Law 5193/2025: Supplementary Provisions for the Implementation of Regulation (EU) 2022/2554 (DORA)

Articles 148–152 of Law 5193/2025 (Government Gazette A’ 56/11.04.2025) establish the national legislative framework necessary to supplement Regulation (EU) 2022/2554 on the digital operational resilience of the financial sector (DORA).

On 11 April 2025, Act no. 5193/2025 was published in the Government Gazette under the title “Strengthening of the Capital Market and Other Provisions” (Government Gazette A’ 56/11.04.2025, hereinafter the “Act”).

Chapter C of Part F (Articles 148–152) of the Act designates the competent national authorities responsible for supervising compliance with Regulation (EU) 2022/2554 (DORA), and sets out their respective powers and responsibilities, including the imposition of administrative measures and sanctions.

According to the explanatory memorandum of the Act, the adoption of national implementing measures is necessary because provisions concerning digital operational resilience and information and communication technology (ICT) security have not yet been fully or coherently harmonised across the Union. As a result, ICT risks continue to present a significant challenge to the operational resilience, performance, and stability of the EU financial system.

Furthermore, Chapter D of Part F (Articles 153–170) of the Act transposes Directive (EU) 2022/2556 into Greek law, introducing legislative amendments aimed at modernising the national legal framework in light of the new digital operational resilience requirements.

These amendments ensure compatibility with Regulation (EU) 2022/2554 (DORA), thereby complementing the existing sectoral framework. In particular, modifications are introduced to the relevant provisions of Laws 4099/2012 (A’ 250), 4209/2013 (A’ 253), 4261/2014 (A’ 107), 4335/2015 (A’ 87), 4364/2016 (A’ 13), 4514/2018 (A’ 14), and 4537/2018 (A’ 84), aligning them with the DORA Regulation.

1. Designation of competent supervisory authority

The Law designates the Bank of Greece and the Hellenic Capital Market Commission as the competent supervisory authorities for the implementation of the DORA Regulation, depending on the type of entity supervised.

Specifically, the Bank of Greece is designated as the competent authority for the supervision of the financial and insurance sectors. It shall supervise the implementation of DORA by systemic and other credit institutions, payment institutions and electronic money institutions, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, as well as entities engaged in insurance intermediation as a secondary activity.

With respect to investment services providers, investment firms, central securities depositories, central counterparties, trading venues, data reporting service providers not subject to supervision by the European Securities and Markets Authority (ESMA), as well as alternative investment fund managers and management companies, the competent supervisory authority under the Law is the Hellenic Capital Market Commission.

For providers of equity financing services, the competent supervisory authority is either the Hellenic Capital Market Commission or the Bank of Greece, depending on their respective areas of responsibility, in accordance with Article 151 of Law 4920/2022 (A’ 74).

Finally, for crypto-asset service providers and issuers of asset-referenced tokens, the competent authority is likewise either the Bank of Greece or the Hellenic Capital Market Commission, as determined by their respective competences pursuant to the relevant provisions of Law 5193/2025, which lay down the national implementing measures for the regulation of crypto-asset markets.

2. Powers of the competent supervisory authorities

Under the provisions of Act no. 5193/2025, the supervisory authorities possess the following compliance enforcement powers:

  • The right to access documents or data and take copies;
  • The ability to conduct on-site inspections, including requesting written or oral explanations, examining natural persons, and other relevant activities;
  • The authority to impose administrative fines of up to 10% of the total net turnover of the liable entity, or up to EUR 5,000,000 in the case of a natural person, or to withdraw an operating license and/or apply any other measure deemed necessary by the Authority.
  • The imposition of administrative or corrective measures on both the supervised financial entity and the members of the board of directors or other individuals responsible for the breach that occurred in the performance of their duties. These measures may include, among others, orders to cease the illegal activity and to refrain from such activity in the future.
  • The removal of directors of the obligated entity in the event of non-compliance with the decisions of the supervisory authority.

The Law stipulates that decisions made by the Hellenic Capital Market Commission may be challenged, where applicable, through an application for annulment or an appeal on the merits before the competent administrative court. In contrast, decisions made by the Bank of Greece may be contested by means of an application for annulment before the Council of State.

3. Sectoral legislative amendments

The Act introduces amendments to sectoral legislative provisions to align the organizational requirements related to financial services with the provisions of the DORA Regulation.

In particular, amendments are introduced to Law 4099/2012 (A' 250) concerning the organizational requirements for applying for a license to operate Mutual Fund Management Companies. These amendments also address the existence of security mechanisms for the electronic processing of data related to network and information systems in accordance with the DORA Regulation.

Changes are made to Law 4364/2016 (A' 13), introducing a requirement for effective governance systems and measures to ensure the continuity of activities for insurance and reinsurance undertakings.

Additionally, Law 4261/2014 (A' 107) is amended to impose an obligation on credit institutions to establish an appropriate internal governance system, along with policies and business continuity plans. Amendments are also introduced to the supervisory review and assessment process conducted by the Bank of Greece.

Furthermore, changes are made to Law 4335/2015 (A' 87) regarding the options included in the resolution plans of institutions, as well as measures to ensure their continuity and digital operational resilience.

Amendments are made to Law 4514/2018 (A' 14) concerning the organizational requirements applicable to Investment Service Companies.

These amendments provide measures to ensure the continuous and regular execution of investment services and activities, establish requirements regarding the delegation of essential business functions to third parties, and outline risk assessment procedures along with specific requirements for algorithmic transactions.

In addition, amendments are introduced regarding the organizational requirements for regulated markets, including requirements for the development of business continuity policies and plans, as well as procedures for testing algorithms.

Changes are made to Law 4537/2018 (A' 84) concerning applications for operating licenses of payment institutions. These changes aim to incorporate regulations on the use of ICT services, incident notification obligations, business continuity policies, and ICT response and recovery plans in accordance with the DORA Regulation. Changes are introduced in the same law concerning the conditions for outsourcing, security risk management, and incident reporting.
