
NIS2 for Greek SMEs: what you actually need to do

by Datatrek SOC (3-minute read)

NIS2 (Directive (EU) 2022/2555) became applicable across Greece in October 2024. We've spent the last 18 months helping SMEs in Crete and Athens align with it. The good news: most of what NIS2 expects is what a competent IT team already does. The bad news: "competent IT team" is exactly the rare resource SMEs don't have.

This post is the engineer's checklist — the tactical version, not the consultant's slide deck.

Who is in scope?

Two categories, simplified:

  • Essential entities — energy, transport, banking, healthcare, drinking water, digital infrastructure (data centers, DNS, TLDs, cloud), public administration. ~250+ employees or ~€50M turnover.
  • Important entities — postal services, waste management, food, manufacturing of certain products, digital providers, research. ~50+ employees or ~€10M turnover.

If your SME provides any of the above services to anyone in scope, you're likely in scope as a supplier.

What NIS2 actually requires (technical)

The directive lists ten categories of "minimum measures." Translated to engineer-speak:

  1. Risk analysis & policies — write down what you're protecting, what could break it, what you'll do if it does.
  2. Incident handling — detection, triage, response, post-mortem. Documented, not just "we're good at it."
  3. Business continuity — backup strategy, disaster recovery plan, crisis management.
  4. Supply-chain security — your suppliers' security is your problem now. Track it.
  5. Acquisition & maintenance security — vulnerability handling, patch management, secure SDLC.
  6. Effectiveness measurement — you have to evaluate whether your measures work. Reports, audits, metrics.
  7. Cyber hygiene & training — for all staff, not just IT.
  8. Cryptography — appropriate use, where appropriate.
  9. Access control & asset management — know what you have, know who can touch it.
  10. MFA, secure communications, secure emergency comms — yes, MFA is now law-adjacent.

The 24/72-hour reporting clock

When you have a "significant" incident, you have:

  • 24 hours for an early warning to the national CSIRT (in Greece: Hellenic Cybersecurity Centre / NCSA).
  • 72 hours for an incident notification.
  • One month for a full final report.

"Significant" is defined broadly enough that most ransomware events qualify.

What SMEs typically miss

In the dozen-plus engagements we've done in the last year, the same gaps come up:

  • No documented incident response runbook. "Call Yannis" is not a runbook.
  • Backups exist, but immutability does not. A ransomware crew with domain admin will delete backups before encrypting. Object Lock is the answer.
  • Patch management is reactive. "We update when there's a problem" gets you breached.
  • No log retention. When you discover a breach 3 months later, you need 5 months of logs to investigate. Most SMEs have 7 days.
  • Effectiveness measurement is informal. NIS2 wants reports. Generate them; audit them; archive them.
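The Object Lock point above is easy to get half right: a bucket can have Object Lock "on" while still using GOVERNANCE mode (which any principal granted s3:BypassGovernanceRetention can lift) or a retention window shorter than the backup cycle. The following audit function is an added example for this post, not Datatrek tooling; it consumes the dict shape that boto3's `get_object_lock_configuration()` returns, and the 35-day target and the two sample configurations are assumptions constructed for illustration.

```python
"""Audit an S3 bucket's Object Lock settings against a backup retention target.

Example code added to this post (not Datatrek's own tooling). It takes the
dict returned by boto3's s3.get_object_lock_configuration(Bucket=...), so it
runs unchanged against a live bucket or, as below, against constructed samples.
Note: on a bucket that never had Object Lock configured, that boto3 call
raises ObjectLockConfigurationNotFoundError rather than returning a dict.
"""
from __future__ import annotations

MIN_RETENTION_DAYS = 35  # assumption: backups must stay immutable for 5 weeks


def audit_object_lock(config: dict, min_days: int = MIN_RETENTION_DAYS) -> list[str]:
    """Return a list of findings; an empty list means the bucket passes."""
    findings: list[str] = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        # Versioning alone does not stop a principal holding the backup
        # credentials from deleting object versions; Object Lock does.
        return ["Object Lock is not enabled on the bucket"]
    retention = lock.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("Object Lock enabled but no default retention rule: "
                        "new objects are only locked if each PUT sets one")
        return findings
    # GOVERNANCE retention can be shortened or removed by any principal with
    # s3:BypassGovernanceRetention; COMPLIANCE retention cannot be shortened.
    if retention.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode is {retention.get('Mode')}, not COMPLIANCE")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention is {days} days, below the {min_days}-day target")
    return findings


# Constructed sample configurations (not taken from any real account).
WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
HARDENED = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}}

if __name__ == "__main__":
    # To audit a live bucket instead:
    # config = boto3.client("s3").get_object_lock_configuration(Bucket="my-backups")
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_object_lock(cfg) or ["OK"])
```

Run it as part of the monthly effectiveness report so the "backups are immutable" claim is backed by a recorded check rather than an assumption.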

How Datatrek aligns

Every service we run produces NIS2-aligned artifacts:

  • XEDR → incident timelines, host-isolation logs, agent inventory.
  • SIEM → 5-month log retention, correlation rules, monthly reports.
  • XNDR → topology evidence, persistence audits, port-drift logs.
  • Vulnerabilities → continuous scans, severity reports, patch verification trail.
  • S3 Backup → Object Lock, snapshot history, restore tests.

Each one is mapped to the directive's 10 minimum measures. We share the alignment matrix with prospective clients so the conversation skips the usual security-marketing layer.

Talk to us about NIS2