purpose of national security protection or for the purpose of investigating serious crimes. Based on the above, it follows that the lifting of confidentiality is permitted only as an exception, only if there is an order from a competent judicial authority, and only if the institutional and procedural requirements provided by law are met. The procedures, techniques, and organizational matters for lifting the confidentiality of communications are provided in Law 5002/2022 and Presidential Decree 47/2005, as in force.

Article 19 also provides for the establishment of an independent authority with the aim of to protecting communication confidentiality. The duties of the Hellenic Authority for Communication Security and Privacy (ADAE) include overseeing the compliance with the terms and procedures for the lifting of confidentiality.

The lifting of confidentiality does not concern face-to-face communication but any kind of communication conducted via a communication network or service provider used by the subscriber or user against whom the lifting measure is taken. The specific communication details that may be included in an order for the lifting of confidentiality depend on the type of communication and are mentioned in detail in Article 4 of Presidential Decree 47/2005. In short, the following information fall under the scope of the relevant provisions:

• The content of communication (content of telephone calls, SMS, emails, and generally any voice, image, or data communication).
• The identity of the caller/sender and the recipient.
• The location data of the terminal device (geolocation).

The law that specifies the conditions and procedures for lifting the confidentiality of communications is Law 5002/2022. As indicated by the Constitution, this law provides two reasons for lifting the confidentiality of communications: for national security reasons and for the investigation of crimes, as defined in detail in the law.

Requests for the lifting of communication confidentiality must be authorized by a judicial authority. According to this law, the lifting of communication confidentiality for national security reasons can be requested from the competent judicial officer only by the National Intelligence Service or the Special Violent Crime Squad of the Hellenic Police, either on their own initiative or following a relevant notification from a judicial or other public authority (political, military, or police) responsible for the national security issue requiring the lifting. If the prosecutor approves the request, the approval order shall be submitted without delay for approval to a Deputy Prosecutor of the Supreme Court or a Prosecutor of the Court of Appeals, appointed by decision of the Prosecutor of the Supreme Court (dual approval). The lifting of communication confidentiality for crime investigation purposes is ordered by the competent judicial council following a proposal by the prosecutor. In exceptional and urgent circumstances, the lifting can be ordered by the prosecutor or the investigating officer.

The law defines in detail the minimum content of the relevant requests and court orders, ensuring that  the legal standards of necessity and proportionality are met.

The duration of the lifting of confidentiality cannot exceed two months. Two-month extensions may be ordered, provided that the reasons for the lifting still apply, but the total duration cannot exceed ten months. Exceeding this limit is only allowed under specific conditions in cases of lifting confidentiality for national security reasons. After the expiration of the defined period, the lifting of confidentiality automatically ceases. In any case, by order of the authority that imposed the lifting of confidentiality, the cessation of the measure can be ordered before the specified duration has expired, if the purpose has been fulfilled or the reasons for the imposition of the measure have ceased to exist.

The procedure is strictly confidential. Three years after the validity period of the order for lifting the confidentiality for national security reasons has lapsed, the imposition of the measure is notified to the affected party, provided that the purpose for which it was ordered is not compromised. A relevant request for this notification is submitted to the Hellenic Authority for Communication Security and Privacy (ADAE), which is then forwarded to the National Intelligence Service and the Special Violent Crime Squad. The lifting of confidentiality is notified after a decision by a three-member body. If the decision is made to inform the affected party, they are notified about the imposition of the restrictive measure and its duration. The ADAE, after the expiration of the lifting of confidentiality measure for the investigation of crimes and following a relevant request by the affected party, shall notify them of the imposition of this measure within a period of sixty days, with the consent of the Prosecutor of the Supreme Court and provided that the purpose for which it was ordered is not compromised.

Finally, the Greek Code for Criminal Procedure, in art. 254 and 255, provides that lifting the confidentiality of communications is a specific special investigative measure, for the purpose of investigation of specific crimes, carried out under the guarantees outlined by Law 5002/2022.

In Greece, the development of technical standards for mobile communications and connected technologies is governed by the Hellenic Organization for Standardization (ELOT) and the Hellenic Telecommunications and Post Commission (EETT). The Hellenic Organization for Standardization (ELOT)  is the national standards body of Greece and has been founded by the Greek Law 372/1976. ELOT’s mission is the promotion and application of standardization in Greece. ELOT’s main activities are: preparing and publishing standards, awarding marks of conformity and granting certificates of conformity, certifying quality systems for businesses and conducting laboratory tests. The Hellenic Telecommunications and Post Commission (EETT) is an independent authority with administrative and financial autonomy. It acts as the National Regulatory Authority (NRA) in matters of provision of services and networks for electronic communications, related facilities and services, and postal services.

Technical standards that promote interoperability between connected devices significantly influence the development of connected technologies in the following ways:

1. Interoperability standards enable diverse IoT devices (such as sensors, actuators, and smart appliances) to work together harmoniously.
2. When devices follow common protocols and interfaces, they can seamlessly exchange data, commands, and status information. This seamless integration simplifies the development process and speeds up the time-to-market for new technologies.
3. When manufacturers comply with recognized standards, consumers and businesses gain confidence in the technology. They are assured that devices from different vendors will work together reliably, driving adoption and investment.
4. By leveraging existing standards, companies save resources. Additionally, interoperability reduces maintenance costs and ensures smoother upgrades.
5. Standards provide a foundation upon, which innovators can build. As a result, developers can focus on creating novel applications and services instead of reinventing basic communication mechanisms.
6. Standards help ensure compliance, leading to safer and more reliable products.

In Greece, as in other EU countries, the legal framework concerning these standards is influenced by both national and EU laws and especially in the field of Intellectual Property (IP), Competition Law and Data Protection.

Greece’s primary data protection law is Law 4624/2019, which implements the General Data Protection Regulation (GDPR) and incorporates Directive (EU) 2016/680. This legislation replaced the previous Law 2472/1997, which implemented Directive 95/46/EC.

In the area of electronic communications, Law 3471/2006—aligned with Directive 2002/58/EC (the ePrivacy Directive) and amended by Directive 2006/13/EC—serves as a complementary framework specifically focused on protecting personal data.

Other key laws contribute to Greece’s broader data protection landscape are the following:

• Law 5002/2022 outlines procedures for lifting the confidentiality of communications and sets provisions for cybersecurity and personal data protection of citizens.
• Law 4990/2022 addresses the protection of whistleblowers reporting violations of EU law, incorporating Directive (EU) 2019/1937.
• Law 4961/2022 focuses on emerging information and communication technologies, aims to strengthen digital governance, and includes additional provisions.
• Law 4579/2018 places obligations on air carriers regarding the collection and handling of passenger information.
• Law 3917/2011 governs the retention of data generated or processed through publicly available electronic communication services or networks, as well as the use of audio and video surveillance in public areas.
• Law 3783/2009 establishes rules for collecting and storing identifying data of mobile service subscribers for national security and the investigation of particularly serious crimes.
• Article 8 of Law 3144/2003 sets out conditions for processing workers’ medical data.

The HDPA may impose fines up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, or, for serious violations related to data subjects’ rights, fines up to €20 million or 4% of the total worldwide annual turnover, whichever is higher.  When the Processor is a public body, the fine can go up to €10 million.

According to the provisions of Law 4961/2022, the processing of personal data when using AI systems must be carried out in accordance with the principles and rules of the GDPR. Therefore, technology contracts in Greece typically refer to the GDPR.

The principal laws regarding cybersecurity are the following:

• Law No. 5160/2024 constitutes the transposition of Directive (EU) 2022/2555 (NIS 2) into Greek law, establishing a strengthened cybersecurity framework for essential and important entities operating in sectors such as energy, transport, health, and digital services. By virtue of  Law 5160/2024, the following ministerial decisions have also been issued:
  1. Ministerial Decision 1381/2025 (Creation of a digital platform for the registration of entities under Article 4 of Law 5160/2024.),
  2. Ministerial Decision 1645/2025 (Amendment of Joint Ministerial Decision 2025 – Creation of a digital platform for the registration of entities under Article 4 of Law 5160/2024.),
  3. Ministerial Decision 1689/2025 (National Cybersecurity Requirements Framework for Essential and Important Entities.)
• Law 5086/2024 relates to the establishment of the National Cybersecurity Authority, as an independent legal entity governed by public law.
• Law 4961/2022 on the “Emerging Information and Communication Technologies, Strengthening of Digital Governance and other provisions”.
• Law 5002/2022 on the “lifting of the secrecy of communications process, cybersecurity issues and protection of citizens’ personal data issues”.
• Law 4727/2020 regarding “Digital Governance (Transposition into Greek Legislation of Directive (EU) 2016/2102 and Directive (EU) 2019/1024) – Electronic Communications (Transposition into Greek Legislation of Directive (EU) 2018/1972) and other provisions”.
• Ministerial Decision No. 1027/2019, issued by the Minister of Digital Governance, which specifies the implementation, and the procedures provided under Law 4577/2018.
• Regulation 28/2024 by the Hellenic Authority for Communication Security and Privacy (ADAE) defines the technical and organizational measures that must be taken by all providers of public electronic communications networks or publicly available electronic communications services to ensure the confidentiality of communications and the appropriate risk management with regard to the security of networks and services. This Regulation repealed ADAE’s Regulation No. 205/2013, concerning the Security and Integrity of Networks and Electronic Communication Services.
• Law 4411/2016, which transposed Directive 2013/40/EU into Greek law, on attacks against information systems.
• Law 4070/2012, in relation to the operation of electronic communications networks and the provision of electronic communications services.
• Art. 386A of the Greek Penal Code, regarding fraud committed via a computer.
• Law 3674/2008, which concerns the ensuring of telephone communication confidentiality.

Although the following are not legislation per se, they are included for reasons of completeness:

• The Hellenic Cybersecurity Authority (HCA) of the Ministry of Digital Governance has issued its National Cybersecurity Strategy for the period 2020–2025.
• The HCA has issued a Cybersecurity Handbook regarding best practices for protection and resilience of information systems.
• The HCA issued a cybersecurity self-assessment tool for companies, based on the Cybersecurity Handbook. This is a tool through which organizations can conduct a self-assessment of the security level of their systems and computers.

According to Law 5160/2024 essential entities may be subject to a fine of up to ten million (10,000,000) euros or up to 2% of the total worldwide annual turnover of the undertaking to which the essential entity belongs, for the preceding financial year, whichever is higher. Important entities may be subject to a fine of up to seven million (7,000,000) euros or up to 1.4% of the total worldwide annual turnover of the undertaking to which the important entity belongs, for the preceding financial year, whichever is higher.

Furthermore, the ADAE is entitled to address a recommendation for compliance with a certain provision of the law (being complemented by a warning for the imposition of sanctions in the case of a recurrence of the violation of the law governing the confidentiality of communication or the prerequisites and the procedure related to its declassification being substantiated), while it may also impose an administrative fine ranging from €15,000 to €1.5 million (Art. 11 of Law 3115/2003).

Fines varying from €20,000 to €5 million may be imposed on telecommunication operators if they fail to comply with the obligations set out in Law 3674/2008.  Under Art. 11 of Law 3674/2008, the ADAE, in case of a violation of Arts 2–8 of said Law, can either impose a fine or set the operator a deadline for compliance.  In case of severe violations, the ADAE transfers the file to the EETT, which has the right to impose the suspension or revocation of the right to provide telephony services.

In addition, should providers of public electronic communications networks or publicly available electronic communications services fail to provide the information necessary to assess the security of their networks and services, including documented security policies to the ADAE or to be subject to its security control or generally to comply with the obligations set out in Art. 148 of Law 4727/2020, the ADAE may impose one of the following penalties: (a) a recommendation for compliance within the time limits set by the notice of a fine in the event of non-compliance; and (b) a fine from €15,000 to €1.5 million (under Art. 149 of Law 4727/2020).

Art. 15 of Law 4577/2018 provides for the competence of the Minister of Digital Governance, following a relevant recommendation issued by the HCA, to impose on: (a) essential service operators; and (b) digital service providers, fines ranging from €15,000 to €200,000 when the aforementioned persons do not notify Incidents entailing a serious impact on the operation of their services or they do so but with undue delay, and fines ranging from €50,000 to €200,000 when these persons do not undertake appropriate and proportionate, technical and organisational measures on a provisional basis to manage the risks related to the security of the networks and information systems used for such services.  In case any natural/legal person does not provide – or provides with undue delay – any relevant information required in the context of inspections or Incident investigation, the Minister of Digital Governance, following a relevant recommendation issued by the HCA, may impose on  them a fine ranging from €50,000 to €200,000.

Art. 42 of Law 4961/2022 provides that if that an essential service operator or digital service provider as defined by law 4577/2018 or any municipality fails to comply with the obligations laid down in Arts 35 and 36, Art. 37 par. 2, Art. 38 par. 1 and Art. 40 of Law 4961/2022, the competent body of the Ministry of Digital Governance, following a reasoned recommendation of the HCA, may impose the following sanctions, in this order of priority:

1. a recommendation to the entity;
2. a reprimand to the operator, if it is established that the operator, despite the prior recommendation of the HCA, has not complied with its recommendations;
3. a fine of up to €15,000 if the entity fails to comply with the reprimand; and
4. in the event of a repeat offence, a fine of up to €100,000.

In Greece, the regulation and oversight of artificial intelligence (AI) are shaped by both national initiatives and the implementation of European Union legislation, particularly the AI Act.

Under Law 4961/2022, Greece has established a dedicated governance structure to coordinate and oversee the national AI strategy:

• The Coordination Committee for AI, tasked with decision-making regarding the implementation and continuous improvement of the National Strategy on AI. It formulates national priorities, proposes policy actions, and addresses potential impacts of AI systems on fundamental rights.
• The Supervisory Committee for the National Strategy on AI, operating within the Ministry of Digital Governance, monitors implementation progress, ensures compliance with the Coordinating Committee’s decisions, and facilitates inter-agency coordination.
• The AI Observatory, under the General Secretariat for Digital Governance and Simplification of Procedures, collects implementation data, supports policy design, and tracks key indicators related to AI deployment, education, and impact on fundamental rights.

In light of the European Union’s AI Act, Greece has recently taken a major step toward compliance by publishing the national list of authorities responsible for the enforcement and supervision of obligations related to the protection of fundamental rights when high-risk AI systems are used. These authorities include:

• The Hellenic Data Protection Authority
• The Greek Ombudsman
• The Hellenic Authority for Communication Security and Privacy (ADAE)
• The National Commission for Human Rights

These bodies will have additional powers from 2 August 2026, including access to documentation maintained by organizations to ensure compliance with the AI Act, within the scope of their jurisdiction. The list has been notified to the European Commission and will be updated as required by evolving national and EU frameworks.

At the national level, Law 4961/2022 constitutes the main legal framework governing artificial intelligence in Greece. Its objective is to establish an institutional framework that safeguards the rights of natural and legal persons while promoting transparency, accountability, and the legitimate use of AI technologies across both the public and private sectors. Key provisions of the law include:

• Restrictions on public sector use of AI in decision-making, permitted only where explicitly provided for by law and accompanied by adequate safeguards for fundamental rights.
• Mandatory algorithmic impact assessments prior to deployment of AI systems in the public sector, along with a public register of AI systems used by government bodies.
• In the private sector, specific obligations for medium and large enterprises, such as maintaining internal AI system registers when these systems are used in employment decision-making or consumer profiling.
• The obligation for companies to adopt an ethical data use policy, outlining the procedures and measures implemented to ensure fairness, transparency, and ethical treatment in the context of AI usage.

In addition to national legislation, the European Union’s Artificial Intelligence Act (AI Act) – adopted on 12 July 2024 – marks a fundamental shift in AI governance across the EU. It introduces a risk-based framework, categorising AI systems into four tiers: unacceptable, high, limited, and minimal risk. Systems classified as “unacceptable risk” are outright prohibited, while “high-risk” systems are subject to strict conformity and transparency obligations. The AI Act also includes provisions specific to general-purpose AI (GPAI) and foundation models.

The AI Act is a Regulation, directly applicable in all Member States, including Greece, without the need for national transposition. However, Member States are required to designate national competent authorities, including notifying bodies and market surveillance authorities, by mid-2025 to ensure effective implementation.

Furthermore, the General Data Protection Regulation (GDPR) also applies to AI systems, particularly where personal data is used or where automated decision-making affects individuals. Controllers must comply with:

1. Article 22 GDPR, which restricts decisions based solely on automated processing with legal or significant effects on individuals;
2. The obligation to carry out a Data Protection Impact Assessment (DPIA) under Article 35, especially for high-risk AI systems involving personal data;
3. Principles of data minimization, transparency, fairness, and purpose limitation (Article 5 GDPR).

The EU Artificial Intelligence Act, adopted in May 2024, introduces binding provisions directly applicable in Greece, specifically addressing general-purpose AI models (GPAI) such as Large Language Models (LLMs) and generative AI systems. The regulation adopts a risk-based approach and includes dedicated rules for general-purpose AI models, especially those posing “systemic risks.” To ensure safe and transparent AI, the AI Act puts in place rules for providers of such models. This includes transparency and copyright-related rules. For models that may carry systemic risks, providers should assess and mitigate these risks. The AI Act rules on general-purpose AI apply from 2 August 2025.

Also, the AI Office has been facilitating the drawing-up of a Code of Practice to detail out these rules. The Code was published on July 10, 2025. In the following weeks, Member States and the Commission will assess its adequacy. Additionally, the code will be complemented by Commission guidelines on key concepts related to general-purpose AI models, to be published still in July. After the Code is endorsed by Member States and the Commission, AI model providers who voluntarily sign it can show they comply with the AI Act by adhering the Code.

In Greece, apart from the general provisions of the Civil and Commercial Code, there are currently no mandatory statutory provisions specifically addressing AI-related risks in technology contracts. However, the emerging trend is to include contractual clauses dealing with AI risk, typically covering issues such as liability allocation, transparency, data protection, and compliance with ethical and regulatory standards. This trend is largely driven by Law 4961/2022, on “Emerging IT and communications technologies, strengthening digital governance and other provisions”, which establishes a national legal framework for emerging technologies, including AI.

The following obligations Mandatory provisions are required by Law 4961/2022 and apply to both public and private sector entities:

1. AI systems recording
2. Provision of legal basis
3. Algorithmic impact assessment
4. Record keeping with AI systems
5. Transparency obligations/information rights

According to this national legal framework, every public contract involving the design or development of an AI system must include:

• Transparency guarantees (i.e. to provide information to the public sector body to ensure the transparent operation of the system)
• Access to system parameters for improvement (i.e. the supply or services contract for the design or development of an AI system must ensure that the AI system is delivered to the public sector body under conditions that allow the public sector body to study its functionality and its decision-making parameters and to make improvements).
• Compliance with human rights, privacy, and anti-discrimination laws (i.e. to take appropriate measures in designing, developing, and operating an AI system, to ensure its compatibility with the legal framework).

Although technology agreements usually take the form of software licences, some are much more complex. In many cases, the organisation procuring the technology services provides a solution that includes multiple components. This is important to bear in mind when drafting a technology agreement to avoid any ambiguity, to explicitly describe the parties’ obligations, to include charges covering all the components and to foresee all possible risks that may lead to a breach of contract or exposure to liabilities. Depending on the technology agreement, various chapters of the Civil Code may be applicable (i.e., sales contracts, work contracts, service contracts).

It is common for software and technology services or technology agreements to include clauses that limit the liability of the provider. As issues of civil and criminal claims from defective AI systems are already starting to arise, the tendency to cover risks and to limit liability up to certain amounts has also become noticeable in practice.

It is important to note that from a judicial point of view, clauses that extensively limit the liability of the professional against the consumer in B2C agreements – especially if they have not been negotiated – are usually considered as abusive and, thus, null and void. On the other hand, in B2B agreements under which the parties usually demonstrate similar bargaining powers, the freedom of the parties supersedes, unless one party has acted maliciously or in a grossly negligent manner or has acted without previous experience and knowledge in this type of agreement, thus demonstrating a disadvantage in bargaining.

Under Greek law, the protection of copyright and ownership of outputs in the context of AI is primarily governed by Law 2121/1993 on Copyright and related rights, as supplemented by other statutory provisions. According to Article 2(1) of Law 2121/1993, a work is defined as any original intellectual creation expressed in any form, provided that it reflects human intellectual effort. Consequently, copyright protection presupposes a degree of human intervention, such as the selection of input data or parameters determining the operation of the system. Works generated autonomously and exclusively by AI systems, without substantive human contribution, are not copyrightable under Greek law. Conversely, where AI serves as an auxiliary tool and the human user exercises creative control, rights may vest in the human creator, although the extent of such contribution is often difficult to assess.

Software, computer programs and databases enjoy protection under Law 2121/1993, while databases also benefit from a sui generis right safeguarding the maker’s investment. Technology agreements in Greece therefore typically incorporate explicit clauses addressing intellectual property rights, not only to ensure compliance with statutory requirements but also to allocate risk contractually. Such agreements usually stipulate ownership of AI-generated outputs in favour of the customer, subject to third-party rights, and include IP warranties and indemnity provisions to mitigate exposure arising from infringement claims. This practice remains essential, particularly in cloud computing and AI-driven environments, where the risk of disruption due to third-party claims persists.

It is also relevant to note that Law 4961/2022 on emerging technologies imposes specific obligations on public sector entities deploying AI systems, including the preparation of an algorithmic impact assessment prior to operation. While these provisions are directed at public bodies, they inform best practices in the private sector by emphasizing transparency and risk management concerning data categories processed or generated by AI, as well as the potential impact on the rights and legitimate interests of individuals.

In Greece, the legal framework governing blockchain and digital assets is still evolving but has been significantly shaped by recent national and EU legislation. At the national level, Law 4961/2022 on emerging technologies introduced definitions and fundamental principles for blockchain and distributed ledger technologies (DLT), aiming to promote innovation while ensuring compliance with legal and regulatory standards. The law sets out principles for transparency, interoperability, and security in blockchain-based systems, primarily in the context of public and private sector adoption.

Furthermore, Law 5113/2024 supplements this framework by providing additional technical standards and governance requirements for blockchain applications, reinforcing trust and operational resilience. While these laws do not yet create a comprehensive regulatory regime for all blockchain uses, they represent the first legislative steps toward formal recognition and oversight of DLT in Greece.

With respect to digital assets, the primary national instrument remains the Anti-Money Laundering Law (Law 4557/2018), which expressly defines virtual currencies and imposes registration and compliance obligations on virtual asset service providers (VASPs) in line with the EU AML directives. This law focuses on combating financial crime by ensuring transparency in transactions involving crypto-assets.

At the EU level, the Markets in Crypto-Assets Regulation (MiCA) introduces a harmonized regime for the issuance and provision of services related to crypto-assets, aiming to enhance investor protection, market integrity, and transparency. MiCA establishes strict licensing, governance, and disclosure requirements for crypto-asset service providers and issuers, which will directly apply in Greece. In addition, certain blockchain-based financial instruments may fall within the scope of Law 4514/2018, which transposed MiFID II, necessitating careful assessment of each application to determine whether it constitutes a regulated investment service or financial instrument.

From a data protection perspective, blockchain raises important compliance issues under the GDPR. The European Data Protection Board (EDPB) recently published Draft Guidelines 02/2025 on the processing of personal data through blockchain technologies, which are under public consultation. These guidelines provide a legal and technical framework for identifying controllers and processors in decentralized environments, addressing critical aspects such as data minimization and the exercise of data subject rights in immutable ledgers.

Under Greek Law 5160/2024, which implements the NIS2 Directive, both search engines and online marketplace providers fall within the category of “digital providers” as outlined in Annex II of the legislation. Therefore, the obligations set in the law apply to those entities as well. These obligations include registration obligations on the National Cybersecurity Authority, implementation of cybersecurity measures, incident reporting obligations and appointment of an Information and Communication Systems Security Officer (ICSSO).

Regulation 2019/1150 applies to online intermediation services and online search engines provided, or offered to be provided, to business users and corporate website users, respectively, that have their place of establishment or residence in the Union and that, through those online intermediation services or online search engines, offer goods or services to consumers located in the Union, irrespective of the place of establishment or residence of the providers of those services and irrespective of the law otherwise applicable. The purpose of this Regulation is to contribute to the proper functioning of the internal market by laying down rules to ensure that business users of online intermediation services and corporate website users in relation to online search engines are granted appropriate transparency, fairness and effective redress possibilities. Following the above, all the obligations arising from Regulation 2019/1150 govern search engines and marketplaces.

Online marketplaces and search engines are also impacted by the Digital Services Act (DSA) and the Digital Markets Act (DMA). The Digital Services Act and the Digital Market Act form a single set of rules that apply across the whole EU and have two main goals:

1. to create a safer digital space in which the fundamental rights of all users of digital services are protected;
2. to establish a level playing field to foster innovation, growth, and competitiveness, both in the European Single Market and globally.

The regulatory framework applicable to social media and online platforms in Greece comprises both EU instruments and national implementing laws, with the objective of ensuring transparency, safety, cybersecurity, and fair market conduct in digital services. The principle laws that govern social media and online platforms are the following:

1. Digital Services Act (DSA) – Regulation (EU) 2022/2065 and Greek Law 5099/2024: The DSA, fully applicable since 17 February 2024, establishes harmonized rules for digital intermediary services targeting users in the EU, regardless of the provider’s country of establishment. It introduces layered obligations for online platforms, including:

• Notice-and-action mechanisms for illegal content,
• Transparency in terms of service and recommender systems,
• Special risk assessment and mitigation duties for Very Large Online Platforms (VLOPs)

In Greece, the DSA is complemented by Law 5099/2024, which

• Establishes national supervisory bodies for DSA enforcement,
• Defines procedural rules and sanctions for non-compliance, and
• Designates competent authorities for oversight in the domestic market.

2. Audiovisual Content and User-Generated Media (Law 4779/2021): This law transposes the Audiovisual Media Services Directive (2018/1808/EU) and brings video-sharing platforms and social media services under Greek jurisdiction with respect to their audiovisual content, provided such content (user-generated or otherwise) is a principal function of the service and serves an informational, educational or entertainment purpose, absent editorial control. Obligations include:

• Protection of minors,
• Restrictions on hate speech and incitement to violence,
• Requirements for audiovisual commercial communications.

3. Presidential Decree 131/2003 (Platform Liability): Social media platforms are also regulated under PD 131/2003, which transposed the E-Commerce Directive (2000/31/EC). The decree offers liability exemptions for intermediary services (hosting, caching, mere conduit) as long as providers remain neutral and act expeditiously upon acquiring knowledge of illegal content.

4. NIS2 Directive and Greek Law 5160/2024 (cybersecurity obligations): Law 5160/2024 transposes the NIS2 Directive, expanding the scope of cybersecurity obligations to include providers of social networking services as “important entities”. These providers are now subject to:

• Risk management and incident reporting obligations,
• Governance and compliance measures,
• Oversight by competent national cybersecurity authorities.

5. GDPR and Law 4624/2019 (Data Protection and Privacy): Social media platforms are subject to the General Data Protection Regulation (GDPR), implemented through Law 4624/2019, and to Law 3471/2006 (E-Privacy Directive), governing electronic communications and data processing.

The most severe sanctions under the applicable online safety laws derive from directly applicable EU regulations and their national implementation:

• Under the Digital Services Act (DSA), regulators may impose administrative fines of up to 6% of the provider’s total annual worldwide turnover for violations of the DSA. In Greece, enforcement is governed by Law 5099/2024.
• Under the General Data Protection Regulation (GDPR), breaches involving personal data can trigger fines of up to €20 million or 4% of global turnover, whichever is higher.
• For violations of audiovisual content rules under Law 4779/2021, the National Council for Radio and Television may impose fines up to €500,000 per infringement and, in exceptional cases, suspend access to content or services.
• Under the NIS2 Directive, transposed into Greek law via Law 5160/2024, social media platforms deemed “important entities” may face fines up to €7 million or 1.4% of annual turnover for failure to implement cybersecurity and incident response obligations.

In addition to financial penalties, criminal sanctions may apply in cases involving illegal content (e.g. child sexual abuse or hate speech).

Spatial computing technologies in Greece, including AR, VR, XR, and the metaverse, are not subject to a standalone regulatory framework but fall under existing regimes governing data protection, cybersecurity, and intellectual property. The GDPR applies fully, particularly for biometric data, consent, and transparency, raising challenges in defining roles and jurisdiction within multi-layered virtual environments. Cybersecurity obligations derive from EU Directive 2022/2555 (NIS 2), implemented through Law 5160/2024, while the upcoming EU Cyber Resilience Act (CRA) will introduce additional obligations for digital products. Greek Laws 5002/2022 and 4961/2022 reinforce cybersecurity and digital governance measures. Devices such as VR headsets are subject to the General Product Safety Regulation (EU) 2023/988, which mandates appropriate cybersecurity safeguards.

Intellectual property remains a key concern in the metaverse. Issues include unauthorized trademark use, NFT-related fraud, and AI-generated content, all governed by Law 2121/1993 on copyright and Law 4679/2020 on trademarks. Enforcement remains challenging in decentralized environments.

Furthermore, the Greek legislator has addressed legal uncertainties surrounding smart contracts, a technology closely linked to blockchain applications that may underpin virtual environments. Law 4961/2022 establishes rules on the validity and evidentiary value of smart contracts, providing that such contracts are null and void if they meet the conditions for nullity applicable to traditional agreements (Article 49 §§ 2–3). If a blockchain registration or transaction is deemed invalid, courts may order restoration of property to its prior state, which could include reversing a blockchain entry or awarding compensation (Article 47 § 5). These provisions aim to provide legal certainty and ensure effective remedies in disputes involving smart contract-based transactions.

Although no specific legislation for the metaverse currently exists, EU and Greek regulatory developments in data protection, cybersecurity, blockchain, and smart contracts indicate a trend toward building a robust legal framework to address emerging risks in immersive digital environments.

There are currently no specific laws in force or proposed that directly govern quantum computing or quantum cryptography. Existing general frameworks on cybersecurity and data protection may become relevant as the technology evolves.

Yes, Greece has adopted a number of legislations that apply to data centres. Key pieces of legislation include:

• Law 5069/2023, which sets out building terms, construction requirements, and permissible land uses for data centres, amending Law 4442/2016.
• Law 4933/2022, which transposes Directive (EU) 2019/2161 and includes provisions on consumer protection and transparency.
• Law 5160/2024, which transposes the NIS 2 Directive, establishing enhanced cybersecurity obligations for essential and important entities.
• Law 4014/2011, which governs the environmental permitting procedures.
• Law 4759/2020, which relates to the modernization of spatial and urban planning.
• Law 4864/2021, which introduces strategic investment incentives.

Changes and innovations in technology law are and are expected to be rapid in the next years. In particular, only some of the sectors where significant growth is expected are the following:

1.AI and Automated Processes: The relationship between humans and AI technologies is expected to be a significant focus of the next three years. Greek and EU legislators and regulators will need to address the complexity and predictability of AI technologies, and to ensure that ethical principles are upheld without compromising the economic value of emerging markets. In addition, product liability litigation (covering software, AI and other emerging technologies related products and services) is expected to play an important role in Greece.

2. Cybersecurity Regulations: The new Greek Cybersecurity Law will bring higher requirements for cybersecurity readiness, as well as additional compliance obligations for entities and organizations. In addition, the efforts to strengthen Greece’s cybersecurity framework are expected to intensify.

3. Emerging Technologies Legislation: Greece has already adopted new legislation on emerging information and communication technologies. This trend is expected to continue, with new legislation being introduced to strengthen digital governance and address the challenges posed by novel technologies, including IoT and robotics.

That is not usually the case.