On March the 1st, 2023, the provisions of articles 32 to 42 of Law 4961/2022 (“Emerging IT and communications technologies, strengthening digital governance and other provisions”, Official Gazette 146/A/27-7-2022) are set to be in effect, with which a strict legislative framework regarding the use of Internet of Things technology has been implemented. The need for appropriate cyber security measures is highlighted as well as the obligations of the manufacturers of those devices, the importers, the distributors, their operators and the National Cyber Security Authority.
DEFINITION OF THE TERM “INTERNET OF THINGS”
The Internet of Things (IoT) is any technology that:
- a) allows devices or a group of interconnected or related devices, through their connection to the Internet, to perform, based on a program, automatic processing of digital data, including the technology related to the interconnection of physical things, such as devices, vehicles and buildings, with electronic components, software, sensors, actuators, radio links and network connection and
- b) allows the collection and exchange of digital data to offer a variety of services to users, with or without human participation.
THE PROVISIONS OF LAW 4961/2022
Those legislative interventions are primarily aimed at manufacturers, importers, distributors and operators of devices who make use of the Internet of Things technology, aiming to ensure a high level of security of the information that flows through them, especially when there an interaction with people, either directly or indirectly.
The manufacturers of these devices are obligated to:
- Take the necessary measures to achieve an appropriate level of cyber security.
- Draw up for each device a declaration of compliance to the technical and safety provisions of the ministerial decision of par. 12a of article 113 of law 4961/2022, which should be accompanied by a user manual and security information.
- Draw up preliminarily the appropriate policy for predicting and addressing possible security infringements.
Importers and distributors, before the distribution of those said device, must:
- Confirm that the device is accompanied by the manufacturer’s declaration of compliance.
- Deliver the declaration in question to the National Cyber Security Authority or any competent response team, following a relevant request.
The operators of those devices must:
- Make use of the devices in accordance with the technical and safety specifications, according to the ministerial decision of par. 12a of article 113 of Law 4961/2022.
- Appoint an IoT Security Officer.
- Maintain an archive of all interconnected devices, which should be updated on an annual basis.
- Provide all possible information to users of the said devices regarding their installation and operation, while ensuring a high level of security.
The National Cyber Security Authority is authorized to undertake the inspection and evaluation of compliance of the above-mentioned people and receive notifications from the operators of IoT devices, regarding the occurrence of security infringements or detected vulnerabilities.
Finally, the protection of personal data in accordance with the relevant legislative provisions (GDPR, Laws 4624/2019 and 3471/2006) is emphasized, through the implementation of a data processing impact assessment.
SANCTIONS
Sanctions have been implemented for the violators of the legislative provisions, with the strictest of those being the imposition of a fine of up to one hundred thousand (100,000) euros for repeat offenders.
As published on the Official Government Gazette here FEK-2022-Tefxos A-00146-downloaded -15_02_2023