Artificial Intelligence 2026 Comparisons

A Framework in Transition

Greek legislation is starting to adapt to the AI era. Pending full rollout of the AI Act, the current regulatory framework for the protection of fundamental rights, personal data and cybersecurity is called upon to tackle the challenges posed by the accelerating adoption of AI. Liability, contract, intellectual property and a broad range of other legal institutions across private, criminal and administrative law have yet to be adapted to the introduction of AI through dedicated legislative intervention.

Institutional Momentum

Greek public bodies have been promoting the country’s entry into the AI arena, becoming the first to widely adopt and integrate AI systems – notably in immigration processing and the Hellenic Cadastre’s LLM-based property contract analysis – with further applications in pilot-phase traffic enforcement cameras and optional AI-enabled content for primary and secondary education being actively explored for imminent implementation.

This public-sector drive is reflected institutionally: the Ministry of Digital Governance was renamed to include AI in its title (June 2025), and a dedicated Special Secretariat for AI and Data Governance was established.

Law 4961/2022

Prior to the AI Act’s entry into force, Greece enacted Law 4961/2022 introducing transparency obligations, algorithmic impact assessments, AI registries and employer notification duties for AI-assisted workplace decisions. Although the AI Act takes precedence according to the primacy principle, the Greek law (never formally repealed) retains significance for AI systems below the high-risk threshold for employer disclosure duties with no direct AI Act equivalent and for registry obligations that reinforce national traceability.

AI adoption in Greece is accelerating rapidly, with a 55% year-on-year increase – the second-fastest growth rate in Europe (AWS, 2025).

Traditional ML and predictive systems remain the primary entry point for most Greek enterprises, mainly through customer support chatbots and analytics solutions. Deeper applications are emerging in shipping (fuel optimisation, predictive maintenance, regulatory compliance), the startup ecosystem (AI chips, cybersecurity, conversational AI) and public safety (eight AI-powered traffic cameras have begun their Athens pilot under Law 5256/2025, with nationwide expansion to 2,000 units planned).

Foundation models and LLMs are gaining traction in the public sector. The Hellenic Cadastre became the first government agency to deploy an LLM-based system, analysing property contracts in natural language and cutting assessment times from hours to minutes. A Digital Doctor Assistant integrated with the national health record launched in October 2025, and Law 5237/2025 enables AI tools in primary and secondary education.

Autonomous and agentic systems remain nascent. Law 4784/2021 established a piloting framework for driverless vehicles, operationalised through the Trikala autonomous bus programme and extendable to research-purpose passenger cars.

Cross-industry momentum is supported by the DAIDALOS supercomputer (EuroHPC), the PHAROS AI Factory and a government–OpenAI partnership (September 2025).

Governments seek to facilitate AI innovation through incentivising and coordinating investment, establishing a clear framework or reducing regulatory burdens, and supporting infrastructure development.

The EU prioritises governance, legal certainty, consumer protection and public investments. Through large-scale programmes such as Digital Europe and Horizon Europe, regulatory sandboxes, common data spaces, and coordinated digital infrastructure (eg, the European AI Factories initiative) it aims to encourage development and testing of innovative AI applications.

The US relies more on a private sector-led approach, promoting innovation through its leading tech industry and massive venture capital ecosystem. At federal government level, tax incentives, defence contracts and initiatives such as the CHIPS Act and targeted federal funding seek to secure the hardware foundations necessary.

China follows a state-driven model, focusing on domestic self-reliance through massive public investment, regional AI clusters, subsidies and preferential procurement under the New Generation AI Development Plan.

Other governments (UK, United Arab Emirates) offer tax incentives, regulatory sandboxes, and STEM-focused immigration policies to attract talent for their national AI industry.

Greece has adopted a hybrid regulatory philosophy toward AI, combining innovation-supporting policies with a precautionary, risk-based governance model.

In line with the EU paradigm, Greece applies stricter requirements to high-risk AI systems while allowing experimentation and innovation in lower-risk applications, emphasising human oversight, transparency, and accountability, particularly where automated decision-making affects individuals’ rights.

The overall national AI strategy follows the blueprint of international frameworks, including OECD AI Principles and EU digital governance policies, seeking to strike a balance between promoting AI innovation and protecting the rights of consumers, users and affected parties.

In Greece, AI governance is primarily shaped by the EU regulatory framework, rounded out by national legislation.

Law 4961/2022 on emerging technologies introduced early rules on the use of artificial intelligence in the public sector, focusing on transparency, accountability, and responsible deployment. The Law predates the EU AI Act, but it largely aligns with its transparency and human-centric priorities. Key obligations include mandatory algorithmic impact assessments for public entities and clear information disclosure for employees when AI affects recruitment or working conditions.

While Law 4961/2022 provides a baseline for AI regulation in Greece, the national framework will be updated to fully reflect the objectives and priorities of the EU AI Act. Currently, application of AI-related legislation is coordinated by the Ministry of Digital Governance, along with other competent authorities, such as the Hellenic Data Protection Authority and the Labour Inspectorate.

In Greece, several non-binding guidelines and strategic documents complement the formal legal framework for AI, aiming to guide and steer responsible adoption, and societally beneficial use of AI.

Key public bodies, such as the Hellenic Data Protection Authority (HDPA) and the National Bioethics & Technoethics Commission, issue guidelines and supporting material that may serve as an ethical compass for the development and application of AI, focusing on the “privacy by design” principle and the mitigation of algorithmic bias, particularly in sensitive sectors such as health and public administration.

The national strategy “A Blueprint for Greece’s AI Transformation”, developed under the National AI Task Force, provides policy directions for public administration, research, and industry, promoting principles such as human-centric AI, transparency, accountability, and alignment with European values, while encouraging investment in skills, data infrastructure, and innovation ecosystems.

The AI Act applies directly in Greece without separate transposition, following the Regulation’s phased timeline.

In November 2024, the Ministry of Digital Governance designated the list of authorities to protect fundamental rights in connection with high-risk AI systems under Article 77(2). These are:

• the Hellenic Data Protection Authority (HDPA);
• the Greek Ombudsman;
• the Hellenic Authority for Communication Security and Privacy (ADAE); and
• the Greek National Commission for Human Rights (GNCHR).

Designation of market surveillance and notifying authorities under Article 70 remains pending, and no formal act allocating competences or designating a single point of contact has been published to date.

The recently renamed Ministry of Digital Governance and AI retains the coordinating role for Greece’s adaptation to the AI Act. A dedicated Special Secretariat for AI and Data Governance was established in July 2025 to lead national AI strategy and implementation. As already discussed, Law 4961/2022, introduced prior to the AI Act, provides a baseline for AI regulation in Greece.

Greece has stated its full commitment to the EU’s vision of human-centric and trustworthy AI, balancing innovation with a high level of protection of health, safety and fundamental rights. Innovation sandboxes and testing environments are being established, linked to EU digital innovation hubs and initiatives.

In the US, AI regulation is emerging at state level, as different states adopt targeted laws to address specific risks and challenges posed by the development and implementation of AI systems, leading to a fragmented but rapidly evolving governance landscape, instead of a comprehensive federal framework.

State initiatives focus on mitigating specific harms such as algorithmic discrimination, deepfakes, and privacy violations, usually relying and/or expanding upon consumer protection and anti-discrimination frameworks. Although approaches differ, the majority of such initiatives emphasise transparency, accountability and fairness, particularly in high-impact sectors such as employment, finance and healthcare.

California remains a leader in tech-related rights and freedoms-preserving regulatory interventions, with the California Consumer Privacy Act (CCPA) granting residents rights over personal data used in automated decision-making, and deepfake disclosure. Similarly, Illinois, and New York have enacted or proposed legislation focusing on automated decision-making systems, biometric technologies, and generative AI transparency, such as the Illinois’ Biometric Information Privacy Act (BIPA). Another prominent and fairly recent example is Colorado’s Artificial Intelligence Act, a comprehensive AI law (SB 24-205), requiring developers and deployers of high-risk AI systems to implement risk management frameworks and conduct impact assessments to prevent “algorithmic discrimination”. Finally, Connecticut and Texas have established state-level inventories and ethical standards for AI use within government agencies.

Greece follows the EU legislative framework on AI, supplemented by national Law 4961/2022 regulating AI and emerging technologies and other targeted legislative interventions. This national framework, obviously less broad and comprehensive than the AI Act, focused on the safe and transparent use and deployment of AI systems by public bodies and introduced certain transparency obligations for medium and large private entities.

Besides Law 4961/2022, Greece has not yet produced further AI-specific legislation addressing data protection, copyright or content issues.

The GDPR and Law 4624/2019 (regulating additional national data protection measures) remain the applicable framework for data protection issues. Even before the AI Act’s entry into force, the Hellenic Data Protection Authority took decisive enforcement action against illegal web scraping: its 2022 Clearview AI decision imposed a EUR20 million fine for unlawful biometric data scraping, signalling that even existing instruments – principally the GDPR – can provide a basis for regulatory intervention against AI systems that compromise data security and fundamental rights.

Laws 2121/1993 and 4996/2022 (implementing the DSM Directive 2019/790) remain applicable for copyright issues. The E-Commerce Directive, the Digital Services Act (DSA) and the relevant regulatory framework also apply with regards to synthetic content.

Beyond the horizontal Law 4961/2022, there is no other imminent known AI-specific legislation. The implementing presidential decree and ministerial decisions provisioned by Article 113 also appear to have been halted. This may relate to the pending status of the Digital Omnibus on AI (COM(2025)836), which proposes targeted amendments to the AI Act including postponement of high-risk system deadlines. It recently passed the European Parliament’s committee and plenary vote and now proceeds to trilogue negotiations with the Council.

The Product Liability Directive (2024/2853), with a transposition deadline of December 2026, extends strict product liability to software and AI, treating AI system providers as manufacturers for liability purposes.

In Gema v OpenAI (2025), the Munich Regional Court held that AI training constitutes “reproduction” under German copyright law, determining that memorisation of lyrics by ChatGPT constituted unauthorised reproduction and communication to the public.

In December 2023, the UK Supreme Court reiterated earlier decisions as to the ineligibility for patent protection of inventions where there is no named human inventor.

In March 2026, the US Supreme Court again declined to take up the issue of whether art generated by artificial intelligence can be copyrighted under US law, thus reinforcing the doctrine of human authorship.

On algorithmic decision–making, in EEOC v iTutorGroup (2023), the defendant had programmed their tutor application software to automatically reject older job applicants and ended up paying USD365,000 and furnish other relief as settlement in an employment discrimination lawsuit filed by the US Equal Employment Opportunity Commission (EEOC).

On consumer protections, State Attorney Generals from California and New Jersey have enforced existing laws against deceptive AI practices, algorithmic discrimination and deepfake fraud in areas such as healthcare, advertising and credit services.

Greece has not specified allocation of competencies regarding AI among the agencies yet. Supervisory jurisdiction on AI is currently distributed among the following authorities:

• the Ministry of Digital Governance, which is the national coordination body responsible for the design and implementation of the national AI strategy; 
• the Hellenic Data Protection Authority (HDPA), which is responsible for data protection issues arising from AI, including automated decision-making and profiling;
• the Hellenic Authority for Communication Security and Privacy (ADAE), which supervises AI systems to the extent that they affect the privacy, confidentiality and security of communications;
• the Greek Ombudsman, which is involved when AI-based decisions cause maladministration, or violations of rights; and
• the Greek National Commission for Human Rights (GNCHR).

Other sectoral regulators (telecoms/media, competition, energy, banking, capital markets, etc) can be involved with respect to the entities they supervise.

The High-Level Advisory Committee on Artificial Intelligence (AI) published “A Blueprint for Greece’s AI Transformation” in an effort to formulate a national policy for leveraging the potential of AI. One of the primary aims of this policy proposal is to safeguard against the risks posed by the unregulated use of AI.

In addition, several sectoral regulatory bodies have issued AI-specific guidance including the National Commission for Bioethics & Technoethics of Greece, which issued the “Opinion on the Applications of AI in Health in Greece” and the “Opinion on the use Artificial Intelligence in Greek Schools”.

Furthermore, the Hellenic Federation of Enterprises (SEV) issued an AI Guide to help Greek businesses implement AI effectively. Universities have published AI guidelines for students and faculty staff, while best practice guidelines have been issued on advertising by the Hellenic Association of Communication Agencies (“10 Principles for the Responsible Use of Artificial Intelligence in Advertising”).

The EU AI Act provides for a tiered penalty regime which includes fines, service suspensions or restrictions, as well as mandatory corrective actions and pre–enforcement warning, similar to the GDPR. Enforcement will be assigned to the national competent authorities, to be designated by each EU member state. Greece’s designation of competent authorities under Article 70 remains pending.

So far, GDPR remains the primary enforcement tool against AI–linked personal data and consumer protection violations, signalling that even existing regulatory instruments can be employed for intervention against AI systems that compromise data security and fundamental rights. Awaiting the AI Act’s full entry into force, the Hellenic Data Protection Authority took repeated enforcement action against AI-driven risks:

• in Decision 35/2022 (Clearview AI), it imposed a EUR20 million fine for unlawful biometric data scraping; and
• in Decision 18/2025, it found that DeepSeek, a Chinese AI platform accessible in Greece, had failed to appoint an EU representative as required by Article 27 GDPR – a transparency and accessibility obligation – despite clearly targeting EU data subjects.

Greece has not developed AI-specific national standards. NQIS (ESYP)/ELOT, the national standardisation body (member of CEN, CENELEC) functions as the adoption channel for harmonised European standards developed by CEN-CENELEC JTC 21 under the AI Act to become ELOT EN standards in Greece.

The Ministry of Digital Governance and AI is the overarching body shaping national AI policy. Its Department of Standards and Technological Applications (PD 40/2020, Article 41(4)) is responsible for shaping Greece’s positions in EU and international AI standardisation fora and for the transposition of regulatory instruments issued by CEN/CENELEC, ITU and ETSI. The newly established Special Secretariat for AI and Data Governance coordinates national AI strategy and implementation policy, supported by GRNET, which manages national HPC infrastructure including the DAIDALOS supercomputer and the PHAROS AI Factory.

The National Commission for Bioethics and Technoethics, an advisory body reporting to the Prime Minister, has issued Opinions on AI in healthcare (2024) and education (2025), articulating ethical principles that function as non-binding soft-law reference points for deployers.

ISO/IEC 42001:2023 (AI Management Systems) remains the most prominent international AI standard, providing a certifiable AI governance framework. First signs of early adoption by Greek companies include EY Greece and a spin-off of Athens University. CEN-CENELEC JTC 21 is expected to adopt it as EN ISO/IEC 42001; however, the European Commission has identified gaps which likely mean that ISO/IEC 42001 alone will not suffice for AI Act compliance.

prEN 18286 is an EU purpose-built QMS standard for AI Act compliance (Article 17), and the first of a broader suite of JTC 21 harmonised standards currently under development, covering conformity assessment (prEN 18285), risk management (prEN 18228), data quality and governance (prEN 18284), bias (prEN 18283), trustworthiness (prEN 18229) and cybersecurity (prEN 18282). Once released, these standards shall offer providers a presumption of conformity.

However, its enquiry vote in January 2026 did not reach the required approval threshold, and comment resolution is ongoing. This setback strengthens the case for the Digital Omnibus proposed postponement of application dates for high-risk AI systems.

Government agencies in Greece have been increasingly using AI systems to improve the quality and effectiveness of the public services. The AI-powered assistant mAigov is helping citizens navigate public services, while mAiGreece provides important information to visitors in Greece. The Independent Authority for Public Revenue (AADE) introduced a tax fraud detection AI system, while the Hellenic Cadastre has piloted an AI tool that reads property contracts in natural language, verifies document completeness against legal requirements and generates draft approval recommendations for supervisors, to accelerate the property registration procedure.

Government use of AI needs to comply with the GDPR and Greek Law 4624/2019 (regulating additional national data protection measures), as well as the EU AI Act and Greek Law 4961/2022 regulating AI and emerging technologies.

Greek courts have slowly started addressing automated decision-making, data processing through AI systems and AI-supported public administration. The Council of State, Greece’s highest administrative court has ruled (Decision 1206/2024) that, irrespective of whether a state administrator used automated data processing partially or fully for an individual decision, explaining its conclusion “is a fundamental element of the rule of law” and honours the principle of transparency and legality of civil administrative action. According to the ruling, Civil Administration is obliged to explain the key stages of mathematical calculations and variables considered, as this will allow the individual to determine whether the legal conditions were met and a judge to exercise effective judicial review.

The Greek Government has begun to explore the adoption of AI systems in its defence systems through a combination of domestic research and development and procurement from key partners. In line with this strategic national security decision:

• the Achilles’ Shield programme (approved by the National Security Council) will incorporate an Israeli-developed AI platform for automated threat detection, classification and interceptor selection against modern aerial threats across its multi-layered air and missile defence system;
• the domestically developed Kentavros and Iperion counter-drone systems, which incorporate AI-driven detection capabilities, have been operationally tested in live conditions; and
• an AI Department has been established under the Hellenic National Defence General Staff’s Informatics Directorate (Article 58, Law 5110/2024).

From a regulatory perspective, both the EU AI Act and Greek Law 4961/2022 on public sector AI expressly exclude AI systems intended for military, defence or national security purposes.

Generative AI systems, such as LLMs, content generators, and code-generation tools, raise significant legal questions across several regulatory domains, as traditional frameworks meet new challenges at an unprecedented scale.

Copyright law constitutes a key battleground, particularly regarding the use of protected works in training datasets and the legal status of AI-generated outputs. Much like the early days of the Internet and peer-to-peer sharing, the adaptability of the core copyright principles is being challenged, as litigation, public discourse, and policy debates address whether training constitutes lawful use and who, if anyone, holds rights in generated content.

Privacy and data protection concerns also arise from the processing of personal data within massive datasets, raising questions of lawful processing, data minimisation, and data subjects’ rights, most prominently the right to be forgotten.

Further challenges relate to liability for harmful, misleading, or infringing outputs, transparency requirements for AI-generated or manipulated content, and information about training data sources.

Finally, the governance of foundation models and general-purpose AI under the EU AI Act imposes specific transparency, documentation and risk-management obligations based on system risk.

AI is increasingly employed in legal practice – from research, contract analysis and document review to drafting, case law summarisation and litigation prediction. While AI tools promise improved efficiency and the ability to process large volumes of legal data, they also raise significant ethical and practical concerns. A well-established risk is hallucinations, where AI systems generate inaccurate or fabricated legal information, such as non-existent case law or provisions.

Concerns further arise regarding the unauthorised practice of law, particularly when AI tools provide legal advice directly to users without professional supervision.

Most critically, ethical considerations are particularly significant given the legal profession’s inherently human-centred role and responsibility in handling sensitive rights, and justice-related decisions.

To respond to the high ethical standards of the legal profession, including competence, confidentiality and professional responsibility, lawyers must balance innovation with ethical and professional integrity, ensuring that AI remains a supportive tool, the use of which does not compromise the human-centric approach and fiduciary trust that defines the attorney-client relationship.

Developers may face negligence liability where a breach of duty of care in the creation, training or deployment of an AI model foreseeably causes harm, provided a causal link is established.

If AI systems were to be treated as inherently dangerous activities or products – such as autonomous vehicles or medical AI – strict liability could apply to enterprises deploying and profiting from such AI systems for any harm caused by their use, irrespective of fault.

Vicarious liability may also arise for human operators or employers who fail to supervise AI systems within their scope of control; a notable Greek example is Article 42 of Law 4784/2021, which designates the remote operator of autonomous urban buses as the “driver” for responsibility purposes.

AI-generated content infringing copyright or containing defamatory material may also give rise to tort liability, though platforms may invoke safe harbour protections as intermediaries.

Across all theories, significant evidentiary challenges persist: AI systems involve multiple actors, evolve after deployment through updates and retraining, and may cause harm through rare, unpredictable behaviour, all of which create complex chains of liability and complicate causal attribution.

Although the EU AI Act, which establishes a risk–based framework, focuses more on pre-deployment safety and compliance requirements by shaping duties of care, it also implicitly shapes liability for the actors of AI systems.

EU Commission had proposed adopting an AI Liability Directive, aiming to address civil liability for damages caused by AI systems, and to simplify the evidentiary burden of the plaintiff, by introducing a “presumption of causality”, which would shift the burden of proof to providers. Due to lack of consensus among EU member parties, the proposal was withdrawn in February 2025.

The revised EU Product Liability Directive 2024/2853, which will take effect in December 2026, explicitly designates software and AI systems as a product for the purposes of applying no-fault liability, irrespective of the mode of its supply or usage, and of whether the software is hosted on a device, accessed through network or cloud technologies, or supplied through a software-as-a-service model. To this effect, a developer or producer of software, including AI system providers, will be treated as manufacturers, in terms of the strict liability imposed by the Directive.

Agentic AI challenges classical contract doctrine, because contracts typically require intent and consent, traditionally tied with natural or legal persons. Agentic AI is often compared to a non–human agent, acting on behalf of their (human) principal. However, unlike human agents, AI lacks intent and any fiduciary duties, thus raising the bar for accountability (of the principal – ie, deployer): the more autonomous and impactful the system, the stronger the requirements for auditability and explainability of its decisions or actions.

The EU AI Act also requires “human oversight measures”, which must ensure the ability to prevent automation bias, intervene and override the AI system, including safe shutdown mechanisms. In agentic systems which operate without real-time human input, oversight would likely be in the form of ex ante constraints and ex post review, rather than continuous supervision.

Additional challenges posed by Agentic AI include jurisdiction conflicts, and evidentiary difficulties in proving liability and causation, as well as interoperability risks, in cases of agent-to-agent interactions, where cascading failures could produce harm without a clear causal chain, thus warranting more collective or system–level liability approaches, rather than strictly individual fault attribution.

Liability for Agentic AI use could be established within the existing legal doctrines – ie, product liability, fault–based liability (negligence in AI deployment) – or vicarious liability which have adequate flexibility to adapt to new technologies.

However, their adequacy would be strained by certain features of Agentic AI, such as opacity of functions, continuous learning and autonomous decision–making, which could complicate foreseeability of harm and causation.

Contractual allocation of liability amongst developers, deployers, and users has, therefore, become paramount. Contracts are a central practical tool for managing AI risks through mechanisms such as indemnity clauses, limitations of liability, warranties for compliance and non–infringement. However, contractual clauses do not bind third–party victims (eg, end users) and may not override mandatory consumer protections nor exclude certain forms of gross negligence or statutory liability.

AI-specific liability frameworks have already started to emerge: the revised Product Liability Directive has included AI under the concept of “product” and has expanded the notion of “defect” to include lack of transparency and unsafe behaviour.

Although often associated with the training data, algorithmic bias occurs when technical decisions, from data selection to model architecture, produce systematically disadvantaged outcomes (unfair and/or discriminatory) for specific groups.

Technical definitions vary, and may even clash between group fairness and individual fairness. Discriminatory outcomes, either intentional or unintentional, may trigger liability under equality law, data protection law, and product liability rules, alongside enforcement of the AI Act through national market-surveillance authorities.

Under the EU AI Act, this issue is addressed in particular for high-risk AI systems listed in Annex III, such as systems used in employment, education, law enforcement, and access to essential services. Providers must establish a risk-management system, ensure that training, validation, and testing datasets are relevant, sufficiently representative, and examined for possible bias, and also design systems to enable effective human oversight. High-risk systems must also meet requirements of accuracy, robustness, and cybersecurity, while deployers must use them in accordance with instructions and monitor their operation.

In Greece, biometric AI systems are primarily governed by the GDPR, with the EU AI Act setting further compliance standards. The AI Act imposes prohibitions on emotion recognition in workplaces and schools, restricts real-time remote biometric identification in public spaces, and classifies systems in migration contexts as high-risk, requiring robust risk management, testing, human oversight, and transparency.

Enforcement is already active. In 2024 (Decision 13/2024), the Hellenic Data Protection Authority fined the Ministry of Migration & Asylum for deploying, among others, a CCTV and drone surveillance system employing artificial intelligence behavioural analytics in asylum centres. HDPA cited lack of legal basis, inadequate Data Protection Impact Assessments, insufficient transparency and data subject notification. Therefore, even ahead of full AI Act enforcement, Greece is actively applying existing data protection law to ensure that high-risk biometric AI systems respect fundamental rights and operate under clear accountability frameworks.

Greece has no standalone statute requiring the labelling of deepfakes, watermarking of AI-generated content, or sector-specific restrictions on synthetic media.

AI Act Article 50(4)’s transparency obligations, requiring synthetic content to be clearly marked, apply from August 2026, supported by the European Commission’s draft voluntary Code of Practice on marking and labelling AI-generated content (first draft December 2025, finalisation expected mid-2026).

Law 4961/2022 (Article 9) extends AI transparency obligations to platforms in respect of their external providers, employees and collaborators.

Article 346 of the Penal Code (introduced by Law 4749/2022) criminalises non-consensual sharing of intimate material, explicitly covering digitally fabricated images and video, with aggravated penalties where the act leads to the victim’s attempted or completed suicide.

Deepfakes depicting real persons may also engage defamation (Articles 362–363 PC) or extortion provisions where the material is used for coercion. Civil remedies are available under the defamation, and general tort frameworks of the Civil Code.

• Disclosure of AI use: Law 4961/2022 requires private employers to inform employees before deploying AI in decisions affecting them (Article 9) and obliges medium and large enterprises to maintain an AI system registry (Article 10), though the implementing secondary legislation envisaged by Article 113 was never issued, limiting practical enforceability. The AI Act adds mandatory disclosure for deployers of high-risk systems.
• Chatbot disclosure: The AI Act requires deployers to notify users interacting with an AI system. Greece’s mAIgov chatbot on gov.gr (see 7.1 Government Use of AI) provides a practical public-sector case study for transparency-by-design.
• AI-Generated Content: No domestic labelling rules exist. The AI Act’s Article 50 transparency obligations apply from August 2026 (see 12.3 Deepfakes and Synthetic Media).
• Explainability: Law 4961/2022 requires public bodies to ensure documentation and auditability of AI systems used in administrative processes. The AI Act imposes technical documentation and explainability duties on providers of high-risk systems.
• Safe Harbours: No Greek-specific exemptions exist; the AI Act uses risk-tiered obligations rather than safe harbours.
• Manipulative AI: The AI Act prohibits subliminal and manipulative AI practices (in force since February 2025). Greek consumer protection law (Law 2251/1994) applies in parallel to AI-driven unfair commercial practices.
• Foundation models: GPAI obligations became applicable on 2 August 2025, supported by the voluntary GPAI Code of Practice (finalised July 2025).

As enterprises move beyond simple prompts and APIs toward fine-tuned, custom-trained AI models, new challenges emerge on a contractual level. Key points in negotiations now include:

• clear IP segregation and protection – ie, distinguishing the fine-tuned model procured by the client from the developer’s underlying foundation model – and also the client’s proprietary data used in fine-tuning from the developer’s base training datasets;
• residual-use clauses – ie, granting the developer a licence to reuse client data for further training – are strongly contested, with enterprises seeking to protect trade secrets and preserve competitive advantage;
• risk and liability allocation, including in case of a system being reclassified under the AI Act (from low- to high-risk).

All the while, AI Act compliance – particularly for high-risk systems or on a group level – is becoming a growing procurement concern for big corporations and organisations.

Developers targeting Greek public contracts must also account for Law 4961/2022 (Article 7), which imposes specific transparency, system openness and compliance obligations on AI contractors.

As AI systems supply chains become increasingly more layered (foundation/LLM model providers, fine-tuning/API developers, cloud infrastructure), contractual cascading and alignment has become an important factor for supply chain accountability. Flowdown clauses, audit provisions, incident notification chains and compliance/certification requirements allow organisations to trace and demonstrate responsibility through each link.

This concerns not only regulated financial institutions, whose ICT procurement and outsourcing framework was comprehensively modernised by Bank of Greece Executive Committee Act 243/2/2025 (adopting EBA/GL/2021/05), and prospective public contractors, who must comply with the transparency, traceability, and accountability requirements of Law 4961/2022, but also any corporation or organisation wishing to demonstrate robust ICT – and, by extension, AI – supply chain governance, for liability reasons, ESG and social responsibility, or for attracting sustainable investment and EU or national funding.

The importance of supply chain diligence is further underscored by the AI Act’s Article 25 reclassification mechanism, elevating any entity substantially modifying or repurposing a procured AI system to full provider obligations.

AI is widely used in employment to screen and rank candidates, but also to define termination criteria, raising overlapping data protection, labour law and anti-discrimination concerns.

The Greek labour code prohibits discrimination and obliges employers to document selection criteria.

Law 4961/2022 (Article 9) separately requires employers to notify employees before first deploying any AI system that affects decision-making on their working conditions, selection, recruitment or evaluation.

Under the AI Act, AI systems used for hiring and termination are classified as high-risk and subject to strict requirements.

The GDPR requires a valid legal basis for employees’ personal data processing via such tools, transparent notification, respect for restrictions on automated decision-making and the conduct of a DPIA. 

Enforcement is shared among the HDPA (unlawful automated decision-making), the courts (discriminatory or unfair dismissals) and the competent labour inspectorate (corrective measures). 

Use of AI-enabled tools for employee performance evaluation – including productivity monitoring, performance analytics, biometric access/time tracking and behavioural analysis – is increasing. Such AI tools are subject to overlapping data protection, labour law and equality restrictions. The GDPR requires such processing to be necessary, proportionate, limited in scope and duration and transparent to employees. Law 4961/2022 imposes specific obligations on employers to notify employees when AI affects decision-making on working conditions, selection, hiring or evaluation. Employers must also audit AI systems for discriminatory bias to ensure equal treatment, while significant workplace monitoring changes require consultation with employee representatives under Greek labour law. Non-compliance may trigger data protection enforcement actions and labour law claims.

Digital platforms increasingly rely on AI for content moderation, recommendation systems, targeted advertising and ranking algorithms. Within the EU, this algorithmic power is governed primarily by the Digital Services Act (DSA) and the AI Act.

Under the DSA, very large online platforms (VLOPs) must:

• conduct systemic risk assessments of their algorithmic systems, including risks of misinformation, discrimination and manipulation;
• implement transparency measures;
• explain recommendation systems; and
• allow users to modify personalisation parameters.

The AI Act complements this with obligations on high-risk AI systems and transparency requirements for AI-generated content.

Regulatory Framework

The applicable financial services regulation framework in Greece, although not AI-specific, is layered: DORA (applicable since January 2025, supplemented by Law 5193/2025) governs ICT risk management used by financial entities (including AI systems) and designates the Bank of Greece and the Hellenic Capital Market Commission (HCMC) as competent authorities depending on the supervised entity.

MiFID II (transposed via Law 4514/2018) imposes algorithmic trading controls on investment firms, including system resilience requirements and risk controls for automated execution, the importance of which is amplified by the spread of Agentic AI. Bank of Greece’s Executive Committee Act 243/2/2025, adopting EBA guidelines on internal governance (EBA/GL/2021/05), modernised the entire ICT outsourcing and governance framework for credit and financial institutions, even though it does not address AI specifically.

Credit Decisioning and Consumer Protection

Automated credit decisions affecting individuals are subject to GDPR Article 22 (right not to be subject to solely automated decisions with legal effects) and the general consumer protection framework (Law 2251/1994). No Greek-specific AI explainability or bias mitigation requirements for credit decisioning have been issued to date. At EU level, the ECB has signalled increasing supervisory attention to AI in credit scoring and fraud detection as part of its 2026-28 supervisory priorities.

Governance and Outlook

The AI Act’s high-risk classification will capture AI applications used in creditworthiness assessment and insurance pricing, once the relevant provisions enter into force, requiring conformity assessments, adequate human oversight, meticulous technical documentation and an overall quality management system. Financial institutions deploying AI should anticipate compliance obligations under both the AI Act and DORA.

AI in healthcare in Greece is developing within a broader digital transformation of the health system, including electronic health records and data-driven care.

The Digital Doctor Assistant, launched in October 2025, is the first AI application integrated with the National Electronic Health Record (MyHealth/IDIKA). It allows physicians to query patient histories using natural language, cutting assessment times and reducing administrative burden.

A partnership with US-based Sword Health (announced November 2025) will introduce AI-powered triage on the national 1566 health line from 2026.

The National Commission for Bioethics and Technoethics Opinion on AI in healthcare (2024) articulates ethical operating principles, including complementarity (AI supports but does not replace clinical judgement), explainability, precaution, and prevention, that function as non-binding soft-law guidance.

No Greek-specific healthcare AI regulation exists to date. Where AI systems qualify as medical devices, the Medical Device Regulation (2017/745) applies, requiring conformity assessment and CE marking. The AI Act classifies AI systems intended for use as medical devices or their safety components as high-risk, triggering comprehensive risk and quality management, data governance, policies and documentation, human oversight and post-market monitoring obligations, once the relevant provisions enter into force. Processing of health data must also comply with the GDPR, including safeguards on automated individual decision-making (Article 22).

Law 4784/2021 (Article 42) established Greece’s piloting framework for driverless vehicles, permitting operation on public roads only for research purposes and under strict conditions. Two categories are covered:

• urban-type buses, for pilot or experimental operation, including municipal transport; and
• passenger cars, for research purposes only.

Commercial deployment of fully autonomous vehicles on Greek public roads is not currently permitted.

Operation of urban-type buses requires approval by the municipal council with the consent of local traffic police, among others. Driverless buses must be equipped with automated braking and immobilisation systems replicating the behaviour of a human driver and must be monitored at all times via external cameras and audio by a remote operator holding a valid driving licence and bearing legal responsibility as the vehicle’s driver. Operation is confined to a predefined urban or peri-urban route established by traffic study and must comply with all road traffic rules.

The Trikala autonomous bus programme was Greece’s first driverless public transport pilot, operating on a predefined municipal route.

AI-enabled retail tools (eg, dynamic pricing engines, personalised recommendations, AI chatbots) are found at the intersection of multiple regulatory frameworks.

The GDPR (supplemented by Law 4624/2019) requires a lawful basis for profiling and personalisation, while the principles of transparency, purpose limitation and data minimisation constrain how consumer data can feed AI models. Article 22 also gives consumers the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Law 4961/2022 requires medium and large enterprises to maintain an electronic registry of AI systems used for consumer profiling and to adopt ethical data use policies (Article 10), though the implementing Presidential Decrees have not been issued to date, limiting practical enforceability.

The AI Act’s prohibited practices provisions (Article 5), in force since February 2025, directly target AI systems deploying subliminal or manipulative techniques, dark patterns or exploitative personalisation in e-commerce.

Retailers must also comply with Law 2251/1994 (transposing the Unfair Commercial Practices Directive), which requires disclosure when pricing has been personalised based on automated decision-making (Article 3b).

Greece’s emerging industrial AI robotics sector, spearheaded by startups and Greek university spin-offs, is faced with a dual regulatory framework.

Where AI operates machinery autonomously, or functions as a safety component thereof, it will likely qualify as a high-risk AI system under the AI Act, triggering risk and quality management, technical documentation, human oversight, and cybersecurity requirements. 

Concurrently, the EU Machinery Regulation (2023/1230), applicable from January 2027 and replacing the current Directive (transposed in Greece via PD 57/2010), requires conformity assessment for machinery with “fully or partially self-evolving behaviour using machine learning approaches ensuring safety functions”, whether considered AI or traditional ML (exempted from the scope of AI Act), and expands risk assessment obligations to account for the evolving behaviour of such systems designed to operate with varying levels of autonomy over their lifetime.

An important attention point for both deployers and Robotics-as-a-Service providers is the “substantial modification” doctrine, used by both the AI Act (Article 25) and the Machinery Regulation (Article 18). Any substantial modification of the robot or its operating AI model, or of their intended use(s) and purpose(s), that affects the original risk profile (and its assessment) can reclassify the modifier as “provider” or “manufacturer”, elevating them to full compliance obligations.

Patentability of AI depends on whether the AI contributes to a tangible technical solution beyond mere computation.

An AI model’s source code and curated datasets may qualify for copyright protection as literary works, though not raw data and model architecture as such, as copyright protection does not extend to “methods” or “ideas or mere facts”.

Databases may enjoy sui generis protection (EU Directive 96/9) against substantial extraction, though this is itself limited by the text and data mining exception under the DSM Directive, subject to rightholder opt-out.

Model weights and training methodologies are more effectively safeguarded as trade secrets under EU Directive 2016/943.

Contractual clauses remain central to allocating IP across developers, users and data providers, particularly regarding training data, fine-tuned models and AI outputs, whose copyright status is often uncertain given limited human authorship (see 13.1 AI Procurement Standards and Contracting).

Simultaneously, AI systems are exposed to infringement claims from unlawful use of copyrighted training data to creating derivative outputs. Recent developments showcase increasing regulatory and judicial attention to these matters. Under the AI Act, providers must comply with copyright law and disclose summaries of training data sources, reinforcing transparency.

European patent and copyright law remains human-centric: only a natural person may qualify as an inventor or author, and AI systems cannot be treated as legal subjects of IP rights. The European Patent Office has confirmed this by repeatedly rejecting AI inventorship in the DABUS cases.

Copyright protection requires the author’s own intellectual creation, meaning protection may extend to human-guided AI output – through substantive fine-tuning or editing – but not to fully autonomous AI-generated content. Nor can the owner of an AI tool automatically claim inventorship of its output without contributing human intellect.

Moral rights, including attribution and integrity, which protect against misattribution and distortion, remain inalienable, meaning AI output that imitates or alters copyrighted works may raise infringement concerns. The AI Act reinforces this framework by treating AI as a tool whose risks must be regulated – demanding copyright compliance and training data transparency – rather than as a legal subject of rights.

AI training involves copying pre-existing works, which prima facie constitutes reproduction requiring authorisation or a license. The DSM Directive provides two text and data mining (TDM) exceptions: a mandatory exception for research organisations and a broader commercial exception subject to rightholder opt-out in machine-readable form. Due to the uncertainty surrounding TDM exceptions, AI companies increasingly negotiate licences with publishers and creators, with collective licensing (rather than on an individual basis) emerging as a practical framework. Even where training is lawful, liability may arise at the output stage, if AI-generated content reproduces or closely resembles copyrighted works, potentially giving rise to both economic rights and moral rights of attribution and integrity.

The European Parliament adopted a resolution on 10 March 2026 calling for full transparency on copyrighted works used in AI training, effective opt-out mechanisms, fair remuneration for creators (including for past use) and the establishment of voluntary collective licensing agreements, while rejecting a global flat-rate licence model.

Purely AI-generated works are excluded from copyright protection due to the absence of human intellectual effort; such output falls into the public domain unless it constitutes a derivative of an existing copyrighted work. Human-guided AI output may qualify for protection where the human contribution – through selecting, editing, curating or substantive prompt engineering – meets the threshold of originality. In that case, IP ownership vests in the human author or any party to whom rights have been contractually allocated. Since AI cannot be deemed an author, it cannot hold moral rights; where human-guided output qualifies for copyright, moral rights of attribution and integrity remain with the human contributor as inalienable and untransferable rights.

Proprietary AI models are typically closed-source, with weights and training data protected by copyright or as trade secrets, and access controlled via API or SaaS terms.

Open-weight models publicly release weights but not the source code or training data, with licences often imposing field-of-use restrictions or share-alike and attribution clauses. IP risk arises if the underlying dataset or weights infringe existing rights. True open-source models provide access to weights, training data and code, permitting modification and redistribution under standard OSS principles.

API-based models commonly include IP indemnities and output filters for infringing content, whereas self-hosted models are typically licensed “as is” without warranties or indemnities, shifting infringement risk to users.

A fine-tuned model could constitute a derivative work, protected by the base model’s copyright, or a new work, incorporating learned parameters, based on the license of the base model: permissive licences allow unrestricted fine-tuning, while copyleft or share-alike terms may require release of fine-tuned weights or training modifications. Open-source AI licences are legally binding under contract and copyright law, with non-compliance exposing users to infringement claims and licence revocation.

Model merging could lead to the creation of a composite derivative work, which must comply with all upstream licenses simultaneously. Model distillation – ie, training a smaller AI model on outputs of a larger one – could infringe on the base model’s IP, if reproducing a substantial part thereof, or violate its licence terms.

AI interferes with data protection as it relies on large datasets, often including personal data, for training. Organisations feeding personal data to AI systems for training must comply with data protection obligations stemming from the GDPR and supplemental Greek legislation, but also from the EU AI Act.

The data protection obligations include: 

• identification and documentation of a lawful basis for data processing (usually consent, legitimate interests, or public task/research) and performance of balancing tests when necessary;
• compliance with data protection general principles, including purpose limitation (eg, assessment whether AI training is compatible with the original purpose of collection of personal data) and data minimisation (eg, adoption of practical measures to remove non-necessary personal data for the purpose of AI training);
• the challenging task of implementation of appropriate mechanisms to handle data subject rights requests;
• enhanced safeguards for the processing of special category data, when such processing is allowed;
• adoption of technical and organisational measures, such as anonymisation and pseudonymisation, to minimise privacy risks; and
• the need to demonstrate compliance through documentation requirements.

Privacy by design requires organisations deploying AI to plan under the assumption that personal data will be processed and, consequently, to define processing purposes, map data flows and establish a valid legal basis at the earliest design stage.

Privacy notices must clearly and precisely explain what the AI system does and how personal data is used.

Data subjects retain all GDPR rights, including the right not to be subject to decisions based solely on automated processing, requiring organisations to implement mechanisms for human intervention and to enable data subjects to express their views and challenge automated decisions.

Compliance with data retention principles (retention policy, storage limitation), applied to both operational and training data, and enhanced protection of children’s personal data are further requirements that organisations deploying AI must address.

AI systems typically involve complex data processing and multiple parties across the supply chain. Determining GDPR roles (controllers, processors, joint controllers) and executing appropriate data processing agreements is a demanding task in this multi-actor environment, even for organisations willing to properly allocate responsibilities and share security obligations fairly.

Data protection impact assessments (DPIAs), whether combined with Fundamental Rights Impact Assessments (FRIAs) and/or algorithmic assessments or not, are a particularly effective tool for identifying high-risk processing and implementing appropriate technical and organisational safeguards.

Organisations should ensure from an early design stage that privacy considerations are effectively addressed and that default settings are privacy-friendly.

Data flows for both training and deployment should be mapped accurately and always kept up-to-date to ensure compliance with the GDPR, including with respect to cross-border transfers.

Greece’s competition law framework (Law 3959/2011) equips the Hellenic Competition Commission (HCC) with tools applicable to AI-related competition concerns, though no AI-specific enforcement action has been taken to date. The framework operates in parallel with the DMA (Regulation 2022/1925) for designated gatekeepers.

Standard merger control thresholds apply to AI acquisitions, including acqui-hires where they qualify as concentrations. Law 5255/2025 removed the fixed 30-day notification deadline, requiring instead that notification be made before the concentration is implemented – aligning with Regulation 139/2004. Article 1A of Law 3959/2011 (Law 4886/2022) prohibits price signalling between competitors, a provision potentially applicable to algorithmic price coordination.

Data-driven dominance, vertical integration along AI value chains, tying arrangements and foundation model concentration may be addressed under existing HCC powers, though enforcement on these issues remains primarily at EU level, as illustrated by Commission precedents such as the Amazon Marketplace and Google Shopping cases.

Article 38A of Law 3959/2011 (introduced by Law 5255/2025) expressly authorises the HCC to deploy AI systems, data mining and public/private system interconnections in its enforcement activities, and grants it direct access to the national e-procurement platform (ESIDIS) for bid-rigging detection.

With the increasing integration of artificial intelligence at every level of ICT systems, EU’s broader cybersecurity regime has become particularly relevant to AI systems. Joint Ministerial Decision 1689/2025, enacted in implementation of Law 5160/2024 (transposing NIS2), prescribes a comprehensive compliance framework (ICT risk assessment and management system, supply chain controls, internal policies and processes, audit rights etc).

Entities subject to NIS2 (Article 7 Law 5160/2024), as well as public sector bodies (Article 18 L. 4961/2022) must also designate an Information Technology Systems and Communications Security Officer, a cybersecurity compliance monitoring officer role.

A notable feature of Law 5160/2024 is that management bodies must formally approve cybersecurity risk management measures at policy level and can be held personally liable for non-compliance — a provision that has awakened management- and board-level attention to cybersecurity compliance.

Article 15 of the AI Act, requiring high-risk AI systems to achieve an appropriate level of cybersecurity, including resilience against adversarial attacks, data poisoning and model extraction, compounds to, rather than replaces, the obligations under NIS2 and DORA, particularly for regulated entities subject to supply chain compliance monitoring and entities elevated to provider level under Article 25 of the AI Act.

The ESG dimensions of AI are reshaping how sustainability is framed in an increasingly AI-mediated world. And, vice versa, the focus placed on sustainability calls for revising and possibly constraining AI usage.

Training and deploying large AI and GPAI models requires substantial computational power, raising concerns about energy consumption, water use and carbon emissions, with frameworks such as the AI Act and the Corporate Sustainability Reporting Directive (CSRD) reinforcing environmental disclosure and sustainability obligations.

In the social domain, AI raises concerns about algorithmic fairness, discrimination and workforce disruption, strengthening the case for re-skilling and inclusive innovation policies.

Governance is the most developed ESG pillar, with organisations increasingly adopting AI ethics boards, responsible AI frameworks and internal oversight mechanisms. ESG due diligence now extends to auditing AI investments, procurement and data supply chains for ethical labour and bias. As AI generates new sustainability risks across the triple bottom line, reconciling its ESG costs with its benefits will require evolving regulatory and corporate governance responses.

Effective AI governance requires a multi-layered, ethics-informed and risk-based structure embedded within existing corporate oversight, in a way that penetrates the entire organisations’ culture and practices. Whereas so far organisations have tended to rely mainly on AI Ethics Committees with loose mandates, now they increasingly employ governance boards, and dedicated risk or compliance functions to supervise AI-related decisions. A central element is maintaining an AI inventory that classifies systems by risk level, enabling proportionate governance and stronger controls for higher-impact uses. Governance must apply across the entire AI lifecycle, from data sourcing and model development to deployment, monitoring, and decommissioning. Practical implementation depends on impact assessments, documentation, and testing, particularly to meet standards under frameworks such as the EU AI Act. Third-party AI governance is equally important, since organisations may remain exposed to risks created by external vendors.