GREECE Law and Practice Contributed by: Nikos Nikolinakos, Dina Kouvelou and Alexis Spyropoulos, Nikolinakos & Partners Law Firm
4. Internet of Things

4.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection

According to Law 4961/2022, IoT is any technology that:

• enables devices or a group of interconnected or related devices, through their connection to the internet, to perform automatic processing of digital data on a programmed basis, including technology that involves the interconnection of physical things, in particular appliances, vehicles and buildings, with electronic components, software, sensors, actuators, radio links and network connectivity; and
• enables the collection and exchange of digital data in order to offer a variety of services to users, with or without human involvement.

National Cybersecurity Authority (NCSA)

The NCSA is the competent authority supervising compliance with the IoT security framework. Its powers include:

• overseeing the compliance of IoT manufacturers, importers, distributors and operators;
• assessing the conformity of IoT devices with the relevant technical specifications;
• receiving notifications from IoT operators about incidents or vulnerabilities;
• ordering corrective action to bring devices into conformity with the applicable legislation; and
• ordering devices presenting risks to be temporarily withdrawn from the market and replaced only after such risks have been removed.
Data Protection

Law 4961/2022 provides that personal data processing related to the operation of IoT technology devices must be carried out in accordance with EU and Greek data protection legislation.

4.2 Compliance and Governance

Law 4961/2022 imposes legal obligations on manufacturers, importers, distributors and operators of IoT devices.

Manufacturers, Importers and Distributors

IoT devices intended to be made available to operators must be accompanied by:

• a declaration of conformity by the manufacturer;
• an instruction and safety information manual in terminology easily understood by end users; and
• a procedure for the management of cases where an incident or a security vulnerability is identified by users.

Before making the IoT device available to operators, importers and distributors must verify that the device is accompanied by the declaration of conformity. When they become aware that a device does not conform with the technical safety specifications, they must refrain from making the device further available until it does.

If the NCSA finds that an IoT device presents a security risk despite complying with the necessary technical security specifications, it orders the manufacturer, importer and distributor to take all necessary measures to withdraw the device within a reasonable period of time, and to ensure that the device will not present a risk when made available again.