Data Centres: An International Legal and Regulatory PerspectiveSpotlight on Greece

Greece has enacted Law 5202/2025 (the “FDI Law”), establishing a comprehensive legal framework for the screening of Foreign Direct Investments (“FDIs”) with the intent to harmonise national legislation with the EU framework on FDI screening. The law introduces a mechanism to assess and, where necessary, restrict foreign investments that may pose risks to national security or public order.

Under the FDI Law, a FDI is subject to screening if it involves:

a third-country investor targeting a sensitive sector (such as infrastructure, assets, goods and services necessary in the sectors of energy, IT, digital infrastructure etc.);
an EU investor controlled by a third-country entity or government; and
an EU investor with ≥10% participation by a third-country person, entity or government, and the target operates in a particularly sensitive sector (such as infrastructure, assets, goods and services necessary in the sectors of defence, cybersecurity, AI etc.).

Investors must obtain FDI approval by the Interministerial Committee for the Screening of Foreign Direct Investments or be exempted from such obligation before completing the investment, by applying to the competent authority.

Failure to comply with the FDI Law requirements may result in fines or even the reversal or prohibition of the investment.

Cybersecurity Law

Network and Information Security 2 (NIS2) Directive of the European Parliament and the Council (Directive (EU) 2022/2557) was transposed into national legislation as Law 5160/2024 (the “Cybersecurity Law”). The Cybersecurity Law introduced a framework of cybersecurity risk management rules and measures which should be adopted by the public or private entities which fall under its scope. Supervisory and enforcement measures are also applicable.

The Cybersecurity Law is applicable to a wide range of entities categorised by sector and size. It is also applicable to entities whose services have a significant impact on the economy and society as well entities identified as “critical entities” under the NIS2 Directive, both irrespective of size. The entities concerned are those which are established or provide their services or operate within the Greek territory.

Among others, the Cybersecurity Law is applicable to private entities operating in “sectors of high criticality” and “other critical sectors”. Digital infrastructure is included in the sectors of high criticality, and data centre and cloud services providers are among the regulated entities.

The Cybersecurity Law distinguishes the regulated entities as “essential” or “important” depending on whether they fall under the parameters for medium-sized enterprises, their scope of business and nature. Both essential and important entities must comply with the requirements of the Cybersecurity Law and adopt risk management measures, such as incident handling, business continuity, use of cryptography, implementation of a unified cybersecurity policy compliant with the standards set by the National Cybersecurity Authority and reporting obligations; supervisory and enforcement measures may differ depending on the type of entity.

Personal Data Protection

Data centres operating in Greece are subject to the provisions of the EU’s GDPR (General Data Protection Regulation) and Law 4624/2019, on the protection of natural persons with regard to the processing of personal data.

GDPR and the national legislation regulate the processing of personal data by entities controlling and processing such data in Greece, or regarding operations in Greece, setting specific requirements in relation to the handling of personal data, the exercise of rights of the data subjects, the reporting obligations of the controllers and processors and the transfer of personal data to third countries.

The entities subject to the GDPR and the national legislation provisions must comply with the requirements set therein or face substantial fines.

Strategic Investment Incentives

Law 4864/2021 (the “Strategic Investments Law”) enables qualifying projects the opportunity to be classed as “Strategic Investments”. Such projects may be granted incentives to aid their development and operation – data centre projects are eligible to be approved as Strategic Investments.

Depending on their classification under the Strategic Investments Law, Strategic Investment projects may be eligible to receive one or more incentives, the ones most relevant to data centres include: