The principal laws and regulations governing the Greek banking sector are the following.

• Law 4261/2014 (Law 4261), implementing in Greece Directive 2013/36/EU (CRD IV), and Regulation (EU) 575/2013 (CRR), as amended, among others, by Regulation (EU) 2019/876 (CRR 2) and Regulation (EU) 2024/1623 (CRR 3). CRD IV has been amended by Directive (EU) 2024/1619 (CRD VI), which is to be transposed into Greek law by 10 January 2026. Law 4261 has been amended, among others, by Law 4799/2021, which transposed Directive 2019/878/EU (CRD V) into Greek law. Law 4261 sets out, inter alia, the provisions as regards:
• the establishment, authorisation and operation of credit institutions;
• the EU passport procedure and the licensing requirements in relation to third-country credit institutions providing banking services in Greece;
• the prudential supervision rules applicable to credit institutions established in Greece;
• the powers of supervisory authorities and the administrative penalties they may impose on credit institutions;
• the corporate governance of credit institutions; and
• the introduction of certain capital buffers to be maintained by credit institutions (in addition to the requirements of CRR as in force).
• Law 4335/2015, as amended (Law 4335), implementing in Greece Directive 2014/59/EU (BRRD) on the recovery and resolution of credit institutions and investment firms. Law 4335 has been amended by law 4799/2021, which transposed, among others, Directive 2019/879/EU (BRRD II) into Greek law.
• Law 4557/2018, as amended by Law 4734/2020 and Law 4816/2021 (the “AML Law”) setting out the anti-money laundering and countering the financing of terrorism (AML/CFT) framework. The AML Law implements Directives 2015/849/EU (“4th AML Directive”), 2018/843/EU (“5th AML Directive”) and 2018/1673/EU in Greece. On 19 June 2024, the EU introduced a new legislative toolkit comprising Regulation (EU) 2024/1620, Regulation (EU) 2024/1624 (AMLR) and Directive (EU) 2024/1640 (“6th AML Directive”), aiming to harmonise AML/CFT rules across EU member states. The 4th AML Directive will be repealed by the 6th AML Directive. The majority of new rules under the 6th AML Directive (as the measures will be transposed into Greek law) and under AMLR will apply as of 10 July 2027.
• Law 4370/2016, as amended, transposed into Greek law, among others, Directive 2014/49/EU (the “Directive on Deposit Guarantee Schemes”).
• Law 2251/1994 on consumer protection, as amended and codified by Ministerial Decision 5338/2018, as currently in force (the “Consumer Protection Law”).

Depending on the type of services offered to clients, credit institutions should also comply with other laws of the financial sector, including the following.

• Regulation (EU) 600/2014 (MiFIR), as amended, among others, by Regulation (EU) 2024/791 and Law 4514/2018, as amended, transposing Directive 2014/65/EU, as amended (MiFID II) in Greece as regards the provision of investment services.
• Law 4537/2018 transposing Directive 2015/2366/EU (“PSD2”) in Greece as regards the provision of payment services. Regulation (EU) 2024/886 as regards instant credit transfers in euros amends PSD2 and requires member states to adopt, publish and apply supplementing measures by 9 April 2025, while we are still anticipating the local supplementing measures to be adopted.
• Regulation (EU) 2023/1114 (“Markets in Crypto-Assets Regulation”, or MiCAR) and Law 5193/2025, as well as the delegated and implementing acts as regards the provision of crypto-asset services.

In addition to the laws of the banking sector, Greek credit institutions should also comply with other laws, including Law 4548/2018 on sociétés anonymes, Law 4706/2020 on corporate governance of listed entities, as applicable, as well as Regulation (EU) 2016/679 (“General Data Protection Regulation”) and Law 3471/2006.

The above laws are supplemented by Acts passed by the Bank of Greece (BoG), including the following:

• BoG Governor’s Act 2501/2002, as amended and currently in force, on the information that credit institutions must provide to their customers;
• BoG Act 392/31.05.2021 on the revision of the Code of Conduct under Greek Law 4224/2013;
• BoG Act 243/2/07.07.2025 endorsing the European Banking Authority’s (EBA) guidelines on internal governance (EBA/GL/2021/05). In brief, BoG Act 243 replaces the previous governance provisions set out in BoG Governor’s Act 2577/2006 and introduces a new comprehensive internal governance framework aligned with EU requirements;
• BoG Executive Committee Act 178/2020 as regards the outsourcing of activities;
• BoG Executive Committee Act 229/10.05.2024 on the determination of the initial capital structure for the issuance of an incorporation and operation license; and
• guidelines issued by the European Central Bank (ECB), the European Banking Authority (EBA) and other EU authorities.

The BoG is the national competent authority supervising the banking sector and exercising prudential supervision over Greek credit institutions. However, within the Single Supervisory Mechanism (SSM), the ECB directly supervises the following significant credit institutions authorised in Greece:

• Alpha Bank SA;
• Eurobank SA;
• National Bank of Greece SA; and
• Piraeus Bank SA.

Less significant credit institutions are supervised directly by the BoG, which is the competent authority for overseeing entities of the financial sector, including payment institutions, credit companies and credit servicing firms. The ECB may also collect data from certain less significant credit institutions as per Regulation (EU) 2015/534 on the reporting of supervisory financial information, as amended by, among others, Regulation (EU) 2025/1958.

The BoG is also the national resolution authority and, along with the Single Resolution Board (SRB), is established within the Single Resolution Mechanism to exercise the resolution powers. The SRB is competent for the credit institutions supervised directly by the ECB.

In addition, the BoG is responsible for supervising the compliance of credit institutions with the AML/CFT framework.

Further, the BoG is, in principle, the competent authority under MiCAR with respect to credit institutions offering crypto-asset services or issuing certain crypto-assets as per Law 5193/2025.

The Hellenic Capital Market Commission (HCMC) is the competent authority for monitoring the compliance of credit institutions with Law 4514/2018 with respect to investment services – with the exception of certain areas which remain under the authority of the BoG.

The HCMC is also responsible for monitoring compliance with market abuse legislation, including Regulation (EU) 596/2014 (“MAR”) and Law 4443/2016, which supplements the MAR in Greece.

Credit institutions established and operating in Greece must be authorised by the ECB, which co-operates closely with the BoG. Τhe authorisation of credit institutions in Greece is one of the “common procedures”, as defined in Regulation (EU) 468/2014 (“SSM Framework Regulation”) (ECB/2014/17), on which the final decision lies with the ECB.

Greek credit institutions may be established and may operate in Greece as:

• sociétés anonymes (which is the most common legal type);
• pure credit co-operatives under Law 1667/1986;
• European Societies (SE) under Regulation (EU) 2157/2001; or
• European Co-operative Societies under Regulation (EU) 1435/2003.

Greek credit institutions may be licensed to perform all banking activities listed in Annex I of CRD IV (“universal licence”), namely:

• the acceptance of deposits and other repayable funds;
• lending including, inter alia, consumer credit, credit agreements relating to immovable property, factoring, with or without recourse, financing of commercial transactions (including forfeiting);
• financial leasing;
• payment services as defined in Article 4(3) of the PSD2;
• issuing and administering other means of payment (ie, travellers’ cheques and bankers’ drafts) insofar as such activity is not covered by the above point;
• guarantees and commitments;
• trading for own account or for the account of customers in any of the following:
1. money market instruments (cheques, bills, certificates of deposit, etc);
2. foreign exchange;
3. financial futures and options;
4. exchange and interest-rate instruments; and
5. transferable securities;
• participation in securities issues and the provision of services relating to such issues, particularly underwriting;
• advice to undertakings on capital structure, industrial strategy and related questions, and on services relating to mergers and the purchase of undertakings;
• money broking;
• portfolio management or advice;
• safekeeping and administration of securities;
• credit reference services, including customer credit rating;
• safe custody services;
• issuing electronic money including electronic-money tokens as defined in article 3(1), point (7) of MiCAR;
• investment services and activities as well as ancillary services provided for in Law 4514/2018 (MiFID II services);
• issuance of asset-referenced tokens as defined in article 3(1), point (6), of MiCAR; and
• crypto-asset services as defined in article 3(1), point (16), of MiCAR.

As regards MiFID II services, credit institutions may also provide these in relation to DLT financial instruments, ie, financial instruments (under Law 4514/2018), which are issued by means of distributed ledger technology.

Greek licensed credit institutions intending to offer crypto-asset services must notify the BoG according to the procedure set out in MiCAR.

In addition to the above, the BoG may allow credit institutions to carry out other financial or ancillary activities, provided that the relevant risks are fully hedged.

Natural persons or legal entities that are not licensed credit institutions are prohibited from taking deposits or other repayable funds from the public. Moreover, the provision of credit/financing, in a professional capacity, is a regulated activity in Greece, which is allowed only to duly licensed credit institutions or certain financial institutions (such as Greek authorised credit companies).

EU licensed credit institutions may perform banking activities in Greece on the basis of the EU passport – ie, through their right to establishment or on a cross-border basis, provided that the EU licensed credit institution notifies the home member state’s authority that, in turn, transmits the notification to the BoG. If the EU credit institution wishes to establish a branch in Greece, the branch will be subject to certain local requirements (including the Greek AML framework).

Authorisation Process

The authorisation of a credit institution in Greece by the ECB/BoG is subject to the requirements set out in Law 4261 as supplemented by the BoG Act 244/3/25.07.2025 in conjunction with BoG Act 142/11.6.2018, as amended and in force, as well as other BoG Acts.

The BoG recently introduced an optional pre-application procedure (ie, prior to the submission of the formal application for authorisation) to assist candidates intending to establish a credit institution. This optional procedure aims to enable such parties to understand supervisory expectations and highlight issues where more preparation by candidates is needed. The pre-application process involves two meetings between interested parties and BoG officers, which can be held in person, online or on a hybrid basis. However, a final decision at the official authorisation procedure will be taken by the ECB.

A legal entity (which must already be established) must comply with at least the following when seeking authorisation as a credit institution in Greece.

• It must have fully paid-up initial capital equal to EUR18 million (for credit co-operatives, an amount of EUR6 million, and for the branches of third-country credit institutions EUR9 million) in accordance with the requirements of BoG Act 201/1/1.3.2022 and BoG Act 229/2/10.05.2024, as well as pay any additional funds that may be required in order to ensure that, during the first three years of operation, the own funds of the new credit institution will meet the expected capital requirements and the minimum initial capital requirement on a continuous basis.
• The calculation of any additional capital must take into account the forecasts in the business plan submitted and, in particular, the expected losses and risks to be incurred by the new credit institution. The relevant amount shall be deposited with the Bank of Greece prior to the granting of the operating licence.

The application must be submitted electronically via the dedicated web portal of the ECB, and must include:

• the information provided for in the provisions of Delegated Regulation (EU) 2022/2580 in conjunction with Law 4261, which sets out the requirements applicable in a uniform way through the EU, including:
• a programme of activities;
• financial information, including the funding sources and forecast information for three years (balance sheet, income statement and cash flow statement) as well as statutory financial statements (where applicable), a summary of the internal liquidity adequacy assessment and the risk management framework;
• a programme of operations (business plan), the structural organisation of the credit institution (including an indication of the parent undertakings, financial holding companies and mixed financial holding companies within the group) and the internal control systems and the auditors; the programme of operation must include a three-year business plan with the scope of work, the timetable for achieving the objectives of the credit institution, the structure of the group to which it belongs and the framework of the internal control functions, including the internal audit, risk management and compliance functions and procedures required for compliance with its organisational obligations; and
• a set of policies and procedures (such as an AML policy, conflict of interest policy, outsourcing policy, business continuity plan and policy, IT/ICT policies, etc);
• the “fit and proper” questionnaires completed by the Board of Directors (BoD) and key function holders as per BoG Act 224/1/21.12.2023, who are subject to fit and proper assessment; the applicant must ensure that at least two persons who effectively direct the business will be employed on a full-time basis and be executive directors subject to fit and proper assessment;
• the qualifying holding questionnaires completed by persons/entities holding, indirectly, ownership or control; if no person or other entity has a qualifying holding, the application must include a list of the 20 largest shareholders; and 
• the additional local information as set out in the BoG Act 244/3/25.07.2025.

Participation in the Deposit Guarantee Scheme is also required.

Following the official submission of the application and the initial BoG assessment of the licensing application, the BoG proceeds to the submission of a proposal (ie, a draft decision) to the ECB, which makes the final decision. If the BoG considers that requirements have not been met, it will reject the licensing request.

Timing and Cost Estimates

According to Law 4261 the BoG/ECB must revert to the applicant with a decision (ie, to grant or refuse the licensing application) within six months from receipt of the application, which may be extended to within 12 months of receipt of the application. This assessment period commences following the official submission of the complete application and thus the pre-application procedure does not affect the above timeline.

Until 2025, no fees were required to be paid by applicants for the submission of the application to the BoG. However, the BoG introduced supervisory fees as by virtue of BoG Act 238/2/10.1.2025, which will apply as of 1 January 2026. As of that date, applicants seeking authorisation as credit institutions will have to pay an initial supervisory fee of EUR20,000 to the BoG, while credit institutions will be also subject to on-going fees to the bank.

In addition, applicants should take into account the fees paid to legal counsel and financial/technical advisers, as well as their participation in the deposit guarantee scheme.

Requirement to Notify the BoG

Any natural person or legal entity (or persons acting in concert) that has decided either to acquire, directly or indirectly, a qualifying holding in a credit institution (ie, at least 10% of the share capital or of the voting rights) or to further increase, directly or indirectly, such a qualifying holding in a credit institution as a result of which the proportion of the voting rights or of the capital held would reach or exceed 20%, 33.33% (one-third), or 50%, or so that the credit institution would become its subsidiary, must notify the BoG in advance in accordance with the qualifying holding process set out in Law 4261.

Documents Required

The proposed acquirer must submit a notification to the BoG accompanied by certain questionnaires and required supporting documents in relation to the persons/entities that will acquire (directly or indirectly) a qualifying holding in the credit institution. In certain cases, a (3 years) business plan that must contain a minimum set of information should also be submitted by the proposed acquirer.

Assessment by the BoG

The BoG will assess whether the potential acquisition complies with all regulatory conditions and will prepare a draft decision which is submitted to the ECB. The ECB will thereafter decide whether or not to oppose the acquisition on the basis of its assessment of the proposed acquisition and the BoG’s draft decision. In terms of timing, the regulators will assess the proposed acquisition within 60 business days from the date of the written acknowledgement of receipt of a complete file. This can be extended up to 90 business days from the receipt of a complete file without prejudice to the BoG’s right to extend the whole procedure further if necessary.

Other Qualifying Holdings

A person may be deemed to be acquiring a qualifying holding even in circumstances where they acquire less than 10% of the shares and voting rights, since the definition of qualifying holding also includes cases where a proposed acquirer is deemed to exercise a “significant influence” over the management of a credit institution. Under Law 4261, a prior notification to the BoG is also required with respect to the acquisition or increase of a holding that would reach or exceed 5% in the share capital or voting rights of a Greek credit institution. The BoG will, thereafter, conduct an ad hoc assessment and decide, within five business days, whether such acquisition or increase will constitute a significant influence, and if so, it will notify the proposed acquirer and carry out an assessment in light of the qualifying holding process.

Credit institutions are also subject to reporting requirements to the BoG (on becoming aware of any acquisitions or disposals of holdings which cause holdings to exceed or fall below the relevant thresholds, or where a change occurs, as well as on a regular basis within the context of reporting obligations).

Transparency and Other Disclosure Requirements

In addition to the aforementioned qualifying holding approval process, notification requirements under Law 3556/2007, as amended and in force (Law 3556), implementing the Transparency Directive (Directive 2004/109) in Greece, might also be triggered as regards the acquisition of significant shareholdings in entities whose shares are traded on a regulated market (noting that the majority of the significant Greek credit institutions are wholly owned by financial holding companies listed on ATHEX or are themselves listed on ATHEX). The shareholders should notify the issuer and the HCMC of the percentage of voting rights held by them if they directly or indirectly acquire or dispose of the shares of the issuer carrying voting rights and if, as a result of that acquisition or disposal, the percentage of their voting rights reaches or exceeds or falls below the applicable thresholds (ie, 5%, 10%, 15%, 20%, 25%, 33.33 % (one-third), 50% and 66.66% (two-thirds)) or reaches, exceeds or falls below the aforementioned applicable threshold as a result of corporate events changing the breakdown of voting rights or on the basis of information disclosed by an issuer. A notification obligation also lies with any shareholder who holds voting rights exceeding 10%, if such percentage changes by 3% or more, following acquisition or disposal of voting rights or other corporate events altering the breakdown of voting rights. New changes exceeding 3% create a new notification obligation.

Additional requirements may be also triggered under the competition law.

Creditinstitutions are subject to corporate governance requirements stemming from Law 4261, supplemented by BoG Act 243/2/07.07.2025 endorsing the EBA’s guidelines on internal governance (EBA/GL/2021/05) and replacing the previous governance provisions set out in BoG Governor’s Act 2577/2006 (BoG Act 243).

Other BoG Acts must also be taken into account for specific requirements (such as outsourcing, information and technology security arrangements, etc).

BoG Act 243 introduces a new, comprehensive and robust internal organisation and corporate governance framework aligned with the EU requirements that all Greek credit institutions must comply with on the basis of the proportionality principle (taking into account the nature, scale and complexity of the business and activities of the institution). The Act entered into force as of 14 July 2025 and provides for a transitional implementation period – ie credit institutions must adjust their internal governance arrangements no later than 1 October 2025.

The Board of Directors (BoD) of credit institutions is responsible for the implementation of corporate governance arrangements. In summary, BoG Act 243:

• establishes the clear roles and responsibilities of the BoD of credit institutions and their committees, including specific composition requirements for the BoD, with a particular focus on independent non-executive members; the Act makes a clear distinction between the executive and supervisory functions of the BoD and introduces detailed provisions on the roles of executive, non-executive and independent non-executive members;
• clearly defines the role of independent internal control functions (risk management, compliance and internal audit) and specifies the related responsibilities and independence requirements;
• promotes the development of a robust internal control framework and a holistic risk management framework (including management of risks such as all types of AML/CFT risks, ESG risks, and operational risks);
• fosters the development of a strong risk culture, the promotion of high ethical and professional standards through the establishment of a code of conduct, and the obligation to establish conflict-of-interest policies and whistle-blowing procedures; and
• redefines and provides for comprehensive reporting requirements towards the BoG with specific deadlines, taking into account their use for supervisory purposes.

Under BoG Act 243, Greek credit institutions must establish comprehensive internal governance arrangements, including organisational and substantive requirements as follows.

• A BoD bears ultimate and general responsibility for the credit institution, defines, oversees and is accountable for the implementation of governance arrangements ensuring effective and prudent management. At least two of the executive BoD members will be responsible for effectively directing the business of the institution. The BoD must clearly distinguish between executive and supervisory functions, including the separation of the duties of the chairman from the executive duties of the CEO. The role of the chairman is defined in BoG Act 243. It is recommended that the chairman be an independent, non-executive BoD member, and, in all cases, a non-executive BoD member. Significant institutions (being a G-SII or O-SII, or listed on ATHEX) must comply with the requirements set out in Law 4706/2020 as regards independent, non-executive members, while other institutions must have at least two independent non-executive members. The BoD must monitor and periodically assess the effectiveness of the credit institution’s governance arrangements and take appropriate steps to address any deficiencies.
• BoD Committees must be established. Significant institutions must establish, on an individual basis, a Risk Management Committee, a Nomination Committee and Remuneration Committee to make proposals for approval to the BoD. Credit institutions that are not deemed significant must establish a Risk Management Committee and may be required to establish other committees. All credit institutions must establish an Audit Committee in accordance with Law 4449/2017.
• Independent internal control functions comprising risk management, compliance and internal audit functions must be established, each with adequate powers, authority and resources, and organisationally independent from the business areas they monitor and control.
• An AML/CFT function is required that ensures compliance with AML/CFT conditions and may be established as part of the compliance function or as a separate organisational function, with a designated executive BoD member responsible for AML/CFT compliance as required by Law 4557/2018.
• Additional key function holders must be nominated, including chief financial officer, heads of internal control functions, and other designated persons in key roles; business continuity management arrangements; and comprehensive policies covering new products approval, outsourcing, IT/ICT systems, and conflict of interest management must be in place.

Code of Conduct Under Greek Law 4224/2013

Greek credit institutions must also comply with the requirements (including organisation requirements) stemming from the BoG Act 392/31.05.2021 on the revision of the Code of Conduct under Greek Law 4224/2013 when granting credit to customers.

Hellenic Corporate Governance Code

In addition, Greek credit institutions that are listed on the ATHEX must also comply with the corporate governance requirements of Greek law 4706/2020. In June 2021, a new Hellenic Corporate Governance Code (“the Code”) was issued by the Hellenic Corporate Governance Council for listed companies. The Code is voluntary and facilitates the formulation of corporate governance policies and practices, which listed companies must follow depending on the characteristics of each company.

Code of Ethical Conduct

The BoD shall develop, establish, maintain, and promote high ethical and professional standards, taking into account the specific needs and characteristics of the credit institution, and ensure the implementation of these standards (eg, through a code of conduct or other similar means). More specifically, the BoD must adopt a code of conduct to be applied by the BoD members, senior management, and all staff of the institution on the basis of generally accepted principles (such as diligence, effectiveness, responsibility, professional secrecy, etc). In addition, it supervises compliance with these standards by staff.

The members of the BoD and senior management are proposed by the nomination committee to the BoD or the shareholders’ general meeting, respectively, on the basis of suitability assessment carried out taking into account the suitability criteria including their honesty, integrity and independence of mind promoting the diversity of the management bodies. If no nomination committee has been established, such duties are undertaken by the non-executive member of the BoD. Senior management (including the key function holders) is finally appointed by the BoD, and directors are elected by the shareholders’ general meeting. A suitability policy (including the selection, nomination and appointment) for BoD members and key function holders must be adopted in accordance with BoG Act 224/1/21.12.2023.

“Fit and Proper” Assessment

The BoD members and the senior managers of Greek credit institutions must meet specific suitability requirements and are subject to “fit and proper” assessment by the BoG/ECB (as the case may be) to assess that the BoD members and senior managers are of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties and act with honesty, integrity and independence of mind, according to Law 4261 and BoG Act 224/1/21.12.2023.

The BoD must also possess adequate collective knowledge, skills and experience to be able to understand the credit institution’s activities, including main risks. The overall composition of the BoD will need to reflect an adequately broad range of experience.

The key function holders – namely, the head of internal audit, head of risk management, head of compliance, chief financial officer, internal audit committee’s members and money laundering reporting officer (MLRO) – are also subject to the above criteria and the fit and proper assessment by the BoG/ECB (as the case may be). The fit and proper assessment must be carried out in accordance with BoG Act 224/1/21.12.2023.

More specifically, the persons appointed to hold any of the above positions must submit to the BoG, through the credit institution, a completed questionnaire on the fit and proper assessment of the BoD members and key function holders.

BoD Roles and Responsibilities

The BoD bears the ultimate and general responsibility for the credit institution, defines, oversees and is accountable for the implementation of governance arrangements that ensure effective and prudent management of the credit institution, including the segregation of duties in the organisation and the prevention of conflicts of interest. The duties of the BoD are clearly defined to distinguish between its executive and supervisory functions, including the separation of the duties of the Chairman of the BoD from the executive duties of the CEO. In summary, the BoD:

• has overall responsibility for the credit institution and approves and oversees the implementation of the credit institution’s strategic objectives, overall business strategy, risk strategy, risk appetite;
• establishes an adequate and effective internal governance framework and internal control framework that includes a clear organisational structure and ensures the proper functioning of independent risk management, compliance and internal audit functions and adopts key policies in accordance with the applicable legal framework, taking into account the long-term financial interests and solvency of the credit institution;
• ensures the integrity of the accounting and financial reporting systems, including financial and operational controls and compliance with the law and relevant standards;
• oversees the process of disclosure and communications to third parties and the Bank of Greece; and
• is responsible for providing effective oversight of senior management, including monitoring and controlling their performance at individual and collective level, as well as the implementation of the institution’s strategy and objectives.

The new BoG Act provides for specific duties and responsibilities of BoD members, distinguishing between the executive and non-executive members.

The remuneration requirements applicable to Greek credit institutions are in line with the provisions of CRD IV (as amended), which have been transposed into Law 4261.

According to Law 4261, when establishing and applying the remuneration policies for categories of staff whose professional activities have a material impact on the credit institution’s risk profile, credit institutions should apply the requirements in a manner that is appropriate to their size, internal organisation and the nature, scope and complexity of their activities.

The staff whose professional activities have a material impact are the following:

• all members of the BoD and senior managers;
• staff members with managerial responsibility over the credit institution’s control functions or material business units; and
• staff members entitled to significant remuneration in the preceding financial year, provided that the following conditions are met:
1. the staff member’s annual remuneration is equal to or greater than EUR500,000 and equal to or greater than the average remuneration awarded to the institution’s BoD members and senior managers; and
2. the staff member performs the professional activity within a material business unit and the activity is of a kind that has a significant impact on the relevant business unit’s risk profile.

In addition, credit institutions should conduct a self-assessment each year in order to identify all staff whose professional activities have or may have a material impact on the credit institution’s risk profile.

The requirements under Law 4261 are supplemented by Greek Law 4548/2018 on sociétés anonymes and BoG Act 231/1/15.07.2024 transposing in Greece EBA Guidelines on sound remuneration policies along with the governance requirements set out in the BoG Act 243.

Credit institutions must adopt remuneration policies and practices that promote sound and effective risk management and do not encourage risk-taking that exceeds the level of tolerated risk of the institution. More specifically, credit institutions must adopt remuneration policies for all staff as part of their internal governance arrangements and remuneration policies for identified staff (ie, staff whose professional activities have a material impact on the credit institution’s risk profile). In particular, for identified staff, the alignment of remuneration incentives with the credit institution’s risk profile is crucial. Credit institutions should operate a gender-neutral remuneration policy.

The remuneration policy should specify all components of remuneration and also include the pension policy, covering, where relevant, the framework for early retirement, as well as the ratio between fixed and variable pay. In addition, credit institutions should consider which requirements of the remuneration policy on variable remuneration for identified staff should be included in the remuneration policy for all staff; the policy must be consistent with the objectives of the institution’s business and risk strategy, including ESG related objectives.

The non-executive BoD members must adopt and periodically review the remuneration policy and are responsible for overseeing its implementation.

Credit institutions are also subject to reporting obligations toward the BoG.

Greek credit institutions are subject to Greek AML/CFT legislation, which is in line with the EU AML/CFT legislation. More specifically, the main legal basis is Greek Law 4557/2018 on “prevention and combatting of money laundering and terrorist financing and other provisions”, as amended and in force (“the AML Law”). This implements the following in Greece: Directives 2015/849/EU (4th AML Directive), 2018/843/EU (5th AML Directive) and 2018/1673/EU. The AML Law is supplemented by Decision No 281/5/17.3.2009 of the BoG’s Banking and Credit Committee specifying the obligations of credit, financial and payment institutions under the AML Law, as amended and in force (“the AML Decision”) and by other BoG acts as well as by-laws and guidelines adopted at EU level (such as EBA Guidelines on ML/TF risk factors and customer due diligence).

More specifically, Greek credit institutions are required to adopt AML policy and procedures in accordance with the Greek AML/CFT legislation. These include risk-based assessment and risk management practices, customer due diligence, suspicious transactions reporting, sanctions screening, employees’ training, record-keeping, internal control and compliance management, such as the appointment of an MLRO (and their deputy) on the basis of their integrity, status, academic background, experience in the relevant field and credit institution’s operations. One executive BoD member must also be designated as the member responsible for the credit institution’s compliance with the applicable AML/CFT framework.

Greek credit institutions must carry out customer due diligence (CDD) measures at least when:

• establishing a business relationship;
• carrying out occasional transactions exceeding certain thresholds; and
• there is a suspicion of money laundering or terrorism financing, as well as when there are doubts about the identification data previously obtained.

CDD also involves the ongoing monitoring of the business relationship.

In the context of the CDD measures, the verification of the relevant data of natural persons may be carried out either on the basis of original documents issued by reliable and independent authorities, or, with the explicit and special consent of the natural person, through the transmission of such documents via the electronic platform “eGov-KYC” of the Single Digital Portal of Public Administration. Similarly, a new electronic platform “eGov-Know Your Business” was set up with respect to the verification of data of legal entities, and the verification of the relevant data of legal entities may now be carried out either on the basis of original documents issued by reliable and independent authorities or, with the explicit and special consent of their legal representative, through the transmission of such documents via this platform.

In addition, BoG Act 172/1/29.05.2020, which takes into account the European Supervisory Authority’s joint opinion on the use of innovative solutions in the CDD process, sets out the terms and conditions for remote electronic identification of natural persons establishing a business relationship with credit institutions in the context of the application of CDD measures provided for in the AML framework. The above Act is amended by BoG Act 244/5/25.07.2025, which introduced the unattended video-call with asynchronous human review in addition to the previously adopted methods of videoconference and dynamic-selfies.

The Hellenic Deposit and Investment Guarantee Fund (HDIGF or, in Greek, TEKE) is the operator of three distinct schemes:

• the deposit guarantee scheme;
• the investment compensation scheme; and
• the resolution scheme of Greek credit institutions.

TEKE is governed by Greek Law 4370/2016, as amended (Law 4370), which transposes into Greek law, among others, the Directive on Deposit Guarantee Schemes (Directive 2014/49/EU). TEKE is supervised by the Ministry of Finance.

According to Law 4370, all Greek credit institutions (including their foreign branches) and Greek branches of credit institutions incorporated outside the EU must become members of the deposit coverage scheme held with TEKE. Such participation automatically activates the participation of credit institutions in the TEKE resolution scheme.

Branches of credit institutions incorporated in another EU member state do not participate in TEKE, as they are covered by the Deposit Guarantee Scheme of the respective member state where their registered office is located (home member state). Participation in the investor compensation scheme, which is another department of TEKE, is also mandatory for Greek credit institutions. However, Greek branches of EU member states’ credit institutions may also request to participate in the investor compensation scheme of TEKE for supplementary coverage.

Covered Deposits

TEKE covers deposits held by natural persons or legal entities, irrespective of the currency (eg, deposits in savings accounts, current accounts and time deposits). However, certain deposits are not eligible and are therefore excluded from the coverage protection, namely:

• deposits made by other credit institutions or investment firms on their own behalf and for their own account;
• credit institutions’ own funds;
• deposits arising out of transactions in connection with which there has been a criminal conviction for money laundering;
• deposits by financial institutions, (re-)insurance undertakings, collective investment undertakings, social security funds and occupational pension funds, public authorities and by TEKE;
• debt securities issued by a credit institution and liabilities arising out of own acceptances and promissory notes; and
• deposits where the holder or beneficiary has never been identified.

The maximum level of coverage is set to EUR100,000 per depositor, per credit institution (irrespective of the number of deposit accounts held in the credit institutions, the currency of such deposits and the location of such deposit accounts) with certain limited exemptions where the compensation may be up to EUR300,000 (eg, for sale or expropriation of private residential property, payment of a lump-sum retirement benefit or periodical pension benefits, compensation due to termination of employment, etc).

Funding of Scheme

An initial contribution must be paid by credit institutions joining the Deposit Compensation Scheme (DCS) of TEKE, within one month from the date on which they become members, which is calculated on the basis of Law 4370 and in any case cannot be higher than 8% of the credit institution’s own funds. New members pay the initial contribution in three annual instalments by crediting the dedicated DCS account with the BoG. Regular contributions are paid by credit institutions on an annual basis. The key factors to be considered for calculating the annual regular contributions are the amount of covered deposits and the degree of risk assumed by each credit institution. Within 20 calendar days from the beginning of every year, each credit institution must transmit to TEKE an annual list with the amount of its covered deposits as at the last day of each calendar quarter of the preceding year. By 30 September every year, credit institutions must also submit to TEKE the data specified by TEKE and refer to the last day of the preceding year, for the purpose of determining the degree of risk assumed by that credit institution. Extraordinary contributions are paid if the available funds of the DCS are not sufficient to compensate depositors. Extraordinary contributions must not exceed 0.5% of the covered deposits of each credit institution per calendar year. Higher contributions may be specified by a decision of TEKE’s BoD, with the consent of the BoG.

Capital Adequacy Requirements

The CRR and CRD IV (transposed into Law 4261) set out the capital adequacy requirements for credit institutions implementing, to some extent, the respective Basel III standards. Law 4799/2021 has transposed CRD V and BRRD II in Greece. As set out above in 1.1 Key Laws and Regulations, the EU Commission adopted the latest banking package in relation to the capital and prudential regime for credit institutions (CRR 3 and CRD VI), in order to be fully aligned with the Basel III framework and we still anticipate the transposition of CRD VI into Greek law.

Greece-based credit institutions are required to have a minimum paid-up initial capital of EUR18 million. The initial capital, which consists of the minimum initial capital required and any additional capital contributed in the authorisation process, may be covered by cash contributions and contributions in kind as per BoG Act 229/2/10.05.2024. The initial capital required must be entirely paid in cash.

The capital resources that a credit institution is required to maintain may be constituted by a mixture of common equity Tier 1 Capital, Additional Tier 1 Capital and Tier 2 Capital. The CRR contains detailed legal and technical requirements for eligibility of capital instruments. As regards liquidity requirements, the CRD IV and CRR, as amended, provide for quantitative liquidity standards, including the liquidity coverage ratio (LCR) and the net stable funding ratio (NSFR).

In particular, credit institutions must at all times satisfy the following own-funds requirements (which are expressed as a percentage of the credit institutions’ total risk exposure):

• a common equity Tier 1 Capital ratio of 4.5%;
• a Tier 1 capital ratio of 6%;
• total capital ratio of 8%; and
• a leverage ratio of 3%.

Buffer Requirements

The CRR 2 also introduced a leverage ratio buffer requirement for institutions identified as global systemically important institutions (G-SIIs) applicable as of 1 January 2023. The EU Commission was mandated (under Article 513(e) CRR) to assess whether such a buffer should be extended to other systemically important institutions (O-SIIs). On 16 February 2021, the EU Commission issued a report concluding that it does not consider it appropriate to introduce a leverage ratio surcharge for O-SIIs for the time being.

The combined buffer requirement includes the capital conservation buffer, the counter-cyclical capital buffer, the G-SIIs buffer, the O-SIIs buffer and the systemic risk buffer. Α capital conservation buffer of 2.5% of a credit institution’s total exposures should be maintained so that credit institutions are able to avoid breaches of minimum capital requirements during periods of stress. Within the context of its macro-prudential supervision, the BoG is responsible for setting the counter-cyclical capital buffer rate for Greece on a quarterly basis.

From 1 January 2016 until 2024, the BoG kept the counter-cyclical capital buffer rate for Greece at 0% (ie, at the lowest end of the permissible range), thus not affecting the capital requirements of credit institutions. However, in 2024 the BoG adopted Act 235/2/7.10.2024 providing that the counter-cyclical capital buffer rate would be set at 0.25% as of 1 October 2025. The counter-cyclical capital buffer rate will be set at 0.5% as of 1 October 2026 by virtue of BoG Act 248/1/06.10.2025.

The O-SII buffer consists of common equity Tier 1 Capital. Its rate is set by the BoG at a level of up to 2% of the total risk exposure amount and is reviewed at least once a year. The BoG has defined that the four Greek systemic credit institutions qualify as O-SIIs and set the applicable O-SII buffer rates (1.25% for Eurobank Ergasias Services and Holdings S.A. at consolidated level and 1% for all O-SIIs for 2026). The BoG has decided not to activate the systemic risk buffer and the global systemic institutions buffer. It has additional macro-prudential tools to apply towards credit institutions. In this respect, in March 2024, the Bank of Greece enacted binding borrower-based measures (BBMs) for loans and other credit to natural persons secured by residential real estate (RRE) located in Greece, which have been applicable as of 1 January 2025.

Supervisory Review and Evaluation Process

Credit institutions are required to assess the adequacy of their own capital through the Internal Capital Adequacy Assessment Process, which is then subject to review by the regulator in the context of the Supervisory Review and Evaluation Process (SREP) where the results from the stress tests are also assessed. The competent authorities will review the arrangements, strategies, processes and mechanisms implemented by the credit institutions to comply with Law 4261 and CRR and evaluate: (a) risks to which the credit institutions are or might be exposed; (b) risks revealed by stress testing taking into account the nature, scale and complexity of a credit institution’s activities; and (c) risks revealed by digital operational resilience testing in accordance with Chapter IV of DORA.

The BoG or the ECB may impose additional capital requirements in the context of the SREP assessment, if such evaluation reveals major deficiencies or in other cases provided by law. In particular, the Pillar Two requirement (P2R), which is determined on the basis of the SREP, is a credit institution-specific capital requirement which applies additionally in order to cover risks that are underestimated or not covered by the minimum capital requirement. The SREP underwent significant reform in 2024, which will be fully implemented by 2026. The P2R methodology is under review for further simplification and transparency. The capital the ECB or BoG asks credit institutions to keep based on the SREP also includes the Pillar Two Guidance (P2G), which indicates to credit institutions the adequate level of capital to be maintained to provide a sufficient buffer to withstand stressed situations. Unlike the P2R, the P2G is not legally binding.

Additional Own Funds Requirements

Following the transposition of the CRD V into Greek law, the competent authority may impose additional own funds requirements in accordance with Articles 104a et seq of CRD VI (and respective Articles 96A et seq. of Law 4261). In addition, credit institutions are obliged to set their internal capital at an adequate level of own funds sufficient to cover all the risks expected to be covered by a credit institution, and to ensure that the credit institution’s own funds can absorb potential losses resulting from stress scenarios, including those identified under the supervisory stress test. Guidance on additional own funds is provided to credit institutions by the competent authorities. The quantitative capital requirements under CRD IV and CRR are supplemented by the obligation under the BRRD as amended by BRRD II for credit institutions to satisfy at all times a minimum requirement for own funds and eligible liabilities (“MREL”), which is determined by the competent resolution authority on an annual basis (on a credit institution-specific basis). The target for the MREL requirement (as determined under the BRRD II by the resolution authority) is composed of a loss-absorption amount (LAA), which includes the sum of the Pillar One requirement and the Pillar Two requirement as determined by the competent authority, and any requirement in relation to the leverage ratio and a recapitalisation amount (RCA). Greek credit institutions have already taken initiatives to meet the MREL by the end of 2025 (ie, they have issued in recent years Additional Tier 1 capital instruments (AT1) and Tier 2 capital and senior unsecured bonds, which are also an additional source of funding).

By way of update, Law 4335/2025 was amended in 2025 by virtue of Law 5193/2025 that transposed in Greece Directive (EU) 2024/1174 amending BRRD as regards certain aspects of the minimum requirement for own funds and eligible liabilities (eg, to ensure that the possibility to comply with the internal MREL on a consolidated basis is available only in relevant cases and does not lead to a shortage of internal MREL eligible resources across the resolution group, the power to set the internal MREL on a consolidated basis for intermediate entities should be a discretionary power of the resolution authority subject to certain conditions set out thereunder).

Resolving a Failing Credit Institution – Resolution Measures

Greek Law 4335/2015, as amended (Law 4335), incorporated the provisions of Directive 2014/59/EU (BRRD) into Greek legislation and set out the legal framework for the recovery and resolution of credit institutions. This was amended in 2021 by Law 4799/2021, transposing the BRRD II into Greek law, and further updated in 2025 by Law 5193/2025, which transposed Directive (EU) 2024/1174 amending BRRD as regards certain aspects of the minimum requirement for own funds and eligible liabilities. The BRRD (as amended by BRRD II and Directive (EU) 2024/1174) is, in general, in line with the FSB Key Attributes of Effective Resolution regime, which is a soft law.

In the case of a credit institution failure, the provisions of Law 4335 are applicable. More specifically, the credit institution’s BoD, which considers the credit institution to be failing or likely to fail on the basis of certain objective criteria, must notify, without undue delay, the BoG in accordance with Law 4335 and the Bank of Greece Act No 111/2017.

At an earlier stage in the deterioration of a credit institution’s financial conditions, the resolution authorities may adopt one of the early intervention measures provided in Law 4335 (eg, to require the BoD of the credit institution to implement one or more of the arrangements or measures set out in the recovery plan or to require one or more members of the management body to be removed or replaced). The BoG has already endorsed the EBA guidelines on recovery plan indicators (BoG 222/1/2.11.2023). In addition, the competent resolution authority may take a resolution action where all the following conditions are met, regardless of whether an early intervention measure has been adopted:

• the credit institution is failing or likely to fail;
• there is no reasonable prospect that any alternative private sector measures or supervisory action would prevent the failure of such credit institution within a reasonable timeframe; and
• a resolution action is necessary in the public interest.

In particular, the resolution authorities may use one or more of the following resolution tools:

• the power to transfer to a purchaser shares or other instruments of ownership issued by (or all of any assets, rights or liabilities of) the credit institution under resolution (the “sale of business” tool);
• the power to transfer to a bridge institution, which shall be a legal person that is wholly or partially owned by one or more public authorities and controlled by the resolution authority, shares or other instruments of ownership issued by (or all of any assets, rights or liabilities of) the credit institution under resolution (the “bridge institution” tool);
• the power to transfer the assets, rights or liabilities of the credit institution under resolution or of a bridge institution to one or more asset management vehicles (the “asset separation” tool); or
• the write-down and conversion powers in relation to the liabilities of a credit institution under resolution (“bail-in” tool).

Other measures can be used to the extent that they conform to the principles and objectives of the resolution set out under the BRRD. In circumstances of extraordinary systemic crisis, the credit institution’s resolution may, as a last resort, involve government financial stabilisation tools consisting of public equity support and temporary public ownership tools. These measures would nonetheless only become available if certain conditions are met, including that the credit institution’s shareholders and creditors bear losses equivalent to 8% of the credit institution’s liabilities.

A special commissioner may be appointed by the resolution authorities to replace the BoD of the credit institution under resolution.

Principles – Protection of Depositors

When applying the resolution tools and exercising the resolution powers, the resolution authorities should take into account certain principles provided under the BRRD, including that:

• the shareholders of the credit institution under resolution bear first losses;
• the creditors of the credit institution under resolution bear losses after the shareholders in accordance with the order of priority of their claims under normal insolvency proceedings, save as expressly provided otherwise in Law 4335;
• the creditors of the same class are treated in an equitable manner (unless otherwise provided);
• no creditor shall incur greater losses than would have been incurred if the credit institution had been wound up under normal insolvency proceedings; and
• the covered deposits are fully protected.

In any case, the eligible deposits held with the credit institutions will be protected up to EUR100,000 (covered deposits) and are therefore excluded from the scope of application of the bail-in tool.

If the credit institution’s authorisation is revoked, the credit institution will be mandatorily placed under a special liquidation in accordance with Law 4261. The provisions of the Greek Bankruptcy Code (Law 4738/2020, as amended) may apply additionally to the provisions of the special liquidation of a credit institution, to the extent that they do not contradict Article 145 et seq of Law 4261 or any delegated BoG acts. Article 145a of Law 4261, as amended, among others, by Law 5193/2025, provides the hierarchy of claims in the special liquidation of credit institutions. Law 3458/2006, as amended, incorporates Directive 2001/24/EC in Greece and provides for the special liquidation procedure applicable to credit institutions.

Law 5193/2025 introduced important clarifications to the resolution framework, including the distinction between the term “resolution entities” (ie, the entities for which the resolution plan provides for resolution measures) vis-à-vis “liquidation entities” (ie, the entities intended to be liquidated under normal insolvency proceedings).

The shift towards a greener and more sustainable economy has become a key priority at a global and EU level. Following the publication of the 2030 Agenda for Sustainable Development by the UN General Assembly (in 2015), setting out the core sustainable development goals (SDGs), the EU Commission took these SDGs into account in the next steps towards a sustainable EU future, and presented the European Green Deal in 2019, part of which is a European green investment plan that aims to establish a framework to facilitate the public and private investments needed for the transition to a climate-neutral, green, competitive and inclusive economy. A series of legislation and other initiatives in relation to sustainable finance and environmental, social and corporate governance (ESG) factors have also been published at EU level.

ESG has evolved and moved from the sidelines to the forefront of decision-making for an increasing number of credit institutions and investors when making investment decisions in the financial sector, which leads to increased longer-term investments into sustainable economic activities and projects.

In the banking sector, the main regulatory and legislative initiatives are the following at EU and local level.

EU Level

After setting sustainable development as a key pillar of its strategy, the EU is aiming to become the first climate-neutral continent. It is already developing a strategy to achieve this goal, while aligning its funding framework with the global SDGs. The EU has developed a targeted framework of actions to finance sustainable growth (EU Action Plan on Financing Sustainable Growth) structured around three main pillars (with ten sub-actions), namely: reorienting capital flows towards a more sustainable economy; mainstreaming sustainability into risk management; and fostering transparency and “long-termism”.

In the framework of the European Green Deal, the EU urges businesses, and public authorities to orient themselves towards economic activities that have a lasting positive impact on the environment and that are either environmentally sustainable or contribute to the transformation of activities to become environmentally sustainable. In this respect, companies (including credit institutions) are already subject to extensive non-financial disclosure requirements and need (or will need) to comply with additional disclosure and organisational requirements in light of Regulation (EU) 2020/852 (“Taxonomy Regulation”) and include in their non-financial disclosures information on how and to what extent their activities are associated with economic activities that qualify as environmentally sustainable. The Taxonomy Regulation has been supplemented, inter alia, by Delegated Regulation (EU) 2021/2139, which established, inter alia, the technical screening criteria for determining the conditions under which an economic activity qualifies as contributing to climate change mitigation. In addition, Regulation (EU) 2019/2088, as amended by the Taxonomy Regulation (“Sustainable Finance Disclosures Regulation”), Regulation (EU) 2019/2089 on sustainability benchmarks, Regulation (EU) 2023/2631 on European Green Bonds (EUGBS), Directive (EU) 2022/2464 on corporate sustainability reporting (CSRD), and the recently adopted Directive (EU) 2024/1760 on corporate sustainability due diligence (CSDDD), frame the main ESG framework in the EU. EU credit institutions must disclose information on ESG issues in accordance with the aforementioned legislation (including the EBA technical standards). The adoption of the EU Omnibus Directive, which aims to modify and simplify the CSRD and other sustainability legislation, is also anticipated.

Credit institutions, like other financial sector participants, are therefore required to adjust their business models and develop plans to align their balance sheets with this transition to the sustainable economy, as well as to monitor and comply with the ESG legislative developments taking into account the legislative developments.

As of 2024, credit institutions have to disclose their green asset ratio as an indication of their degree of alignment with the EU Taxonomy. Regular climate stress tests are expected to take place on the basis of guidelines on institutions’ ESG risks stress testing. In January 2024, the ECB announced plans to enhance its climate initiatives during 2024 and 2025. Under its 2024–2025 climate and nature plan, the ECB concentrated on addressing nature-related risks, implementing a greener monetary policy and assessing the implications and challenges associated with transitioning to a green economy, which includes evaluating investment requirements and transition costs. The ECB has also intensified its supervisory expectations regarding credit institutions’ climate and environmental risk management frameworks, requiring more granular reporting on transition risks and physical climate risks.

One of the most significant legislative initiatives at EU level is the EU banking package implementing the Basel III framework, and, more specifically, CRR III and CRD VI adopted by the European Parliament in May 2024 to fully apply the Basel III standards. This banking package includes provisions going beyond Basel III, such as credit institutions’ obligations to identify, disclose and manage ESG risks at individual level. The transposition of CRD VI in Greece is thus expected in the coming months. ESG risks are a pivotal aspect to be monitored in line with the newly introduced risk management framework.

National Level

In general, Greece follows the path adopted by the EU, since the majority of EU provisions are adopted in the form of regulations which are directly applicable throughout the EU. In the same way, in 2021, the BoG established the Climate Change and Sustainability Centre (CCSC) to build on the work initiated by the previous Climate Change Impacts Study Committee (CCISC). The focus of the BoG is turning towards the compliance of credit institutions with the ESG principles and requirements, taking into account the reports and guidelines of EU regulators. The implementation of relevant directives, such as the Corporate Sustainability Reporting Directive, is expected to happen soon in Greece.

In investment services, the Bank of Greece Executive Committee Act 234/3/23.9.2024 updates the national legal provisions transposed by Commission Delegated Directive (EU) 2017/593 on the safeguarding of financial instruments and funds belonging to clients, product governance obligations and the rules applicable to the provision or reception of fees, commissions or any monetary or non-monetary benefits, as amended by Commission Delegated Directive (EU) 2021/1269 with respect to the integration of sustainability factors into product governance obligations.

In addition, Greece’s first climate law (Law 4936/2022) was enacted in May 2022 by the Hellenic parliament with the aim of establishing a coherent framework for improving climate resilience in Greece. Under this law, many undertakings, including credit institutions, are bound by carbon reporting obligations. The reports are to be uploaded to a publicly accessible electronic database operated by the Organisation of Natural Environment and Climate Change. In addition, the CSRD was transposed into Greek law in December 2024 with increased non-financial reporting obligations.

In December 2022, Regulation (EU) 2022/2554 (Digital Operational Resilience Act, DORA) was adopted and applies as of 17 January 2025. Law 5193/2025 on strengthening of capital markets and other provisions was published provided for the supplementing measures relating to DORA.

Through the creation of a unified regulatory framework, DORA aims to boost credit and other institutions’ resilience against cyber threats through the implementation of stringent cybersecurity measures, regular risk assessments, the reporting of cyber incidents to the relevant authorities, and by addressing operational failures and IT disruptions. The key pillars of DORA that should be observed by credit institutions include the following:

• Governance: Credit institutions’ BoD will have ultimate responsibility for managing ICT (Information and Communication Technology) risk and adopting policies to maintain high standards of data availability, authenticity, integrity, and confidentiality. They are responsible for defining roles and governance structures, and ensuring effective communication within ICT functions. The BoD will approve the digital operational resilience strategy, including risk tolerance levels, and oversee ICT business continuity and recovery plans. Management bodies will review ICT audits, allocate the necessary budget for resilience needs, including staff training, and approve policies related to ICT third-party service providers. Finally, credit institutions must establish reporting channels to monitor changes or incidents.
• ICT Risk Management: Credit institutions need to implement a sound, comprehensive and well-documented ICT risk management framework. In this respect, they must adopt plans, policies, procedures, protocols and tools to identify any potential ICT threat, protect both their digital and physical infrastructure, detect incidents in a timely manner, respond effectively, and recover without major disruptions.
• Testing: A digital operational resilience testing programme is required as part of the ICT risk management framework to assess readiness for handling ICT-related incidents, and must include tests such as vulnerability assessments, penetration checks and scenario-based evaluations. These will be performed by independent parties, and identified issues will be prioritised, remedied, and validated. Critical functions must be tested at least annually, while advanced testing must be conducted every three years, covering critical ICT functions, including outsourced services.
• ICT-Related Incidents Management and Reporting: DORA further outlines the requirements for reporting major ICT-related incidents (which must be classified as per the criteria provided thereunder) by using the relevant templates. Credit institutions must report such incidents to the relevant competent authority. The reports of significant credit institutions must be immediately transmitted by the national competent authorities to the ECB. Outsourcing reporting will be allowed, but responsibility will remain with the credit institution. Voluntary notification of significant threats to cybersecurity is provided under DORA.
• ICT Third-Party Risk Management: DORA also governs the management of ICT third-party risk, emphasising that credit institutions must integrate ICT third-party risk management into their overall ICT risk management framework. When outsourcing services to ICT third-party service providers, the institution remains fully responsible for compliance with DORA requirements. In addition, credit institutions must maintain a register of all ICT contracts, assess risks before entering into such agreements, ensure service providers meet high security standards, and have audit and inspection rights. Therefore, their outsourcing arrangements will need to be re-assessed on this basis. Outsourcing agreements should include specific provisions under DORA (including clear service descriptions, security requirements, and exit strategies to minimise disruptions in the event of termination) in addition to existing outsourcing requirements. Additionally, concentration risks and subcontracting must be carefully evaluated, particularly when dealing with providers in third countries.

In summary, DORA represents a significant shift in how credit and financial institutions manage their digital operations and risks in an increasingly tech-driven environment. It aims to ensure that institutions are better prepared to handle disruptions and cyber threats, while holding them more accountable for their ICT systems’ resilience and third-party dependencies. Therefore, credit institutions need to implement the appropriate policies, procedures and measures to ensure compliance with the new requirements.

The BoG was designated as the DORA competent authority for (less significant) credit institutions established in Greece, and was granted the necessary supervisory and investigative powers (including on-site inspections) for ensuring credit institutions’ compliance with DORA and its delegated acts. In this regard, the BoG may impose administrative sanctions, including fines of up to 10% of total net turnover, including gross income, for supervised financial sector entities, or up to EUR5,000,000 for natural persons, or up to twice the amount of the benefit derived from the infringement, as well as revocation of the supervised institution’s licence. The BoG may also impose the removal or dismissal of the board members or key function holders from the position held within the credit institution.

At national level, the most significant changes that took place in 2025 were as follows:

BoG Supervisory Fees

The BoG passed a large number of Acts that change the regulatory landscape and must be complied with by credit institutions. Most importantly, for the first time, the Bog decided to introduce (initial and ongoing) supervisory fees applicable to credit institutions as of 1 January 2026.

Corporate Governance

The BoG has also reshaped the corporate governance requirements of credit institutions. These are now subject to more robust internal organisation and corporate governance requirements, in line with the EBA Guidelines. BoG Act 243, replacing BoG Governor’s Act 2577/2006, entered into force as of 14 July 2025 and provides for a transitional implementation period, with credit institutions having to adjust their internal governance arrangements no later than 1 October 2025, with less significant institutions obliged to comply with the minimum number of independent non-executive BoD members until 1 January 2026. Credit institutions should therefore already have performed a gap analysis of the new requirements against their current governance, risk management, and internal control frameworks in order to update their policies and procedures and ensure that the BoD composition (particularly independent non-executive members) and committee structures comply with mandatory requirements by the relevant deadlines.

It is worth mentioning that the EBA has completed a consultation on proposed revisions to its guidelines on internal governance under the Capital Requirements Directive (CRD) that were recently endorsed by the BoG. The revisions form part of the EBA’s broader roadmap for implementing the EU Banking Package and reflect changes introduced by CRD VI, DORA and other legal texts.

Law 5193/2025

Law 5193/2025 on strengthening the capital markets legal framework brought significant changes for Greece with the aim of making its capital market more attractive to investors.

The law also established the national legislative framework necessary to supplement DORA and MiCAR, including the designation of competent authorities and the attribution of relevant powers to such authorities.

The following legal developments are expected at national level in the next few months:

Consumer Credit

In October 2023, Directive (EU) 2023/2225 (Consumer Credit Directive 2) was published to reform the existing consumer credit regime which applies to credit institutions and other financial institutions providing consumer loans. Creditors (and especially Buy-Now-Pay-Later (BNPL) providers and leasing providers), as well as credit intermediaries that did not previously fall within the scope of the consumer credit regime under Directive (EU) 2008/48, will have to re-assess their model, since Consumer Credit Directive 2 provides for a broader scope of application and types of credit previously exempt (such as BNPL, as well as leasing agreements where an obligation or an option to purchase the object of the agreement is laid down) will be brought into the scope of the new regime. This may trigger licensing/registration as well as disclosure and transparency requirements towards such entities.

In Greece, the granting of any type of credit in a professional capacity is already a regulated activity and thus licensing requirements are, in principle, triggered by the persons offering such activities. However, market participants must re-assess their business operations and identify any new requirements stemming from the new legal framework that must be complied with.

EU member states were required to transpose Consumer Credit Directive 2 into their national law by 20 November 2025, with the new measures taking effect from 20 November 2026. In Greece, a working group was established, and the preliminary lawmaking procedure was completed in summer 2025. The Ministry of Development is expected to approve the final draft law before its publication to open consultation and adoption of the law by the Hellenic Parliament.

Financial Services Contracts Concluded at a Distance

The transposition into Greek law of Directive (EU) 2023/2673 is also expected, which will repeal Directive 2002/65/EC concerning the distance marketing of consumer financial services and amend Directive 2011/83/EU by extending its scope to cover financial services contracts concluded at a distance. The changes introduced by Directive (EU) 2023/2673 will affect the terms and conditions of credit institutions that should be revised and adjusted to the new requirements.

EU member states must transpose Directive (EU) 2023/2673 into their national law by 19 December 2025, with the new measures taking effect from 19 June 2026. In Greece, a working group was set up, and the preliminary lawmaking procedure was completed; we are expecting the draft law to be published soon for consultation.

Instant Payments Regulation

Regulation (EU) 2024/886 amending, inter alia, Regulations (EU) 260/2012 and (EU) 2021/1230 as regards instant credit transfers in euros was adopted in order to force credit institutions to offer instant payments in euros at no extra cost and enable the speedy transfer of money at any time (24 hours a day).

In addition, as of 9 October 2025, payment service providers in the EU have been required to offer payers a “Verification of Payee” (VoP) service (free of charge) prior to authorising a credit transfer. Payers who do not qualify as consumers may waive this VoP service.

We are anticipating the adoption of local laws and administrative provisions to supplement such Regulation.

Notwithstanding the above, Greek law 4446/2016, as recently amended, with the aim of fighting tax evasion, requires merchants accepting cards to enter into contracts with duly licensed payment service providers. In addition, as of 1 December 2025, legal entities acting as payees, in the context of transactions with payers (acting outside their trade, business or profession), are required to accept payments through an instant payment service (which is a payment service that allows a credit transfer to be executed immediately, 24 hours a day, on any calendar day, with immediate or almost-immediate settlement). This is linked with the promotion of instant payment service of IRIS offered currently in Greece by payment services providers that cooperate with DIAS SA (the Greek automated clearing house).

The EU Banking Package

One of the most significant legislative initiatives at EU level is the adopted EU banking package implementing the Basel III framework, and, more specifically, CRR III and CRD VI adopted by the European Parliament in May 2024 to fully apply Basel III standards.

The new provisions aim to ensure that EU credit institutions become more resilient to potential future economic shocks, while also contributing to the EU’s recovery from the COVID-19 pandemic and the transition to climate neutrality. There are also provisions going beyond Basel III, such as credit institutions’ obligations to identify, disclose and manage ESG risks at individual level, the harmonised framework in relation to fit and proper assessment of key function holders, and a new common framework in relation to third-country institutions’ branches due to their material footprint in the EU. It is important to note that third-country undertakings wishing to offer “core banking services” in an EU member state will need to assess their model of operation and seek legal advice in order to evaluate whether they will trigger a third-country branch authorisation requirement under CRD VI.

CRD VI introduces stricter notification and approval requirements for certain transactions relating to mergers and acquisitions of credit institutions and financial holding companies. It is interesting to see whether and how the above will affect the existing local legal framework, since Greek law 2515/1997, as recently amended, among others, by law 5222/2025, includes a procedure and requires the Bank of Greece’s approval for any type of corporate transformation (mergers and, under certain thresholds, demergers/spin-offs) according to the provisions of law 2515/1997, for the credit institutions and financial institutions supervised by the BoG.

CRD VI must be transposed into Greek law by 10 January 2026, and it will be generally applicable from 11 January 2026. However, the provisions on third-country branches will be applicable one year later, on 11 January 2027.

In addition, credit institutions must closely monitor the following legal developments at EU level. 

Payment Services

The completion of the legislative procedure for the adoption of the Payment Services Directive (PSD3), Payment Services Regulation (PSR) and Regulation on a Framework for Financial Data Access (FIDA) is envisaged to take place in the next couple of months. The package aims, inter alia, to contribute to further harmonisation and the consistent application of legal requirements, avoiding regulatory arbitrage and ensuring a level playing field between the different types of payment-service providers.

AML/CFT Rules

On 19 June 2024, the EU introduced new legislation to strengthen its AML/CFT framework through an ambitious legislative package comprising Regulation (EU) 2024/1620 (“AMLA Regulation”), Regulation (EU) 2024/1624 (“AML Regulation”) and Directive (EU) 2024/1640 (“6th AML Directive”), with the aim of harmonising AML/CFT rules across EU member states, enhancing supervision and enforcement, and increasing transparency in financial transactions. In summary, a new EU authority dedicated to AML/CFT (AMLA) was established, anti-money laundering rules were for the first time thoroughly harmonised throughout the EU, new obliged entities and stricter due diligence measures were introduced, and clearer rules were set on how financial intelligence units (FIUs) and supervisors work together. The majority of the new AML measures will apply as of 10 July 2027.

Savings and Investment Union

Finally, one important EU strategic objective that must be monitored is around the savings and investment union, a horizontal enabler that will create a financing ecosystem to benefit investments.

In this respect, credit institutions have a central role in financing economic activity in the EU, although this proved to be a disadvantage in the aftermath of the financial and sovereign debt crisis where the need for a more diversified financial system was highlighted. To address such deficiencies, the SIU will allow EU businesses and the economy to have access to more capital and more financing options. Retail savers will have the opportunity, if they wish, to hold more of their savings in higher-yielding capital-market instruments including in view of retirement.

EU credit institutions will be on the forefront of this development, since strong credit institutions operating across borders are necessary for key capital market services, such as listing and trading. They can also play a pivotal role in encouraging retail investor participation to capital markets, mobilising their savings, and ensuring financing for businesses.