TMT 2024 Comparisons

Last Updated February 22, 2024

Law and Practice

Authors



Nikolinakos & Partners is an Athens-based law firm known for its strong foundation in regulatory, transactional and litigation matters. The firm specialises in various practice areas, including TMT, digital business, emerging digital technologies (eg, artificial intelligence and IoT) and robotics, data privacy and cybersecurity, competition law, corporate compliance, intellectual property, administrative law/public procurement and tech litigation.

Concept

The metaverse is a term describing a hypothetical enhanced digital environment, which is more immersive, interactive and interconnected than the internet today. It is a shared virtual space where users can create, interact and transact with each other in real time, using advanced technologies such as virtual and augmented reality, blockchain and artificial intelligence.

While this development seems exciting, the metaverse brings several legal and regulatory challenges that have either not been addressed or need to be revisited. Some of these issues relate to the collection of personal data, cybersecurity and intellectual property, but many more are likely to arise in the future.        

Laws and Regulations

There is currently no specific legislative framework that applies exclusively to the metaverse in Greece. Nonetheless, the relevant technology is already regulated to some extent by existing laws and regulations both in Greece and in the EU, the main ones being:

  • Regulation (EU) 2022/2065 (Digital Services Act);
  • Regulation (EU) 2022/1925 (Digital Markets Act);
  • “Proposal for a Regulation […] laying down harmonised rules on artificial intelligence (AI) and amending certain union legislative acts”, COM (2021) 206 final (AI Act) (if adopted);
  • “Proposal for a Directive […] on adapting non-contractual civil liability rules to artificial intelligence”, COM (2022) 496 final (AI Liability Directive) (if adopted);
  • Regulation (EU) 2016/679 (GDPR) and implementing Greek Law 4624/2019; and
  • Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification […] (Cybersecurity Act).

Data Protection

A key legal challenge that arises in the context of the metaverse concerns the processing and protection of personal data. In order to provide the user with an unparalleled immersive experience, a substantial amount of personal information about their habits, behavioural patterns and general communication is collected, with concurrent processing of biometric data. This highlights the essential need for platforms to comply with the GDPR, particularly given that biometric data resides within the special categories of personal data, thereby raising the issue of the legal basis supporting its processing.

An important and simultaneously difficult issue arises with regard to the definition of the roles and responsibilities concerning personal data governance within the metaverse – namely, the roles of data controller and data processor – as in such a multi-layered environment it may not always be clear who actually determines the purpose for the processing of such data.

Moreover, a pivotal concern involves the procurement of user consent and the obligation to notify users comprehensively regarding the protection of their privacy, as well as the point in time at which the information and consent will be given accordingly. On the other hand, excessive effort to comply with the GDPR may result in users being unable to comprehend any complex and obscure terms of use.

Finally, it is important to note that the geographical scope of the GDPR is precise, as outlined in Article 3 thereof, so the applicable law may vary depending on the area of the virtual world used by the user, creating issues regarding the competence of authorities, legal uncertainty and the precariousness of rights.

Cybersecurity

Within the metaverse, prevailing cybersecurity challenges encompassing phenomena such as phishing, malware and hacking will intensify, deviating from contemporary internet-based attacks and threats. Cybersecurity issues may also arise in the main economic pillars of the metaverse, notably cryptocurrencies and non-fungible tokens (NFTs), and the risk of counterfeit or hacked avatars is imminent, posing problems such as deepfakes, identity theft and various challenges in identifying virtual crimes.

However, cybersecurity legislation such as Directive (EU) 2022/2555 (NIS 2) has been introduced, which aims, inter alia, to ensure a high level of cybersecurity and cyber-resilience within the EU. Meanwhile, the “Proposal for a Regulation […] on horizontal cybersecurity requirements for products with digital elements”, COM (2022) 454 final (EU Cyber Resilience Act) could also be implemented once adopted, and has the potential to significantly enhance cyberprotection within the metaverse. The NIS 2 Directive replaces Directive (EU) 2016/1148, which was incorporated into Greek law through Law 4577/2018, which remains in force. Within the broader cybersecurity framework, the following laws may also apply:

  • Greek Law 5002/2022 regarding the procedure for the lifting of communications secrecy, cybersecurity and data protection; and
  • Greek Law 4961/2022 on “Emerging information and communication technologies, strengthening digital governance and other provisions”.

Moreover, essential operations within the metaverse are executed through Virtual Reality (VR) and Augmented Reality (AR) devices, like virtual reality headsets. Therefore, the devices themselves should maintain a robust level of security and be constantly updated for new security patches. These devices are categorised as consumer products and may not fall within the scope of the NIS 2 Directive, but they do fall within the scope of the General Product Safety Regulation (EU) 2023/988, which refers, inter alia, to the existence of appropriate cybersecurity features for product protection.

Intellectual Property

The challenges posed by the metaverse in the field of intellectual and industrial property, such as unauthorised use of registered trade marks, copyright violations, jurisdiction and classification issues, also cannot be ignored. The metaverse provides a variety of virtual goods and services, all of which are either copied from the physical world or created, and are therefore subject to intellectual property laws and/or in need of protection. However, the challenges associated with tracking and enforcing intellectual property rights (IPR) have historically proven difficult and are anticipated to persist in the future.

With the underlying technology itself being subject to extensive patents, together with the introduction of innovative assets like digital collectibles documented via NFTs, new and unique intellectual property issues are emerging. For example, the utilisation and exploitation of previously licensed or acquired IPR, particularly by licensees, poses challenges regarding the scope of rights acquired under pre-existing contracts in the metaverse.

Legal issues also arise in the area of trade mark registration, and many companies have filed trade mark applications to enter the metaverse and the world of NFTs. As a result, trade mark owners face uncertainty in industrial property law due to the significant barriers to the successful detection of counterfeiting and the enforcement of trade mark rights that exist in the metaverse, such as the difficulty of identifying infringers. In Greece, full authority and responsibility for trade marks is assumed by the Hellenic Industrial Property Organisation according to the provisions of Law 4679/2020, entitled “Trademarks – transposition of Directive (EU) 2015/2436 on the approximation of the laws of the Member States relating to trademarks and Directive 2004/48/EC on the enforcement of IPR and other provisions”.

In addition, there are a number of intellectual property issues related to AI, which can obtain data from copyrighted works and reproduce it in an algorithmically automated way in the metaverse, without compensating the authors. In this context, technologies such as blockchain could be integrated into AI systems, making it possible to identify copyrighted, trade marked or patented content that has been used by AI. At the same time, creators and consumers of the metaverse have an obligation to respect the rights of copyright holders to the exclusive exploitation of their IPR within the metaverse. In Greece, copyright is protected by virtue of Law 2121/1993 on “Copyright, Related Rights and Cultural Matters” and Law 4481/2017 on “Collective management of copyright and related rights, multi-territorial licensing in musical works for online use in the internal market and other issues falling within the scope of the Ministry of Culture and Sports”.

The Hellenic Copyright Organisation is the national competent authority responsible for safeguarding the rights of authors and right holders in the field of copyright and related rights.

Directive 2000/31/EC was incorporated into Greek law by Presidential Decree 131/2003 and establishes rules on a number of issues in the European Union concerning electronic commerce and the provision of information society services. This law includes regulations relating to the establishment of service providers, the information that the provider is obliged to provide to the recipients of the service, commercial communications and advertising, the conclusion of contracts by electronic means, and the liability of providers for illegal content circulated on their platforms.

In December 2020, a proposal for a Digital Services Regulation was published, which essentially updates the E-Commerce Directive. Following the adoption stages, the Digital Services Act (Regulation 2022/2065) was published on 27 October 2022 and is directly applicable in Greek law. The Regulation will progressively enter into application by 17 February 2024, and addresses issues such as:

  • measures to deal with illegal content online;
  • the traceability of marketers;
  • the prohibition of misleading practices and specific types of targeted advertising;
  • the liability of online intermediaries for third party content;
  • the safety of users online; and
  • due diligence obligations for different service providers depending on their size.

In addition, Articles 3b and 3ba of Law 2251/1994 contain provisions regarding the information that the supplier must provide to the consumer prior to the conclusion of a sales contract. Articles 3c and 3d set out the formal requirements for distance contracts.

Directives No 2019/770 on the supply of digital content and services and No 2019/771 on the sale of goods are part of the EU's effort to regulate digital markets from a competition law and consumer protection perspective. Directive 2019/770 was incorporated into Greek law by Law No 4967/2022, while Directive 2019/771, which establishes rules for contracts for the sale of goods with digital elements, has been incorporated into the Civil Code by Law No 4967/2022 and a small part of it in Law 2251/1994.

In the digital economy, the general rules on competition (mergers, acquisitions, abuse of dominant position) apply. In Greek law, EU Regulation 2019/1150 – also known as the P2B Regulation – is directly applicable and seeks to establish transparency and fair treatment for business users who use the platform as a channel for selling or promoting their business and their products, highlighting the obligation for transparent and detailed terms of use. It includes, inter alia, the obligation for platforms to post the ranking and promotion mechanisms of entrepreneurs. Articles 4–8 of Law No 4753/2020 designate the Interdepartmental Market Control Unit at the Ministry of Development and Investment as the competent supervisory authority for the implementation of the Regulation.

Finally, following the initial proposal of the European Commission in December 2020, Regulation (EU) 2022/1925 (DMA) was adopted by the European Parliament and the Council on 14 September 2022, and was published in the Official Journal on 12 October 2022. The DMA entered into force on 1 November 2022 and became applicable on 2 May 2023. It is one of the first regulatory tools to comprehensively regulate the gatekeeper power of the largest digital companies. The DMA complements but does not change EU competition rules, which continue to apply fully.

Digital Services Act

The Digital Services Act (Regulation (EU) 2022/2065) entered into force on 16 November 2022 and will be enforced through a pan-European supervisory architecture. According to the Regulation, member states shall designate one or more competent authorities as being responsible for the supervision of intermediary service providers and the enforcement of this Regulation (“competent authorities”).

Member states shall designate one of the competent authorities as their digital services co-ordinator, which will be responsible for all matters relating to the supervision and enforcement of this Regulation in that member state, unless the member state concerned has delegated certain specific tasks or areas to other competent authorities. In any case, the digital services co-ordinator shall be responsible for ensuring co-ordination at the national level in relation to those issues and for contributing to the effective and consistent supervision and enforcement of this Regulation throughout the EU.

Greece shall designate its digital service co-ordinators by 17 February 2024. It is therefore expected that a legislative act will be adopted empowering the competent authority to be responsible for the supervision of intermediary service providers and the enforcement of this Regulation.

Law 4727/2020 on Digital Governance defines cloud computing as a service standard that enables internet access to an expandable and flexible group of shared physical or virtual resources. The provision of the service is based on the needs of the user, and the management of resources by the service provider is done only at the request of the user. Law 4727/2020 references the following models of cloud computing.

  • Public: services are potentially available to any customer and the resources of the service are controlled by the service provider. A public cloud can be owned, managed and operated by a business, academic or governmental organisation, or by a combination thereof. The computing infrastructure is located on the premises of the service provider.
  • Private: services are used exclusively by a single organisation and resources are controlled by that organisation. A private cloud can be owned, managed and operated by the organisation itself or by a third party, and the computing infrastructure may be located on-site or off-site. The private cloud service provider may allow access to other parties.
  • Hybrid: uses at least two different cloud computing service models. The two services remain unique but are interconnected by the appropriate technology that enables interoperability, data and application portability. A hybrid cloud can be owned, managed and operated by the organisation itself or by a third party, and can be located on-site or off-site.

The Ministry of Digital Governance is responsible for determining the use of cloud computing infrastructure by public sector bodies and for defining criteria for the selection of techniques and methods for the use of cloud services. To promote the use of cloud services by public administration, the Ministry will design and launch a digital marketplace of cloud services and applications where public sector bodies and cloud service providers will be registered, and where cloud service providers will post the cloud services they provide, along with the technical details and the costs of procurement.

Public Administration

With regard to the public administration sector, Law 4623/2019 and Law 4727/2020 contain provisions concerning the acquisition and use of cloud computing services by public administration in Greece.

In particular, the General Secretariat of Public Administration Information Systems (GGPSDD), the National Network of Technology and Research Infrastructures (EDYTE) and the Digital Governance of Social Insurance (HDIKA) must prioritise the acquisition of cloud computing services for all public sector entities over other technological solutions, for storing data, hosting information systems and other specified activities. Every new information system of public sector entities must be accompanied by a data classification study.

The provision of digital public services by public sector bodies is carried out through:

  • the central infrastructure of the Government Cloud of the Public Sector (G-Cloud), managed by GGPSDD;
  • the Government Cloud of the Research and Education Sector (RE-Cloud), managed by EDYTE; and
  • the Government Cloud of the Health Sector (H-Cloud), managed by HDIKA.

The entities responsible for the management of the government clouds must each retain a digital register of the central electronic applications and the central information systems installed in the respective cloud. The government cloud computing systems may be interconnected to provide optimal public services and to create back-up, business continuity and disaster systems, in compliance with the provisions of the legislation on personal data protection.

All central electronic applications and information systems that relate to transactions between public administration and natural or legal persons or legal entities, and that are maintained by all ministries (except for the Ministry of Health and the Ministry of Education and Religious Affairs), public sector bodies (other than hospitals and health centres), independent authorities and Information Society S.A., must be installed on the G-Cloud by 1 January 2025. By the same date, all electronic applications and central information systems of the Ministry of Education and Religious Affairs and its supervised bodies, as well as those offered by the Ministry to the education and research community, must be installed on the RE-Cloud. The same applies for the applications and central information systems of the Ministry of Health, hospitals and health centres, concerning the processing of medical data and citizens’ medical transactions. GGPSDD, EDYTE and HDIKA must provide service level agreements to the above-mentioned entities.

With regard to the financial services sector, specific provisions on the use of cloud services are included in Act 2577/2006 and Act 2597/2007 of the Governor of the Central Bank of Greece on internal control and privacy systems for the banking sector, and also in Law 3431/2006 and Law 2472/1997, to the extent that they do not conflict with the GDPR.

GDPR

In Greece, personal data protection in cloud services is regulated by the GDPR, along with Law 4624/2019 implementing the GDPR, which introduces specific criminal penalties for the illegal processing of personal data, in addition to the administrative penalties provided under the GDPR.

According to the GDPR, the parties involved in the provision of cloud services are obliged to provide transparency on the purposes of data processing, to ensure that data subjects can exercise their rights and can clearly identify the roles of data controllers and data processors. The latter is particularly challenging in cloud computing, with great variations between B2B and B2C cases. In B2C cloud services, the cloud provider is usually the data controller collecting and processing personal data relating to end-customers; in B2B, where businesses act as customers, they are considered data controllers with the cloud providers acting as data processors, even though the business customers do not have full control of the infrastructure used for the processing.

The GDPR also requires cloud providers to use suitable technical solutions to ensure the appropriate level of security depending on the nature of the data, to have mechanisms in place for data breach notifications, and not to transfer this data to third parties unless an adequate level of data protection is proven to be in place.

Law 4961/2022 on “Emerging Information and Communication Technologies, Strengthening Digital Governance and Other Provisions”

This is the legal instrument regulating AI in Greece. There are also legislative proposals on the EU level regarding AI-related issues (ie, the AI Act), in order to establish harmonised EU-wide rules for AI.

The proposal of the AI Act was published by the EU Commission in 2021 to set a gradual regulatory framework, in which various AI systems are subject to requirements and obligations depending on the risks associated with them. The proposed AI Act contains a classification of regulatory requirements depending on the inherent risk associated with the AI system being used, namely:

  • prohibited AI practices;
  • high-risk AI systems; and
  • low-risk systems.

In December 2023, the EU Parliament reached a provisional agreement with the EU Council on the AI Act. The draft Regulation aims to ensure that AI systems placed on the EU market and used in the EU are safe and respect the fundamental rights and values of the EU.

The main new elements of the provisional agreement can be summarised as follows:

  • rules for high-impact general-purpose AI models that may pose a systemic risk in the future;
  • a governance system with some enforcement powers at EU level;
  • an extension of the list of prohibitions, with the possibility for law enforcement authorities to implement remote biometric identification in public places, subject to safeguards; and
  • a wider protection of rights by requiring operators developing high-risk AI systems to carry out an impact assessment regarding fundamental rights before using an AI system.

In Greece, Law 4961/2022 introduced rules and obligations for organisations in both the private and public sectors that use AI systems, as outlined briefly below.

Obligations of public sector bodies

The use of AI systems by public sector bodies in the exercise of their functions, in decisions or actions that affect the rights of a natural or legal person, is permitted only if it is expressly provided for in a specific provision of law containing appropriate safeguards for the protection of those rights.

Before they become operational, public bodies must conduct an algorithmic impact assessment of the AI systems, and also have transparency obligations, consisting of the public provision of information on the exercise of the information rights of natural persons and the provision of information to the natural or legal persons concerned by the decision or the action in an intelligible and easily accessible form.

Each public sector body is required to keep a register of the AI systems it uses, including the information specified by the law. The register is updated annually and in any event when a new system is put into operation. Each public sector body shall make that register available to the National Transparency Authority upon request.

Obligations of private sector bodies

Before the first use of the AI system related to existing or prospective employees, each undertaking is required to provide said employees with relevant information.

Each medium-sized or large entity is required to establish and maintain an ethical data use policy and to keep a register of the AI systems it uses.

The law also provides for obligations of contractors in public contracts for the design or development of an AI system, regarding the provision of information to public bodies and to affected natural or legal persons, the delivery of the AI system to the operator with specified terms and the adoption of appropriate measures for the compatibility of the system with the legal framework.

Data Protection

Since AI systems analyse vast amounts of data to function and improve their performance, whenever personal data forms part of the large pools of data used in an AI system’s algorithmic decision-making process, this activity must abide by Law 4624/2019 and the GDPR.

Data subjects have the right to object to decision-making based solely on automated processing, including profiling. Where such decision-making exists, meaningful information about the logic involved in the process, as well as its significance and its envisaged consequences, should be provided to the data subjects.

According to Law 4961/2022, organisations must comply with all data protection requirements arising from the GDPR and this law. Specifically, they must carry out a Data Protection Impact Assessment, inform affected individuals and ensure that all data subjects’ rights are respected.

Liability

The Greek Civil Code sets out five conditions that need to be fulfilled for tortious liability to be attributable to a party:

  • human behaviour;
  • illegal action;
  • fault;
  • damage;
  • causal link between the behaviour and the damage.

Where a system operating in the spectrum of autonomy causes damage, a number of these conditions are challenging to substantiate, particularly determining a party’s fault and the causal link between the human behaviour and the damage that occurred. In addition, all AI technologies in Greece should meet the essential health and safety requirements laid down in the EU safety legislation, as it has been transposed into Greek law.

The EU product liability regime is complementary to the product safety regime. It was introduced by the Product Liability Directive (Directive 85/374/EEC) and was implemented by amendments to the Greek Consumer Protection Law 2251/1994. The existing framework is also applicable to new digital technologies. The Greek Consumer Protection Law establishes a strict liability regime under which producers of defective products are held liable when such products cause damage to natural persons or their property, while the injured consumers are not required to prove the fault of the producer.

So far, the current legal framework of extra-contractual liability can be applied to damages caused by AI. However, as the new generation of AI edges closer to operational autonomy and behavioural unpredictability through its capacity to analyse and learn from its environments, assigning legal responsibility for harmful actions is bound to present a point of contention across most jurisdictions, as the natural person at fault for damage caused by an AI system will become increasingly difficult to identify.

In the absence of a specific tortious liability regime covering advanced AI, businesses and organisations that aim to operate in the nascent AI scene in Greece should act in a proactive manner, contractually regulating liability for such systems and investing in insurance coverage.

Intellectual Property

Greek Copyright Law 2121/1993 is human-centric as it is traversed by the “principle of truth”, according to which only a natural person shall be considered as the author of a work.

The copyrightability of computer programs depends on whether they can be considered the “author’s own intellectual creation” – namely, where the author made “free and creative choices” while creating the work. Therefore, devices cannot be recognised as “authors”, and any work they produce cannot qualify as copyright-protected content.

Computer-generated and AI works may only be protected if the prerequisite of “human intervention” is fulfilled (ie, through the selection of the data to be entered into a machine or of the parameters determining the objective of the machine’s activity); inversely, works autonomously and exclusively produced by information technology systems are not copyrightable. Accordingly, non-humans are not awarded protection. The creation of works by AI systems in whole or in part is expected to pose significant challenges to IPR in the near future. However, it is not yet clear how such copyrights could be enforced or enjoy their own copyright protection.

There are two cases where legal persons are recognised as potential copyright holders over a work: for computer programs and for databases where it is clearly provided that the maker of a database enjoying the sui generis right over its content is either the natural or the legal person taking the initiative and bearing the risk of the “substantial investment”. Moreover, computer programs are excluded from patentability according to Law 1733/1987. The legal definition of an invention for which patent protection may be sought (including inventions embodied in software) requires novelty, inventive activity and the susceptibility of industrial application.

For all these reasons, and in the absence of a tailor-made legal framework, issues of ownership and the transfer of rights in such work should be regulated by contract, through appropriate and detailed contractual clauses.

In Greece, there is currently no specific legislation solely for governing the internet of things (IoT). However, chapters (B) and (C) of part (B) of Greek Law 4961/2022 on “Emerging information and communication technologies, strengthening digital governance and other provisions” contain definitions and provisions regarding the use of IoT technology.

According to Law 4961/2022, IoT is any technology that:

  • enables devices or a group of interconnected or related devices, through their connection to the internet, to perform automatic processing of digital data on a programmed basis, including technology that involves the interconnection of physical things, in particular appliances, vehicles and buildings, with electronic components, software, sensors, actuators, radio links and network connectivity; and
  • enables the collection and exchange of digital data in order to offer a variety of services to users, with or without human involvement.

Data Privacy

Law 4961/2022 mandates that the processing of personal data related to the operation of IoT technology devices shall be carried out in accordance with EU and Greek legislation, and in particular in accordance with the GDPR, Law 4624/2019 implementing several provisions of the GDPR and Law 3471/2006 on the protection of personal data and privacy in the sector of electronic communications.

In its annual report for 2021, the Hellenic Data Protection Authority (HDPA) noted that emerging technologies including IoT will affect compliance with the GDPR in the coming years. Cutting-edge issues such as risks from machine learning, facial recognition and profiling are high-priority issues for supervisory authorities.

Furthermore, during a seminar marking European Data Protection Day, the HDPA addressed issues related to personal data within the IoT context. Among the risks to privacy and personal data protection, the highlighted concerns included:

  • use for secondary purposes;
  • the creation of individual profiles;
  • detailed monitoring;
  • automated decision-making;
  • the lack of the possibility to remain anonymous;
  • the lack of security;
  • portability; and
  • issues of consent.

Cybersecurity

Law 4961/2022 provides that IoT devices shall be designed and developed in such a way as to achieve an appropriate level of cybersecurity throughout their lifecycle and to prevent attempts by unauthorised third parties to alter their use or performance, and shall incorporate measures to ensure an appropriate level of cybersecurity, such as:

  • the use of secure passwords;
  • timely updates of software from reliable sources;
  • the encryption of critical security data in transit, including remote access control and management data;
  • identification by the IoT operator of a public contact point to which users can report device security incidents; and
  • the provision of a vulnerability or security incident notification policy or procedure.

Law 4961/2022 also imposes legal obligations on manufacturers, importers, distributors and operators of IoT technology devices, as follows.

Manufacturers, importers and distributors

IoT devices intended to be made available to IoT operators must be accompanied by:

  • a declaration of conformity by the manufacturer, stating the conformity of the device with the technical safety specifications;
  • an instruction and safety information manual in terminology easily understood by end-users – the instructions shall include the information required for the safe installation, configuration and operation, depending on the intended use of the device, as well as a record of possible risks in case of non-compliance; and
  • a procedure for the management of cases where an incident or a security vulnerability is identified by users – the management process shall include appropriate documentation from the manufacturer on the nature and likely occurrence of such incidents or vulnerability, detailed instructions for dealing with them, and appropriate measures to mitigate any adverse consequences.

Before making the IoT device available to IoT operators, importers and distributors must verify that the device is accompanied by the declaration of conformity. When they become aware that an IoT device does not conform with the technical safety specifications, importers and distributors shall refrain from making such device further available until it does.

If the National Cybersecurity Authority (NCA) finds that an IoT device presents a risk relating to the security of its operation or to the security of the operator’s network and information systems, despite complying with the necessary technical security specifications, it orders the manufacturer, importer and distributor to take all necessary measures to withdraw the device within a reasonable period of time, depending on the nature of the risk, and to ensure that the device will not present a risk when made available again to the IoT operator.

IoT operators

Law 4961/2022 introduces measures for the transparent and safe operation of IoT devices used by essential service operators and digital service providers acting as IoT operators. Such IoT operators are required to use IoT technologies in accordance with the technical security specifications, including cybersecurity measures specified by law, and bear several obligations under this legislation.

  • Operators are required to designate an IoT Security Officer to be responsible for monitoring the proper implementation of the technical and organisational measures, and for maintaining the log created by the device for a reasonable period of time, in accordance with the purpose of its use.
  • Operators must keep a register of the IoT technology devices they use (the “register of connected devices”), which must be updated on an annual basis and, in any case, when they start using a new IoT device. This register is made available to the NCA or the competent response team when requested.
  • Transparent information: IoT operators must ensure that users of IoT devices are provided with information on their secure installation, configuration and operation in a concise, transparent, intelligible and easily accessible form, as well as detailed instructions for checking device security. They must also ensure that users are involved in the installation and operation of the devices as little as possible.
  • If the IoT Security Officer suspects that an IoT device presents a risk, they shall make a recommendation to the operator, who shall in turn inform the NCA, the competent response team, the manufacturer, the importer and the distributor of the device and suspend the use of the device to the extent necessary.
  • Upon being notified by the NCA, IoT operators must without delay suspend the use of any IoT device that the NCA has found presents a risk relating to the security of its operation or to the security of the operator’s network and information systems, despite complying with the necessary technical security specifications.
  • IoT operators must carry out an impact assessment of the envisaged processing operations of personal data related to the operation of the IoT device, in accordance with Article 35 paragraph 1 of the GDPR.

National Cybersecurity Authority

The NCA is the competent authority for supervising compliance with the IoT security framework. Its powers include:

  • overseeing the compliance of IoT manufacturers, importers, distributors and operators with their obligations and requesting all necessary information;
  • assessing the conformity of IoT devices with the technical specifications;
  • receiving notifications from IoT operators about incidents or vulnerabilities;
  • ordering IoT device manufacturers, importers or distributors to take all necessary corrective action to bring devices into conformity with the applicable legislation; and
  • ordering devices presenting risks to be temporarily withdrawn from the market and replaced only after such risks have been removed.

Upon the recommendation of the NCA, the competent body of the Ministry of Digital Governance may impose sanctions on non-compliant manufacturers, importers, distributors and operators – ie, recommendations, reprimands and fines of up to EUR15,000 or, in case of recurrence, up to EUR100,000.

Ministerial decisions shall specify the technical specifications and technical and organisational security measures of IoT devices, the obligations of manufacturers, importers, suppliers and operators of such products, and sanctions in case of non-compliance.

The main requirements for providers of audio-visual media services falling within the Greek jurisdiction, pursuant to Articles 7–30 of Greek Law 4779/2021, include the following.

  • Ensuring that identification/contact information of the provider is easily, directly and permanently accessible to the recipients of the service.
  • Ensuring that the service does not contain any incitement to violence or hatred against a group of persons or a member of a group identified on the basis of race, colour, national or ethnic origin, descent, ancestry, religion, disability, sexual orientation, identity or gender characteristics.
  • Ensuring the protection of minors, in terms of providers not making available content that could be harmful for their physical, mental or moral development. Measures may include appropriate age marking, selection of the time of the broadcast and age verification tools. Unjustified violence and pornography shall be subject to stricter measures. Minors' personal data cannot be processed for commercial purposes, such as direct marketing, profiling and behaviourally targeted advertising.
  • Gradually making the service accessible to people with a visual or hearing disability (in particular, with the subtitling of programs and the use of sign language, auditory descriptions and spoken subtitling).
  • Complying with multiple regulations with regard to audio-visual commercial communications, sponsorships, product placement, television advertising and teleshopping.

Fewer requirements apply to companies with video-sharing platform services falling within the Greek jurisdiction, and some refer to the same issues as for providers of audio-visual media services. In particular, in accordance with Article 32 of Law 4779/2021, companies with video-sharing platform services are required to take appropriate measures to protect minors from content that may have a negative impact on their physical, mental or moral development, a set of which is provided in the legislation. The obligation to protect the general public from content that incites violence or hatred against a group of persons or a member of a group identified on the basis of race, colour, national or ethnic origin, descent, ancestry, religion, disability, sexual orientation, identity or gender characteristics is also provided. Fewer obligations are provided in relation to audio-visual commercial communications.

While not required, both providers of audio-visual media services and companies with video-sharing platform services are encouraged to establish national codes of conduct with the particular aim of further protecting consumers, minors, public health and healthy competition (Article 6 of Law 4779/2021).

Pursuant to Law 4339/2015, licences for digital terrestrial free-to-air TV are granted by way of public auction. This procedure is carried out by the National Council for Radio and Television (ESR), which issues the relevant notice. The notice specifies the conditions and the procedure for granting licences to content providers.

To qualify for participation in the auction, the applicants shall meet the following conditions set out in Articles 3–10 of Law 4339/2015:

  • minimum share capital;
  • registered shares;
  • legal form;
  • non-conviction of shareholders and members of the board for certain crimes;
  • not having entered into liquidation or insolvency procedures;
  • compliance with tax and insurance obligations;
  • the presentation of evidence regarding the source of the financial means available for the operation of the company; and
  • not exercising control over another company operating in the same media sector.

There are also some content requirements, mainly of a qualitative nature.

The tender procedure is conducted in accordance with the applicable Frequency Map of terrestrial digital broadcasting of television signals, which sets out in detail the frequencies, the transmission restrictions imposed on network providers and the permitted broadcasting centres, as well as their geographic coverage area and the technical specifications that network providers must satisfy.

The auction is carried out by way of a multi-round procedure with an increasing price on the starting price fixed in accordance with Article 2(4) of Law 4339/2015. The auction ends on the date of the proclamation of the successful bidders. The relevant notice of the ESR determines:

  • the duration of each round;
  • the determination of the increase of the bid price per round;
  • the obligations of the participants;
  • the method of submitting offers by the participants;
  • the announcement of the successful bidders;
  • the method of payment of the price; and
  • any other necessary details for its conduct.

TV services delivered over IP-based broadband networks are regulated by Law No 3592/2007, which is a lex specialis in relation to Law 2644/1998. Article 15 paragraph 3 of said law provides that services delivered via broadband networks qualify both as electronic communication services and as radio/TV services. As such, for the provision of those services, not only is approval from the ESR required, but also a General Authorisation from the Hellenic Telecommunications and Post Commission (EETT).

The licensing framework for pay-TV and radio services via satellite, cable or frequencies is outlined in Law 2644/1998, as amended. Licences to provide subscription radio and TV services are held only by Sociétés Anonymes. Licences are granted by decision of the ESR and the conclusion of a concession agreement with the Greek State, excluding the provision of linear television services through broadband networks, for which Article 15 of Law 3592/2007 applies. Fees vary according to the number of channels.

Local telecommunications rules that apply to electronic communication networks (ECNs) and electronic communication services (ECSs) include Law 4727/2020 – “Digital Governance (Transposition into Greek Legislation of Directive (EU) 2016/2102 and of Directive (EU) 2019/1024) – Electronic communications (Transposition into Greek Legislation of Directive (EU) 2018/1972) and other provisions” – and relevant decisions of the EETT.

Regardless of the specific technologies used to provide a network or a service, the applicability of the regulatory framework for electronic communications depends on whether the technology falls within the scope of ECNs and/or ECSs. ECNs encompass all transmission systems, whether or not they are based on a permanent infrastructure or a centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements that are not active, used to convey signals, operated for public or private use, including wireless networks (eg, mobile, Wi-Fi), cable (eg, IP broadband network) and electricity cable systems, to the extent that they are used for transmitting signals, networks used for radio and television broadcasting, and cable television networks, regardless of the type of information conveyed.

ECSs encompass any service normally provided for remuneration via ECNs, including the following types of services, with the exception of services providing or exercising editorial control over content transmitted using ECNs and ECSs:

  • internet access service;
  • interpersonal communications service; and
  • services consisting wholly or mainly of the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.

In Law 4727/2020, the definition of “electronic communications service” was expanded to include any interpersonal communications services provided over the internet, including VoIP services, messaging apps and email services that do not use telephone numbers, and number-based interpersonal communications services – ie, interpersonal communications services that connect with publicly assigned numbering resources (namely, a number or numbers in national or international numbering plans) or that enable communication with a number or numbers in national or international numbering plans.

Activity of any kind relating to the provision of electronic communications networks and/or services within the territory of Greece, with the exception of number-independent interpersonal communications services, shall be subject to a General Authorisation, in the form of a Registration Declaration to the EETT. Electronic communications activities may commence immediately upon filing a complete Registration Declaration and paying the applicable administrative fees. ECN providers pay annual fees for their General Authorisation.

Where the electronic communications activity is subject to the granting of rights to use numbers or radio frequencies, the person concerned must also obtain the required rights to use numbers or radio frequencies, in addition to the General Authorisation, before proceeding with the activity in question. More specifically, the conditions attached to the use of radio frequencies for which no granting of individual rights is required due to the fact that the risk of harmful interference is negligible are determined in the Regulation on the Terms of Use of Radio Frequencies issued by the EETT. With the exception of free spectrum bands for all wireless services, an individual right to use frequencies is required and is granted by the competent authorities upon a relevant request being made. If there is a limited number of rights of use of frequencies, the EETT usually awards them through auctions. ECN providers pay annual fees for the rights to use spectrum and numbering resources. Spectrum licences and applicable secondary legislation specify the permitted use and the technical characteristics of the equipment that may be used, taking into account the principle of proportionality and technological neutrality.

According to Law 4070/2012 and Law 4727/2020, the EETT is the competent authority for issues concerning conditions of use and the placing on the market of terminal and radio equipment, which is regulated in Greece by Presidential Decree 98/2017, transposing Directive 2014/53/EU (RED). Radio equipment includes all electrical or electronic products that deliberately broadcast and/or receive radio waves for radio-communication and/or radio-tracking purposes, or electrical or electronic products that have to be completed with a component (ie, an antenna) so as to broadcast and/or receive radio waves for radio-communication and/or radio-tracking purposes. The provisions of PD 98/2017 are not applicable to radio equipment used exclusively for activities related to public security, defence and state security. Radio equipment has to be labelled according to PD 98/2017 and Directive 2014/53/EU, and must be constructed to meet the following essential requirements:

  • the protection of the health and safety of persons and of domestic animals, and the protection of property;
  • the adequate level of electromagnetic compatibility; and
  • effective support for the efficient use of radio spectrum in order to avoid harmful interference.

Restrictions on putting into service and authorisation of use requirements must be presented according to Regulation (EU) 2017/1354. No regulatory fees apply to this procedure.

The electrical, electronic and telecommunication terminal equipment used must comply with the provisions in force (such as the Low-Voltage Directive 2014/35/EU and the Electromagnetic Compatibility Directive 2014/30/EU, which have been incorporated into Greek law with the joint ministerial decisions Oik 51157/DTBN 1129/2016 and Oik 37764/873/F342/2016, respectively).

ECN providers are obliged to use radio equipment that allows for the efficient exploitation of the spectrum allocated in order to avoid harmful interference and to comply with the equipment standards established by the national and European authorities and the European Telecommunications Standards Institute.

Finally, all telecoms operators are obliged to obtain the appropriate licences for every antenna they use. The relevant framework was reviewed with Law 4635/2019 and EETT’s Regulation 919/26/2019.

Licensing Model

In Greece, technology agreements are mainly regulated by the Civil Code and the Commercial Code; as an EU member state, Greece also adheres to EU legislation.

Key Issues

Scope of the agreement

Although technology agreements usually take the form of software licences, some are much more complex. In many cases, the organisation procuring the technology services provides a solution that includes multiple components. This is important to bear in mind when drafting a technology agreement so as to avoid any ambiguity, to explicitly describe the parties’ obligations, to include charges covering all the components and to foresee all possible risks that may lead to a breach of contract or exposure to liabilities. Depending on the technology agreement, various chapters of the Civil Code may be applicable (ie, sales contracts, work contracts, service contracts). Due to the rapid development of technology and services provided via the internet, one of the challenges is the impossibility of fitting these agreements within the categories of Greek legislation.

Customisation

Some companies prefer a customised IT solution not through a licensing model, but through a software development agreement or an SaaS agreement (or PaaS). Other companies prefer the licensing agreement with the customisation it offers; this customisation, alongside the integration that may be required, creates a new set of provisions that need to be included in the agreement, especially referring to timelines, failures, rectifications and quality controls. In certain regulated industries, such as banking, the entities involved provide a complete set of services that an interested party may outsource to them, including technology services, applicable licences, monitoring, etc (ie, banking as a service). This type of agreement is not yet commonplace among the IT service providers established in Greece. However, due to the development of new technologies, such as AI and cloud computing, technology agreements are expected to be used frequently in the near future.

Recipient of the technology service (B2B and B2C)

A significant factor to consider is whether an IT solution will ultimately be addressed to other businesses (B2B) or to consumers and individuals (B2C). In the first case, contracts between professionals are generally ruled by the parties’ freedom of contract. In the second case, however, apart from the applicable Greek law, an elaborate body of consumer laws is in place, primarily driven by EU initiatives and instruments, prohibiting unfair terms, abusive clauses and under-negotiated clauses.

Maintenance

Service level agreements must be carefully drafted to include such items as the availability uptime, back-ups, disaster recovery, schedules of maintenance, and support means and response times, while taking into account business continuity and the possibility of termination of the agreement.

Intellectual property

Software, computer programs and databases are protected by Greek Copyright Law 2121/1993, and are considered intellectual creations of speech, art or science. Databases are also protected under the above law by a sui generis right, which protects the investment of manufacturers of databases. Therefore, the protection of copyright works in technology agreements (ie, software and databases) is also based on specific provisions of Greek legislation, in addition to the Civil Code.

IPR warranty and indemnities

One of the clauses that has traditionally been included in almost all software and IT-related agreements, on the IPR warranty and the provision of indemnity from the original provider, remains a necessity today, even in cloud computing agreements. The risk of a third party claiming ownership of software licensed to the organisation and thus prohibiting use of the licensed software and interrupting the business continuity is still present, and should be taken into account for indemnity provisions.

Data protection

Technology agreements often involve the processing of personal data. In these cases, the data protection legal framework in Greece must be taken into account and the parties must comply with their relevant obligations. Specifically, they shall:

  • appoint the contractor as processor (Article 28 of the GDPR);
  • define and implement technical and organisational measures;
  • define the liability regime of the contracting parties; and
  • limit the transfer of personal data outside the EEA, unless adequate safeguards are put in place.

Liabilities

All software and technology services or technology agreements include clauses that limit the liability of the provider. A technology agreement must therefore include back-to-back provisions that fully cover intermediary parties (in B2B cases) and end-customers (in B2C cases) against the original provider of the service. The clause setting a liability cap for the provider is of major importance – this cap is usually a multiple of the contract value.

From a judicial point of view, in B2C agreements, clauses that extensively limit the liability of the professional against the consumer – especially if they have not been negotiated – are usually considered abusive and, thus, null and void. On the other hand, in B2B agreements under which the parties usually demonstrate similar bargaining powers, the parties’ freedom of contract prevails, unless one party has acted maliciously or in a grossly negligent manner, or has acted without previous experience and knowledge in this type of agreement, thus demonstrating a disadvantage in bargaining.

In Greece, it is common practice for the parties that offer IT services to have insurance coverage, in order to safeguard their business in case of breaching events, such as cyber liabilities, data protection (personal data breaches) and network disruptions. The existence of these insurance agreements can increase the cost of the provision of the IT services, but they appear to be necessary in the contemporary international technology landscape. This becomes more significant in cases where the IT services are provided to regulated and supervised entities.

The legal framework regulating the delivery of trust services, the use of electronic signatures and digital identity schemes in Greece consists mainly of the Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation), which came into direct effect for all EU member states on 1 July 2016, including Greece, and the ninth chapter (Articles 48–58) of Law 4727/2020 and the Regulation of the EETT on the provision of Trust Services (Decision No 837/1Β/2017), which complement the provisions of the eIDAS Regulation. Also, Law 4727/2020 provides that the Ministry of Digital Governance is responsible for determining the necessary institutional and regulatory framework for trust services.

With a view to ensuring the proper functioning of the internal market while aiming at an adequate level of security for electronic identification means and trust services, Regulation (EU) 910/2014 lays down the conditions under which member states recognise electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another member state. It also lays down rules for trust services, particularly for electronic transactions, and establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.

The Regulation defines “trust services” as the electronic services normally provided for remuneration and consisting of:

  • the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services;
  • the creation, verification and validation of certificates for website authentication; or
  • the preservation of electronic signatures, seals or certificates related to those services.

Moreover, the Regulation refers to qualified trust services – ie, trust services meeting the applicable requirements laid down in this Regulation.

Trust services are provided by a “trust service provider” – ie, a natural or legal person who provides one or more trust services either as a qualified or non-qualified trust service provider. A “qualified trust service provider” is a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body. In Greece, the supervisory body is the EETT, which also maintains an electronic record of trust service providers established in Greece.

Regulation (EU) 910/2014 and EETT decisions provide specific security requirements for trust service providers, which must take the appropriate technical and organisational measures for the security of their trust services and inform the EETT of any breach of security or loss of integrity that has a significant impact, within 24 hours of the incident.

Both the Regulation and the national law provide that trust service providers shall be liable for damage caused intentionally or negligently to any natural or legal person due to a failure to comply with their obligations. The burden of proving the intention or negligence of a non-qualified trust service provider shall lie with the natural or legal person claiming the damage, while the intention or negligence of a qualified trust service provider shall be presumed unless that qualified trust service provider proves that the damage occurred without their intention or negligence.

Where trust service providers duly inform their customers in advance of the limitations on the use of the services they provide and where those limitations are recognisable to third parties, trust service providers shall not be liable for damages arising from the use of services exceeding the indicated limitations. According to the Regulation, a qualified trust service provider providing qualified trust services must maintain sufficient financial resources and/or obtain appropriate liability insurance.

The processing of personal data shall be carried out in accordance with the GDPR and Law 4624/2019. Where feasible, trust services provided and end-user products used in the provision of those services shall be made accessible for persons with disabilities.

In case of violation of the legislation regarding trust services, the EETT, after hearing the interested parties, may impose one or more of the following sanctions, depending on the gravity of the violation:

  • recommendation;
  • a fine up to EUR100,000; and/or
  • the suspension or revocation of the rights deriving from the relevant EETT decisions for serious and repeated violations.

Electronic Signatures

An electronic signature is defined as data in an electronic form that is attached to or logically associated with other data in electronic form, and that is used by the signatory to sign. The Regulation provides for two particular types of electronic signatures:

  • advanced electronic signatures – ie, electronic signatures that are:
    1. uniquely linked to the signatory;
    2. capable of identifying the signatory;
    3. created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control; and
    4. linked to the data signed therewith in such a way that any subsequent change in the data is detectable; and
  • qualified electronic signatures – ie, advanced electronic signatures that are created by a qualified electronic signature creation device, and that are based on a qualified certificate for electronic signatures.

A qualified electronic signature has the equivalent legal effect of a handwritten signature. This means that where the law or the agreement of the parties provides for the use of written form, the document with the electronic signature has the status of a private document within the meaning of Article 160 of the Civil Code and is considered, by law, as a private document according to Article 443 of the Civil Procedure Code.

The legal effect and admissibility of the simple electronic signature as evidence in legal proceedings shall not be denied under the Regulation. However, a simple electronic signature cannot be considered equivalent to a handwritten signature, since that would be contrary to Article 25, Section 2 of the Regulation, and therefore it cannot be used as a substitute for the electronic signature in legal transactions where using the written form is mandatory. In this context, Article 16 of Law 4727/2020 expressly states that an electronic document bearing a simple or advanced electronic signature or an advanced electronic seal of its issuer constitutes a mechanical representation, within the meaning of Article 444 of the Civil Code – ie, a medium used by a computer or a computer’s peripheral memory, to record, store, produce or reproduce, by electronic, magnetic or other means, information that is not directly readable, as well as any magnetic, electronic or other material on which information, images, symbols or sound are recorded, provided that these materials are intended or suitable to provide proof on facts of legal significance.

However, in cases where the use of written form is required and therefore a private document must have the handwritten signature of its issuer in order to produce evidence, a qualified electronic signature or a qualified electronic seal is required. Electronic documents with a simple or advanced electronic signature are freely evaluated as legal evidence, based on the applicable procedural provisions.

Digital Identity

Following the European Commission's proposal for the creation of a framework for a European digital identity, the European Parliament and the Council of the EU have reached a final agreement on the Regulation introducing European Digital Identity Wallets, which is now subject to formal approval by the European Parliament and the Council. The Regulation to be issued will amend the eIDAS Regulation.

The European Digital Identity will be available to EU citizens, residents and businesses that want to identify themselves or provide confirmation of certain personal information. It can be used for both online and offline public and private services across the EU. Every EU citizen and resident in the EU will be able to use a personal digital wallet. Member states will have to provide EU Digital Identity Wallets to their citizens 24 months after the adoption of the Implementing Acts setting out the technical specifications for the EU Digital Identity Wallet and the technical specifications for certification.

In Greece, Gov.gr Wallet enables the creation, storage and control of citizens' digital documents. Digital ID cards, digital driving licences, digital disability cards, digital employment agency cards and digital ring cards are already supported. The digital documents issued through Gov.gr are fully equivalent to the paper documents, for any legal use within the Greek territory. They are not international travel documents. To create these documents, citizens connect with their personal TaxisNet codes, and a confirmed mobile phone number is required.

Nikolinakos & Partners Law Firm

182, Mesogeion Avenue
P.C.15561
Athens
Greece

+30 2130 020 020

nikolinakos@nllaw.gr www.nllaw.gr