The digital economy in Greece is governed by the following national laws and EU regulations:

• the e-Commerce Directive (2000/31/EC) was incorporated via Presidential Decree 131/2003 and sets the rules for service providers, e-contracting and platform liability;
• the EU Digital Services Act (DSA) updates the e-Commerce Directive, addressing illegal content and intermediary liability, and was implemented through Law 5099/2024, with the Telecommunications & Post Commission of Greece (EETT) as co-ordinator;
• the Consumer Protection Law 2251/1994 defines supplier obligations and incorporates Directives 2019/770 and 2019/771 on digital content and goods;
• the EU Digital Markets Act regulates large platforms to ensure fair competition;
• Law 4961/2022 creates a framework for AI, IoT, blockchain and 3D printing;
• the Cybersecurity Law 5160/2024 implements the NIS2 Directive to enhance cybersecurity;
• the EU Data Governance Act (2022/868) promotes secure, harmonised data sharing; and
• the EU Data Act (2023/2854) regulates data access and sharing.

The Data Governance Act and the Data Act are expected to be incorporated into national law.

Electronically supplied services and goods are subject to VAT in Greece when the recipient of the service or goods is established in Greece, regardless of the place of establishment of the provider. The standard VAT rate in Greece is 24%. Proper VAT handling is crucial to avoid penalties for non-compliance.

Non-resident businesses must charge and collect Greek VAT and remit it to the Greek tax authority, and must register for VAT purposes in the country in order to provide B2C services or goods. Foreign companies can avoid VAT registration in Greece by using the EU One Stop Shop (OSS), which allows businesses to register electronically in one member state and file a single VAT return for all eligible sales of goods and services across all member states. The tax authority of the member state of registration will then remit the tax owed to the Greek tax authorities.

In B2C transactions, suppliers established in Greece shall tax the relevant services and goods in Greece if recipients are residents in another member state and the total amount of the transactions carried out, excluding VAT, does not exceed EUR10,000 during the current calendar year and did not exceed that amount during the previous calendar year, unless the suppliers choose otherwise. Similarly, services and goods are not taxable in Greece if the supplier established in another member state meets similar conditions in that member state, unless they choose otherwise, even if the recipient is a Greek resident.

For B2B transactions, VAT is handled via the reverse charge mechanism.

The question of whether and to what extent advertising through the websites of providers (usually large multinational companies) constitutes the accrual of royalties or a simple commercial transaction concerns both providers and advertisers.

In a recent decision (811/2023), the Complaints Settlement Directorate of the Greek Independent Authority for Public Revenue ruled that advertising services via websites and applications, with the use of special software allowing the selective display of advertisements to visitors belonging to certain groups of consumers, based on criteria such as age, gender or consumption habits, constitutes the accrual of royalties, which is subject to withholding tax. Similarly, in 2016, the Ministry of Finance answered a relevant question that the use of software of a platform for the registration of advertisements is included in the concept of royalties. In this regard, it has been held that the Greek authorities understand anything digital or connected to the internet as software, and thus deem the use of software to involve the accrual of royalties.

The practical implication of whether or not advertising through digital platforms constitutes the accrual of royalties is that income from royalties is subject to withholding tax at a national rate of 20% or at the rate provided for by the double taxation agreement (DTA) in force, while on commercial transactions there is no issue of withholding tax. Legal entities that are not tax residents and do not maintain a permanent establishment in Greece are, in principle, not subject to tax in Greece on income they acquire from sources in Greece. However, income from royalties acquired by these entities is subject to tax in Greece. In practice, the withholding tax that is applied to the above income exhausts their tax liability. If these entities are residents of a state with which there is a DTA in force, the provisions of the agreement shall apply.

Consumer Protection Laws Applicable to the TMT Sector

The following consumer protection laws apply to digital goods and services relevant to the TMT sector, covering various aspects regarding consumer rights and sellers’ obligations:

• Law  4967/2022, which transposed Directive (EU) 2019/770 on contracts for the supply of digital content and digital services and Directive (EU) 2019/771 on sales of goods and the Consumer Protection Law and the Civil Code, as amended; and
• Presidential Decree 131/2003, which transposed the e-Commerce Directive.

Consumer protection issues are specifically regulated in the electronic communications sector. In particular, EETT ensures compliance with consumer rights in electronic communications under its Decision 991/4/17.05.2021 (“Regulation On General Authorisations”), by directly referring to the application of the Consumer Protection Law for various issues and by adding specific provisions on the necessary information of the contracts concluded between consumers and the providers of electronic communication networks and/or services. In light of the above, EETT has also issued a Code of Conduct for the provision of electronic communications services to consumers. EETT establishes specific obligations for providers prior and during their contractual relationship with consumers.

Companies can ensure they uphold consumer rights in the digital economy by:

• not using false/misleading descriptions on the goods and services offered;
• using transparent pricing calculations and other costs;
• adopting clear and easily understood terms and conditions in contracts, and not including unfair terms of use;
• stating the consumers’ legal rights and offering efficient customer service options for consumer complaints; and
• not adopting unfair commercial practices.

Resolution of Consumer Complaints in the Digital Economy

Apart from a potential litigation process or the successful resolution of the issue through communication between the consumer and the seller, pursuant to the provisions of Joint Ministerial Decision 70330/9.7.2015, alternative consumer dispute resolution is a method of out-of-court dispute resolution in the digital economy. A neutral third party – the dispute resolution body (eg, the Greek Consumers' Ombudsman) – helps parties find an out-of-court solution on consumer complaints. For disputes with a seller established within the EU or the UK, online dispute resolution under the provisions of Regulation 524/2013 is also provided, with the European Consumer Centre of Greece being the relevant contact point.

In Greece, the use of cryptocurrency in the TMT sector is limited, but its impact is expected to grow as cryptocurrencies and blockchain offer new possibilities for payments and secure data exchanges. In the media sector, blockchain could enable new financing models for journalism, but also raises concerns over copyright and transaction legality. However, challenges such as the lack of regulatory frameworks, non-recognition of cryptocurrencies as legal tender, and issues of user security hinder broader adoption.

Blockchain presents both opportunities and challenges in areas like data protection, IP, consumer protection and civil law. Legal difficulties arise from blockchain’s decentralised nature, which complicates compliance with the GDPR, IP protection and consumer rights enforcement. Smart contracts and borderless transactions create jurisdictional issues, while the risk of money laundering and terrorist financing prompts regulatory efforts, including the EU Anti-Money Laundering Directive.

Despite the regulatory gaps, blockchain offers significant potential for innovation, including potential for improving data security, IP management and fraud reduction, and for automating legal processes via smart contracts.

Recent laws, such as Law 4961/2022 and Law 5113/2024, define blockchain and distributed ledger technology, establishing provisions for their use in Greece. The AML Law (Law 4557/2018) defines virtual currencies and sets regulations for service providers. In addition, the EU’s MiCA Regulation introduces stricter rules for crypto-assets, including investor protection and transparency requirements.

Law 4727/2020 defines cloud computing as a flexible service model providing shared resources based on user needs. It identifies three cloud models:

• Public, which is available to any customer, and managed by the provider;
• Private, which is exclusively for one organisation, and is managed in-house or by a third party; and
• Hybrid, which combines multiple models, ensuring interoperability.

The Ministry of Digital Governance oversees cloud adoption in the public sector, including creating a digital marketplace for cloud services.

Public administration prioritises cloud solutions via systems like G-Cloud, RE-Cloud and H-Cloud for government, education and health, with the aim for all public systems to migrate eventually.

In the financial sector, Acts 2577/2006 and 2597/2007 govern cloud use, aligning with GDPR where applicable.

In terms of data protection, GDPR and Law 4624/2019 regulate personal data in cloud services, requiring transparency, security and defined roles for controllers and processors.

In terms of cybersecurity, Law 5160/2024 incorporates the NIS2 Directive, mandating cloud providers to ensure security, conduct risk assessments, and report incidents to authorities.

AI-Related Laws

The AI Act (Regulation EU 2024/1689) introduces a risk-based framework categorising AI systems as unacceptable, high or low risk, with strict requirements for high-risk systems, including transparency and accountability.

Law 4961/2022 imposes obligations on public and private entities using AI systems.

Deepfake Technologies

Greece lacks specific regulations on deepfakes, but the AI Act mandates transparency for AI systems generating or manipulating deepfake content. Misuse may fall under existing laws covering:

• the dissemination of false information;
• defamation;
• GDPR personal data violations;
• personality rights violations; and
• intellectual property infringement.

AI in Transport

Autonomous vehicles

Ministerial Decision 393352/2022 permits driverless vehicles only for research in pilot programmes, requiring Municipal Council approval. Operations are limited to specific routes, periods and a 30 km/h speed limit, supervised by a legally designated driver.

Unmanned aircraft systems (UAS)

EU Regulations 2019/945 and 2019/947 govern UAS safety, privacy and data protection. Greece aligns with these rules under HCAA Decision Δ/ΥΠΑ/21860/1422, defining obligations based on UAS categories (“open”, “specific”, “certified”). Liability is addressed by the Greek Civil Code and the Consumer Protection Law.

Drone delivery services

Article 12A of Law 4053/2012 regulates UAS for postal services. Licensed providers require EETT approval, with technical and safety standards set by the Minister of Digital Governance in consultation with EETT and the Civil Aviation Authority.

Liability

AI liability in Greece is addressed case-by-case under existing laws, as follows.

• Product liability: Law 2251/1994 imposes strict liability on producers for defective products. Directive (EU) 2024/2853 will replace it by December 2026.
• Civil liability: the Greek Civil Code (Articles 914, 932) governs damages, requiring proof of fault, illegal action and causality, although autonomous systems complicate fault attribution.

Insurance

In Greece, IT service providers typically have general civil liability coverage, which can cover AI systems.

Transparency

AI transparency is governed by the following EU and national laws:

• the AI Act requires transparency for high-risk AI systems, general-purpose models and systems generating synthetic or deepfake content, ensuring that users are informed and that AI-generated content is labelled as such; and
• Law 4961/2022 mandates that medium and large enterprises must maintain AI system registers and disclose decision-making parameters for systems affecting employee or consumer decisions.

Data Protection

AI systems must comply with GDPR and Law 4624/2019.

Intellectual Property

Under the Greek Copyright Law 2121/1993, computer-generated and AI works may only be protected if the prerequisite of “human intervention” is fulfilled (ie, through the selection of the data to be entered into a machine or of the parameters determining the objective of the machine’s activity); inversely, works autonomously and exclusively produced by information technology systems are not copyrightable.

Jurisdiction

• Brussels I Regulation: jurisdiction lies with the member state where harm occurs (eg, Greek courts for harm in Greece).
• Rome II Regulation: non-contractual disputes follow the law of the harm's location.
• GDPR: applies to entities processing EU residents' data, even outside the EU.
• AI Act: extends to non-EU entities if their AI impacts the EU, including Greece.

Fundamental Rights

AI-related fundamental rights in Greece are based on:

• the Greek Constitution, which protects dignity, equality, data protection and freedom of expression;
• GDPR and Law 4624/2019, which ensure personal data rights;
• Law 4443/2016, which promotes equality and non-discrimination;
• Law 4961/2022, which mandates algorithmic impact assessments for public entities and data ethics policies for private companies; and
• the AI Act, which requires Fundamental Rights Impact Assessments for high-risk AI systems.

In November 2024, the Ministry of Digital Governance listed the authorities with power to ensure compliance with these rights, including:

• the Hellenic Data Protection Authority (HDPA);
• the Greek Ombudsman;
• the Hellenic Authority for Communication Security and Privacy (ADAE); and
• the National Commission for Human Rights.

According to Law 4961/2022, IoT is any technology that:

• enables devices or a group of interconnected or related devices, through their connection to the internet, to perform automatic processing of digital data on a programmed basis, including technology that involves the interconnection of physical things, in particular appliances, vehicles and buildings, with electronic components, software, sensors, actuators, radio links and network connectivity; and
• enables the collection and exchange of digital data in order to offer a variety of services to users, with or without human involvement.

National Cybersecurity Authority (NCSA)

The NCSA is the competent authority supervising compliance with the IoT security framework. Its powers include:

• overseeing the compliance of IoT manufacturers, importers, distributors and operators;
• assessing the conformity of IoT devices with the relevant technical specifications;
• receiving notifications from IoT operators about incidents or vulnerabilities;
• ordering corrective action to bring devices into conformity with the applicable legislation; and
• ordering devices presenting risks to be temporarily withdrawn from the market and replaced only after such risks have been removed.

Data Protection

Law 4961/2022 provides that personal data processing related to the operation of IoT technology devices must be carried out in accordance with EU and Greek data protection legislation.

Law 4961/2022 imposes legal obligations on manufacturers, importers, distributors and operators of IoT devices.

Manufacturers, Importers and Distributors

IoT devices intended to be made available to operators must be accompanied by:

• a declaration of conformity by the manufacturer;
• an instruction and safety information manual in terminology easily understood by end users; and
• a procedure for the management of cases where an incident or a security vulnerability is identified by users.

Before making the IoT device available to operators, importers and distributors must verify that the device is accompanied by the declaration of conformity. When they become aware that a device does not conform with the technical safety specifications, they must refrain from making the device further available until it does.

If the NCSA finds that an IoT device presents a security risk despite complying with the necessary technical security specifications, it orders the manufacturer, importer and distributor to take all necessary measures to withdraw the device within a reasonable period of time, and to ensure that the device will not present a risk when made available again.

IoT Operators

Law 4961/2022 introduces measures for the transparent and safe operation of IoT devices used by essential service operators and digital service providers. Such IoT operators are required to use IoT technologies in accordance with the technical security specifications, including cybersecurity measures, and bear several obligations.

• Operators are required to designate an IoT Security Officer, to be responsible for monitoring the proper implementation of the technical and organisational measures, and for maintaining the log created by the device for a reasonable period of time.
• Operators must keep and update a register of the IoT technology devices they use. This register is made available to the NCSA or the competent response team when requested.
• IoT operators must ensure that users of IoT devices are provided with information on their secure installation, configuration and operation, as well as detailed instructions for checking device security. They must also ensure that users are involved in the installation and operation of the devices as little as possible.
• If the IoT Security Officer suspects that an IoT device presents a risk, they shall make a recommendation to the operator, who shall in turn inform the NCSA, the competent response team, the manufacturer, the importer and the distributor of the device and suspend the use of the device to the extent necessary.
• Upon being notified by the NCSA, IoT operators must suspend the use of any IoT device that presents a security risk despite complying with the necessary technical security specifications.
• IoT operators must carry out an impact assessment of the envisaged processing operations of personal data related to the operation of the IoT device.

Cybersecurity

IoT devices must be designed and developed in such a way as to achieve an appropriate level of cybersecurity throughout their lifecycle and to prevent attempts by unauthorised third parties to alter their use or performance, and must incorporate measures to ensure an appropriate level of cybersecurity.

Administrative Sanctions

The competent body of the Ministry of Digital Governance may impose sanctions for non-compliance – ie, recommendations, reprimands and fines of up to EUR15,000, or up to EUR100,000 in case of recurrence.

Legislation in Greece has not yet delineated specific requirements with respect to data sharing in the context of IoT. The application of the EU Data Act is expected to significantly alter the regulatory framework and improve access to data in the EU market.

Main Requirements

Pursuant to the provisions of Greek Law 4779/2021 and provided that they fall within the Greek jurisdiction, the main requirements for providers of audiovisual media services include the following.

• Registration in the Register of the National Council for Radio and Television (ESR).
• Ensuring that the identification/contact information of the provider is easily, directly and permanently accessible to service recipients.
• Ensuring that the service does not contain any incitement to violence or hatred against a group of persons or a member of a group identified on the basis of race, colour, national or ethnic origin, descent, ancestry, religion, disability, sexual orientation, identity or gender characteristics.
• Ensuring the protection of minors, by not making available content that could be harmful to their physical, mental or moral development. Measures may include appropriate age marking, selection of the time of the broadcast and age verification tools. Unjustified violence and pornography shall be subject to stricter measures. Minors' personal data cannot be processed for commercial purposes, such as direct marketing, profiling and behaviourally targeted advertising.
• Gradually making the service accessible to people with a visual or hearing disability.
• Complying with multiple regulations with regard to audiovisual commercial communications, sponsorships, product placement, television advertising and teleshopping.

Authorisation Procedures

Pursuant to Law 4339/2015, licences for digital terrestrial free-to-air TV are granted by way of public auction. This procedure is carried out by the ESR, which issues the relevant notice. The notice specifies the conditions and the procedure for granting licences to content providers.

To qualify for participation in the auction, the applicants shall meet the following conditions set out in Law 4339/2015:

• minimum share capital;
• registered shares;
• legal form;
• non-conviction of shareholders and members of the board for certain crimes;
• not having entered into liquidation or insolvency procedures;
• compliance with tax and insurance obligations;
• the presentation of evidence regarding the source of the financial means available for the operation of the company; and
• not exercising control over another company operating in the same media sector.

The licensing framework for pay-tv and radio services via satellite, cable or frequencies is outlined in Law 2644/1998. Licences to provide subscription radio and TV services are held only by Sociétés Anonymes. Licences are granted by decision of the ESR and the conclusion of a concession agreement with the Greek State, excluding the provision of linear television services through broadband networks, for which Article 15 of Law 3592/2007 applies.

Electronic Communication Networks (ECNs) and Services (ECSs)

The applicability of the regulatory framework for electronic communications depends on whether the technology falls within the scope of ECNs and/or ECSs, as defined in Law 4727/2020 and EETT’s secondary legislation.

ECNs encompass all transmission systems, whether or not they are based on a permanent infrastructure or a centralised administration capacity. Where applicable, the category also includes switching or routing equipment and other resources (including network elements that are not active) used to convey signals, operated for public or private use, including wireless networks (eg, mobile, Wi-Fi), cable (eg, IP broadband network) and electricity cable systems, to the extent that they are used for transmitting signals, networks used for radio and television broadcasting, and cable television networks, regardless of the type of information conveyed.

ECSs encompass any service normally provided for remuneration via ECNs, including the following types of services, with the exception of services providing or exercising editorial control over content transmitted using ECNs and ECSs:

• internet access service;
• interpersonal communications service; and
• services consisting wholly or mainly of the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.

Licensing

In order to provide any kind of electronic communications networks and/or services within the territory of Greece (except for number-independent interpersonal communications services), operators shall acquire a General Authorisation, in the form of a Registration Declaration to EETT.

Where the electronic communications activity is subject to the granting of rights to use numbers or radio frequencies, the person concerned must also obtain the required rights to use numbers or radio frequencies. Where no granting of individual rights to use radio frequencies is required, operators must meet the conditions set in the relevant regulation issued by EETT. Spectrum licences and the applicable secondary legislation specify the permitted use and the technical characteristics of the equipment that may be used, taking into account the principle of proportionality and technological neutrality.

Where applicable, operators shall obtain the appropriate licences for every antenna they use. The relevant framework was reviewed with Law 4635/2019 and EETT’s Regulation 919/26/2019.

Cybersecurity Requirements

Apart from the cybersecurity risk-management measures provided for in Article 21 paragraph 2 of NIS 2 Directive to manage the risks in the security of network and information systems, based on the provisions of Law 5160/2024, the essential and important entities, including telecoms providers, shall also:

• designate an Information and Communication Systems Security Officer;
• keep a single cybersecurity policy, which includes all the other individual measures, policies and procedures followed; and
• keep a comprehensive record of tangible and intangible information and communication goods, which are ranked according to their criticality.

Article 29 of the Law introduces provisions related specifically to providers of public electronic communications networks or providers of publicly available electronic communications services. Within the framework of its competences, ADAE may oblige providers of public ECN or publicly available ECS to take enhanced cybersecurity measures, in addition to those arising from other provisions. Until the issuance of the relevant Regulation by ADAE – and in any case no later than 27 May 2025 – ADAE decision no 28/2024 shall apply, to the extent that it concerns enhanced cybersecurity measures for these providers.

Regulation (EU) 2015/2120 establishes common rules to safeguard equal and non-discriminatory treatment of traffic in the provision of internet access services and related end users’ rights.

• Providers of internet access services shall treat all traffic equally, without discrimination, restriction or interference, and irrespective of the sender and receiver, the content accessed or distributed, the applications or services used or provided, or the terminal equipment used.
• Providers of internet access services are allowed to implement reasonable traffic management measures – ie, systems that are transparent, non-discriminatory and proportionate, and not based on commercial considerations but on objectively different technical quality of service requirements of specific categories of traffic. Such measures shall not monitor the specific content and shall not be maintained for longer than necessary.

EETT’s National Open Internet Regulation (Decision 1097/4Β/15-1-2024) specifies and clarifies specific issues of the EU Regulation.

• EETT’s regulation sets out information and transparency obligations for internet access service providers in accordance with Regulation (EU) 2015/2120, and provides for the prohibition on differentiated content charging practices based on the application, such as zero-rating for the content of the network provider or specific application. There are, however, some exceptions to this prohibition, for applications for speed measurement, balance updates, distance learning and emergency communications services.
• “Reduced connectivity offers” excluding services using specific protocols to communicate to specific parts of the internet, such as machine-to-machine/IoT applications, are not allowed.

Impact of Emerging Technologies on the Legal Framework of Telecommunications

The development of 5G in Greece is based on the use of frequencies such as 700 MHz, 3.5 GHz and 26 GHz, which allow high speeds and low latency. EETT has allocated these frequencies to operators through auctions, ensuring the smooth deployment of the network.

IoT services are anticipated to have a significant impact on the legal landscape of telecommunications in Greece. In this context, the Ministry of Digital Governance and the General Secretariat of Telecommunications and Post is focusing on developing a comprehensive national strategy for the use of IoT technology, and establishing a clear and coherent framework for their secure, responsible and regulated integration in Greece.

Emerging technologies like AI have not yet led to specific changes or developments in the legal framework governing telecommunications in Greece. The sector operates under the general regulatory framework established by EU directives and national laws. While AI's potential in optimising network management and enhancing customer service is recognised, there are currently no AI-specific regulations or policies tailored to the telecommunications industry in Greece.

Key Legal Considerations for TMT Companies Integrating Emerging Technologies

Companies in the TMT sector integrating AI must focus on three key legal considerations:

• data protection and privacy laws mandate transparency, accountability and the lawful processing of personal data used in AI systems, ensuring individuals' rights are respected;
• cybersecurity is critical to protect AI systems and their underlying data from breaches and unauthorised access, which could compromise sensitive information or operational integrity; and
• the EU AI Act introduces specific obligations for high-risk AI systems, including mandatory impact assessments to identify and mitigate risks to fundamental rights.

Licensing Model

In Greece, technology agreements are mainly regulated by the Civil Code and the Commercial Code.

Scope of the agreement

Although technology agreements usually take the form of software licences, some are much more complex. In many cases, the organisation procuring the technology services provides a solution that includes multiple components. This is important to bear in mind when drafting a technology agreement so as to:

• avoid any ambiguity;
• explicitly describe the parties’ obligations;
• include charges covering all the components; and
• foresee all possible risks that may lead to a breach of contract or exposure to liabilities.

Depending on the technology agreement, various chapters of the Civil Code may be applicable (ie, sales contracts, work contracts, service contracts). Due to the rapid development of technology and services provided via the internet, one of the challenges is the impossibility to include these agreements within the categories of Greek legislation.

Customisation

Some companies prefer a customised IT solution not through a licensing model, but through a software development agreement or an SaaS agreement (or PaaS). Other companies prefer the licensing agreement with the customisation it offers; this customisation, alongside the integration that may be required, creates a new set of provisions that need to be included in the agreement, especially referring to timelines, failures, rectifications and quality controls. In certain regulated industries, such as banking, the entities involved provide a complete set of services that an interested party may outsource to them, including technology services, applicable licences, monitoring, etc (ie, banking as a service). This type of agreement is not yet common among the IT service providers established in Greece. However, due to the development of new technologies such as AI and cloud computing, technology agreements are expected to be used frequently in the near future.

Maintenance

Service level agreements must be carefully drafted to include such items as the availability uptime, back-ups, disaster recovery, schedules of maintenance, and support means and response times, while taking into account business continuity and the possibility of termination of the agreement.

IP

Software, computer programs and databases are protected by Greek Copyright Law 2121/1993, and are considered works of intellectual creations of speech, art or science. Databases are also protected by a sui generis right, which protects the investment of manufacturers of databases. Therefore, the protection of copyright works in technology agreements is also based on specific provisions of Greek legislation, in addition to the Civil Code.

IPR warranty and indemnities

Clauses on the IPR warranty and the provision of indemnity from the original provider are traditionally included in almost all software and IT-related agreements and remain a necessity today, even in cloud computing agreements. The risk of a third party claiming ownership of software licensed to the organisation and thus prohibiting use of the licensed software and interrupting the business continuity is still present, and should be taken into account for indemnity provisions.

Liabilities

Software and technology services or technology agreements include clauses that limit the liability of the provider. A technology agreement must therefore include back-to-back provisions that fully cover intermediary parties (in B2B cases) and end customers (in B2C cases) against the original provider of the service. The clause setting a liability cap for the provider is of major importance – this cap is usually a multiple of the contract value.

From a judicial point of view, in B2C agreements, clauses that extensively limit the liability of the professional against the consumer – especially if they have not been negotiated – are usually considered as abusive and, thus, null and void. On the other hand, in B2B agreements under which the parties usually demonstrate similar bargaining powers, the freedom of the parties supersedes, unless one party has acted maliciously or in a grossly negligent manner, or has acted without previous experience and knowledge in this type of agreement, thus demonstrating a disadvantage in bargaining.

In Greece, it is common practice for the parties that offer IT services to have insurance coverage, in order to safeguard their business in case of breaching events such as cyber liabilities, data protection (personal data breaches) and network disruptions. The existence of these insurance agreements can increase the cost of the provision of the IT services, but they appear to be necessary in the contemporary international technology landscape. This becomes more significant in cases where the IT services are provided to regulated and supervised entities.

According to EETT Decision No 1103/2/2024 regarding the new Regulation for the definition of terms and conditions for the provision of access and interconnection services, when providing access to Application Program Interfaces (APIs), operators providing access through a platform of the same technology (such as IPTV, digital terrestrial, satellite) must:

• make available all necessary information to enable providers of digital interactive television services to provide all services supported by the APIs in a fully operational manner;
• co-operate with each other in order to regulate application management issues, through the open standards of the API with appropriate signalling of identifiers;
• co-operate with each other in order to regulate issues of presentation of services to the viewer and to ensure the proper functioning of the software to the receivers; and
• publish the technical characteristics of the APIs relating to openly published standards and/or specifications.

The negotiation between companies to reach technical and commercial access or interconnection agreements in Greece or in Greece and another member state, in accordance with EU law, is not subject to restrictions under Law 4727/2020. Providers of public electronic communications networks shall have the right to negotiate interconnection agreements for the provision of publicly available electronic communications services. Providers of electronic communications networks shall be obliged to negotiate in good faith the interconnection between their networks at the reasonable request of a third undertaking operating under a general authorisation to provide electronic communications services to the public. In such a case, the third undertaking shall submit a request to that effect to its access provider of an electronic communications network.

The content of interconnection agreements is freely negotiated between the providers concerned, subject to the obligations arising from the applicable legislation and the regulatory decisions of EETT. The interconnection agreement shall include at least some exclusively statutory matters, such as:

• the description of the interconnection services;
• payment terms;
• the locations of the interconnection points;
• the definition of one-off and/or periodic interconnection charges;
• the terms and conditions of termination of the agreement;
• technical standards for interconnection;
• intellectual and industrial property rights;
• the definition and limitation of liability and indemnification obligations;
• the dispute settlement procedure between the parties;
• the duration of the interconnection agreement;
• the procedure in the event of proposed changes to the network or services offered by one of the parties;
• traffic and network management;
• the maintenance and quality of interconnection services and the method of quality control;
• the confidentiality of parts of the interconnection agreement;
• numbering and signalling; and
• co-operation and maintenance (failures in contracting party networks and network availability).

A third undertaking – ie, a provider of electronic communications services – wishing to interconnect or to amend existing interconnection contracts of the access provider with other networks shall submit a written request to that effect. The request shall be addressed to its access provider and shall include at least the following:

• the networks it wishes to be interconnected;
• the services for which it wishes to interconnect networks;
• the desired activation date of the requested interface; and
• any information necessary to substantiate the reasonableness of this request.

The requested electronic communications network provider shall examine the request and either reject the request, in which case it shall inform the requested provider in writing, stating the reasons for the refusal, or accept the request, in which case it shall inform the requesting provider in writing and submit the relevant requests for interconnection. If no agreement is reached between the parties, the parties may appeal to EETT and request the resolution of the dispute by EETT issuing a binding decision.

TMT companies entering into interconnection agreements in Greece must take into account various legal, regulatory, technical and commercial issues to ensure compliance and effective co-operation. Companies must ensure that interconnection agreements comply with the Regulations and Guidelines of EETT, and with the obligations and conditions that EETT may impose on a case-by-case basis. The parties undertake to ensure the confidentiality of all information exchanged or brought to their knowledge before and during the negotiations for the conclusion of an interconnection agreement, during the execution of such agreement, and for five years after its termination. The network infrastructures of the parties involved must be compatible and support the uninterrupted flow of data. The agreement must include mechanisms to protect against cyber threats or other security problems, and mechanisms to address issues relating to the termination of the agreement and the settlement of disputes between the parties.

The legal framework in Greece consists mainly of Regulation (EU) 910/2014 (eIDAS Regulation), Law 4727/2020 and the EETT Regulation on the provision of Trust Services, the latter of which complement the eIDAS Regulation.

The eIDAS Regulation lays down the conditions under which member states may recognise electronic identification means falling under a notified electronic identification scheme of another member state. It also lays down rules for trust services, which are the electronic services normally provided for remuneration consisting of:

• the creation, verification and validation of electronic signatures, seals or time stamps, electronic registered delivery services and certificates related to those services;
• the creation, verification and validation of certificates for website authentication; or
• the preservation of electronic signatures, seals or certificates related to those services.

Qualified trust services may be provided by qualified or non-qualified “trust service providers”. In Greece, the supervisory body granting the qualified status to providers is EETT, which also maintains an electronic record of trust service providers established in Greece.

Trust service providers must meet specific security requirements, and must take the appropriate technical and organisational measures for the security of their trust services and inform EETT of any breach of security or loss of integrity that has a significant impact, within 24 hours of the incident.

Trust service providers are liable for damage caused due to a failure to comply with their obligations. Where trust service providers duly inform their customers in advance of the limitations on the use of their services and where those limitations are recognisable to third parties, trust service providers shall not be liable for damages arising from the use of services exceeding the indicated limitations. A qualified trust service provider providing qualified trust services must maintain sufficient financial resources and/or obtain appropriate liability insurance.

Personal data processing must be carried out in accordance with GDPR and Law 4624/2019. Where feasible, trust services provided and end user products used in the provision of those services must be made accessible for persons with disabilities.

In case of violation of the relevant legislation, EETT may impose one or more of the following sanctions, depending on the gravity of the violation:

• recommendation;
• a fine of up to EUR100,000; and/or
• the suspension or revocation of the rights deriving from the relevant EETT decisions for serious and repeated violations.

Electronic Signatures

An electronic signature is data in an electronic form that is attached to or logically associated with other data in electronic form, and that is used by the signatory to sign. The eIDAS Regulation provides for two particular types of electronic signatures:

• advanced electronic signatures; and
• qualified electronic signatures, which have a legal effect equivalent to that of a handwritten signature.

The legal effect and admissibility of the simple electronic signature as evidence in legal proceedings shall not be denied under the Regulation. However, a simple electronic signature cannot be considered equivalent to a handwritten signature, and therefore it cannot be used as a substitute for the electronic signature in legal transactions where using the written form is mandatory.

In this context, Law 4727/2020 states that an electronic document bearing a simple or advanced electronic signature or an advanced electronic seal of its issuer constitutes a mechanical representation within the meaning of Article 444 of the Greek Civil Procedure Code, and therefore shall have the force of a private document.

However, in cases where the use of written form is required and therefore a private document must have the handwritten signature of its issuer in order to produce evidence, a qualified electronic signature or electronic seal is required. Electronic documents with a simple or advanced electronic signature are freely evaluated as legal evidence, based on the applicable procedural provisions.

Digital Identity

In Greece, Gov.gr Wallet enables the creation, storage and control of citizens' digital documents. Digital ID cards, digital driving licences, digital disability cards, digital employment agency cards and digital ring cards are already supported. Gov.gr digital documents are equivalent to the paper documents for any legal use within the Greek territory, but are not international travel documents.

Furthermore, the Greek government has announced the development of “Kids Wallet”, a mobile application designed to enhance online safety for minors by regulating their internet access. Scheduled for launch in March 2025, the app will enable automatic age verification and provide parental controls to manage children's screen time and application usage. It will integrate with the existing Gov.gr Wallet used by adults for digital identification.

The gaming industry in Greece is mainly regulated by Law 4002/2011, which establishes the legal framework for the operation, management, supervision and control of gaming activities.

Law 4002/2011 distinguishes between the following

• “Amusement-skill games”, where the outcome depends exclusively or mainly on the technical or intellectual skills of the player, and they are conducted at a public place, solely for amusement purposes. The outcome of such games may not be considered as a wager placed between any persons, and the player cannot be given any form of financial gain.
• “Games of chance”, which meet the following cumulative conditions:
1. chance must be one of the factors influencing the outcome, even partially; and
2. there must be a financial wager, irrespective of its value, in order to seek a direct or indirect financial gain from the outcome of the game.

Responsible Gaming

Responsible gaming regulations aim to prevent the harm of excessive gaming and promote responsible decision-making. The Hellenic Gaming Commission (HGC) has issued guidelines to ensure gaming is conducted responsibly and to minimise risks from careless participation.

The HGC has recently identified critical gaps in Greece’s gaming regulations, calling for reforms to better protect players and highlighting the rapid growth of the sector as a weakness in the regulatory framework. Citing the Betshop case, which involved a EUR25 million penalty from tax audits, the HGC emphasised the need for stronger legal protections to prevent player funds from being treated as company assets. After revoking Betshop’s licence, the HGC began efforts to return funds to affected players. On 23 September 2024, the liquidation of guarantee letters deposited by the provider with the HGC was offered to cover the amounts owed. An online application allowing players to submit claims and the organisation of the refund process is anticipated in the coming months.

Another key challenge is the fact that the Greek legal framework focuses almost exclusively on games of chance, leaving amusement games in a grey area. The meaning of “amusement games” has changed over the years, and the HGC acknowledges that energy is now being expended without any benefit to the public interest, and that unnecessary bureaucratic and financial burdens are being imposed on businesses not involved in the organisation and conduct of games of chance. The need for a more modern and clearer regulatory framework is evident, so that amusement games can be treated according to their nature and purpose.

Games of chance require licensing and HGC supervision. Participation is restricted to individuals aged 21 or older, and their promotion is regulated. Violators face criminal and administrative penalties. The “loot box” mechanism closely resembles games of chance.

Key Offences

Article 52 of Law 4002/2011 prohibits the organisation and conduct of gaming without a licence or certification. Those who do not have the necessary licences and certifications face imprisonment and fines ranging from EUR100,000 to EUR700,000. Even if games are only organised and not conducted, they can be punished with imprisonment of at least one year and a fine of between EUR70,000 and EUR150,000. Installing or operating amusement skill games without the appropriate certification can result in imprisonment of at least two years and a fine of between EUR5,000 and EUR50,000 per gaming machine. Installing or operating games of chance without the appropriate certification can result in imprisonment of at least three years and a fine of between EUR150,000 and EUR200,000 per gaming machine.

Every electronic technical-amusement game intended for installation or already installed on certified gaming machines and played in certified establishments must be certified by the HGC. Electronic technical-amusement games are considered certified if they have already been certified by other national authorities, recognised international or European organisations, or certification bodies with which the HGC has signed a recognition agreement.

To be certified as an electronic technical-amusement game, the following cumulative conditions must be met:

• the game must be a software application embedded in or installed on electronic supporting media (hardware), and its execution must be influenced exclusively or primarily by the player’s technical or intellectual abilities, such as knowledge, choices and skills;
• it must have a purely technical-amusement character and must not be or transform into a game of chance at any stage of its operation;
• it must have obtained an age rating licence under the “Pan-European Game Information” (PEGI) system;
• if it does not have an age rating licence, its content must have been reviewed by the manufacturer, importer or lawful owner or operator of the game, concerning descriptive indicators related to the game’s content (indicators of violence, offensive language, pornographic content, discrimination, substance abuse, etc); and
• it must include all information, instructions and other elements related to its use and operation.

The HGC is the independent administrative authority responsible for regulating, supervising and controlling games conducted within the Greek territory. Its purpose is to regulate the conduct of fair games, ensure compliance and protect players from addiction, particularly minors and other vulnerable social groups. The HGC has the authority to inspect, classify, categorise and certify all types of games or their software, and to issue or revoke related decisions. These actions may be undertaken either upon request or on the HGC’s own initiative.

The HGC is also responsible for imposing administrative sanctions. According to Article 51 of the Law, in case of violation of the provisions on gaming in force, the HGC shall issue a decision imposing a lump sum fine ranging from EUR1,000 to EUR2 million, or a percentage of gross income, for every violation and/or for each gaming machine, and/or revoking the licence provisionally for up to three months, or permanently, depending on the severity and frequency of the violation.

The Regulation for the Conduct and Control of Games specifies the cases when a fine is imposed per violation or per gaming machine, and qualifies the imposed administrative sanctions of this paragraph per violation or per categories of violations.

At its discretion, and before the imposition of an administrative penalty for the violations, the HGC may provide instructions, guidelines and recommendations in order for the violators to comply. Nevertheless, non-compliance constitutes an aggravating circumstance when imposing the administrative sanction. Any entity conducting games of chance without using and controlling player cards shall be issued a fine of between EUR5,000 and EUR7,000 per infringement.

Furthermore, it is prohibited for ISPs with a registered office, headquarters or permanent establishment in Greece to allow online access to illegal gaming providers included on the relevant black list kept by the HGC. ISPs violating this obligation shall be fined according to the provisions of the Regulation for the Conduct and Control of Games.

Finally, if licence holders fail to install the necessary technical infrastructure for the conduct of games of chance using gaming machines or via the internet connected to the PSEE via Central IT Systems, they shall be fined between EUR100,000 and EUR500,000, and the HGC shall suspend their operation temporarily or even permanently revoke their licence.

The HGC has imposed the following administrative sanctions.

• Decision 43/2/30.10.2023: an administrative fine of EUR50,000 was imposed on a gaming company for violating the terms of licences for conducting online games of chance (Type 1 and Type 2).
• Decision 37/1/21.09.2023: the administrative sanction of permanent licence revocation was imposed on a casino licence holder due to non-compliance with the terms of the licence and the private agreement. A further fine of EUR220,000 was imposed for the casino’s non-operation, which resulted in financial losses for the Greek State.
• Decision 19/4/23.05.2023: an administrative fine of EUR5,000 was imposed on a casino operator for violations of casino operating terms.

With regard to IP protection of video games, a distinction must be drawn between the software through which they are performed and their audiovisual presentation.

The software is protected like all computer programs, which, as well as the preparatory material for their design, are regarded as works of speech protected under IP law. Protection is granted to any form of expression of a computer program (ie, object and source code), and to programs embedded in hardware. However, ideas and principles on which any element of a computer program is based are not protected. A computer program is considered original if it is the author's own intellectual creation, which is a crucial element for their protection and a challenge faced by game developers. Computer-aided design files are also protected if they include source code.

The presentation of video games is protected as an audiovisual work, while individual images are protected as works of photography.

The titles, names, logos and other graphic elements of video games that characterise and distinguish them from others may be protected as trade marks, and their use by third parties who may use similar marks that may confuse consumers is prevented. However, the protection of computer programs specifically under trade mark law is only possible indirectly, as only the title of the program can be protected as a trade mark, if it is lawfully registered as such, when it is contained in manuals, accompanying material or the packaging of the program.

With regard to legislation regulating social media platforms, the following should be noted:

• the DSA establishes rules for intermediary digital services provided to users residing in the EU, regardless of whether or not the provider’s country of establishment is within the EU;
• Law 5099/2024, which complements the implementation of the DSA, establishes oversight institutions for the domestic market of intermediary internet service providers, the competent supervisory authorities for the DSA, and sanctions in case of violations;
• Law 4779/2021, which is the transposition of the Audiovisual Media Services Directive, includes social media network services under the jurisdiction of Greece within its scope, with regard to their audiovisual content, to the extent that they provide programs, videos generated by users or both, for the purpose of information, entertainment or education, for which the service provider has no editorial responsibility and provided that this provision is a basic function of the social networking service;
• social media platforms are regulated under Presidential Decree131/2003, which transposed the e-Commerce Directive; and
• Law 5160/2024, which transposes the NIS2 Directive, has included providers of social networking services platforms under the jurisdiction of Greece within the entities that fall within its scope.

Legal Obligations

The DSA and Law 5099/2024 define the obligations of providers of intermediary digital services. In addition to obligations that are common to all, further obligations are established depending on the size of the providers and the type of services, including:

• registration in the register of providers of intermediary services;
• the adoption of notice and action mechanisms;
• a ban on targeted advertising on online platforms;
• the publication of transparency reports; and
• notification of suspicions of criminal offences.

Pursuant to Law 4779/2021, among other obligations, social networking services under the Greek jurisdiction are required to take appropriate measures for the protection of minors and for the protection of the general public from content with incitement to violence or hatred against groups identified on the basis of race, colour, national or ethnic origin, descent, ancestry, religion, disability, sexual orientation, identity or gender characteristics.

With regard to cybersecurity challenges, Law 5160/2024 establishes various obligations for the entities that fall within its scope, such as social networking services. Examples include requirements for:

• registration at the relevant register;
• implementation of certain cybersecurity risk management measures; and
• reporting a significant incident.

It should be noted that a proposal for age restriction on social media is strongly discussed as an intention of the Greek government for the near future, in the context of an upcoming National Strategy for the Protection of Minors from Internet Addiction. However, no official legal framework has yet been published.

Regulatory Bodies

With regard to the obligations arising from the DSA and Article 4 of Law 5099/2024, EETT is designated as the Digital Services Co-ordinator responsible for supervising and co-ordinating intermediary service providers, including social media platforms. The following authorities are also designated as being competent for overseeing intermediary service providers:

• the ESR, regarding issues related to advertising and the protection of minors from risks threatening their safety; and
• the HDPA, concerning matters related to informing users about the manner in which advertisements are displayed and targeted, as well as the protection of minors' personal data.

With regard to the obligations arising from Law 4779/2021 on social media network services under the jurisdiction of Greece with regard to their audiovisual content, the competent authority is the ESR.

With regard to the obligations arising from Law 5160/2024 on cybersecurity issues, the competent authority is the National Cybersecurity Authority.

Enforcement Powers

EETT

Under the DSA and Law 5099/2024, EETT may request information from intermediary service providers and from any other person acting for purposes related to their commercial, business or professional activities that may reasonably have knowledge of the alleged infringement. Furthermore, EETT has the authority to order the cessation of infringements and to impose corrective measures on providers, proportional to the infringement. It may also impose a fine or periodic financial penalty, or request the imposition thereof by a judicial authority.

HDPA

The HDPA has powers such as warnings for potential violations, compliance orders, restriction or prohibition of processing, confiscation of equipment and data, and suspension or destruction of records and data to protect personal data.

ESR

In case of violation of the obligations under Law 4779/2021 concerning social media in the sense of their affiliation to video sharing platforms established in Greece, the following sanctions may be imposed:

• recommendation for compliance;
• a fine of between EUR1,000 and EUR500,000;
• the temporary suspension of the operation of the platform for a period of between one day and three months; or
• permanent suspension of the operation of the platform.

NCSA

The NCSA has the power, among others, to issue warnings about infringements, adopt binding instructions and guidelines, and order the entities concerned to cease conduct. Depending on the violation of Law 5160/2024, the NCSA is authorised to impose administrative sanctions, covering a wide range of possible fines.