Written by Skopa - Zanganas & Associates Date 05 Aug 2022

Greece - Newly Introduced legal provisions concerning emerging technologies- Artificial Intelligence/Blockchain/Internet of Things (Law 4961/2022)

Greek Law 4961 was published in the Government Gazette last week (Government Gazette A' 146/27-07-2022). The new law is entitled: "Emerging information and communication technologies, strengthening digital governance and other provisions", and constitutes a first legislative attempt to regulate issues related to new technologies, such as artificial intelligence, the Internet of Things, Blockchain, and Smart Contracts, in Greece.

This attempt, while containing provisions and elements which suggest that the legislative process was rushed and not optimal, introduces several obligations and interesting provisions which apply to organizations which are either using these new technologies or are operating in markets related to them.

This newsletter provides a brief overview of some of the key provisions and obligations introduced by the new law:


A) Provisions relating to the use of Artificial Intelligence (AI)


The Section of the new Law containing the provisions regulating the use of AI technologies has, perhaps justifiably, already become a topic of controversy between legal practitioners.

Critics have already voiced their concerns in regard to the fact that the new legislation constitutes an attempt to introduce a national provision to regulate the use of AI systems and protect the fundamental rights which may be affected by it, while a proposal to centrally regulate the issue, at EU level, has already been introduced by the Commission (AI Act)[1].

Indeed, one of the purposes of the AI Act proposal is to prevent fragmentation of the single market due to the existence of different national laws on the use of AI. The new law seems to be going in the opposite direction by introducing national provisions which could contribute to the abovementioned fragmentation.


1. Obligations concerning Public Bodies


The new law defines the framework within which public bodies may legally use AI technologies. According to some of the key provisions on that subject:

  • Public bodies may, in the exercise of their functions/powers, legally use an AI system, which either entails automated decision-making or contributes to a, human-run, decision-making process, only if the use of the AI system is expressly provided for in a specific legal provision. The abovementioned specific legal provision shall also contain all the safeguards necessary to protect the rights of natural and legal persons which may be affected by the decision-making process.
  • An obligation to carry out an Algorithmic Impact Assessment (AIA) is introduced for any public body, which wishes to use the abovementioned AI systems. The AIA must be carried out before the system is used, and it should include, at a minimum, a description of the capabilities and intended use/purpose of the system, as well as the type of decisions which the system will be making. The purpose of the assessment is to weigh the benefits of the system against the potential risks to the rights and legitimate interests of the natural and legal persons affected by the use of the system.

It shall be noted that both the content and essence of the provisions related to carrying out the AIA differ, both in terms of when the obligation is triggered and the necessary content of the AIA, from the corresponding provisions of the proposed EU AI Act.

  • A number of obligations are created relating to: i. the establishment and maintenance of a Register of algorithmic decision making systems of the public body concerned, ii. the compliance with the principle of transparency in the use of AI systems and the provision, by the public body to the general public and the potentially affected businesses, of information relating to the existence and modus operandi of AI systems, and the methodology of decision making executed by them. Compliance with these obligations is monitored by the National Transparency Authority (NTA).
  • Finally, the Law introduces a set of minimum contractual obligations to be undertaken, vis-à-vis the concerned Contracting Authorities, by prospective contractors of public contracts/tenders relating to the development or design of AI systems.



2. Obligations concerning Employers and Medium or Large Enterprises


Employers, both in the public and private sector, who use AI systems which influence decision-making about an employee or prospective employee must:

  • Provide detailed information to the employee/prospective employee on the parameters that determine the decision.
  • Ensure that the use of AI does not adversely affect the principle of equal treatment and the prohibition of discrimination in the workplace.


The violation of the above obligations is controlled by the Labour Inspectorate and violators are subject to the sanctions of Law 3996/2011.

Additional obligations are introduced for companies that constitute Medium or Large Entities, according to the size definition of the Greek Accounting Standards. In particular, Medium and Large Enterprises are now required to:

  • Keep an electronic register of the AI systems used in the context of consumer profiling or employee/co-worker evaluation. The register should include comprehensive information on the operational parameters, purposes, and prevention/protection measures of each system.
  • Establish and maintain an ethical data use policy, which describes the measures and procedures to be applied during the use of AI systems (AI Ethics). SAs, which are already required to draft a corporate governance statement in accordance with Art.152 of Law 4548/2018, must include their data ethics policy in the corporate governance statement.

It shall be noted that all the obligations regarding the use of AI, introduced by the new Law, are treated as independent legal obligations and thus, in cases where an AI system is used -inter alia- for the processing of personal data, they do not overlap or affect the application of the legal framework for the protection of personal data (GDPR, Law 4624/2019, etc.)

Finally, it is noted that the above obligations, which relate to the use of AI, will enter into force on 1 January 2023.



B) Provisions relating to Blockchain, IoT, Smart Contracts, and 3D Printing.


Section B of the new law contains a series of provisions that regulate, for the first time under Greek law, a series of issues concerning technologies and applications that have developed rapidly in recent years on a global level. To that end, definitions are introduced for terms such as "blockchain", "Distributed Ledger Technology-DLT", "Internet of Things (IoT), "smart contract", "3D Printing", and "Design Data".


1. Provisions on the Internet of Things (ΙοΤ)

Rules aiming to an increased level of cybersecurity throughout the life cycle of IoT devices, are introduced for manufacturers, importers/distributors, operators, and users of IoT devices.

For the purposes of the new Law, the term "operator of IoT devices- IoT operator" includes: i. Essential Service Providers (Law 4577/2018), ii. Digital Service Providers, and iii. Public Utility Companies, if they use IoT devices.

  • Manufacturers of IoT Devices.

Manufacturers of IoT devices, which are intended for use by IoT operators, must comply, by design, with the measures and information security safeguards for IoT devices established at a national level by the competent authorities[2]. Additionally, IoT devices shall always be accompanied by simple and comprehensible instructions of use, safety information, and the Manufacturer’s declaration of conformity of the device with the abovementioned measures/safeguards.

Manufacturers shall also establish procedures for the management and handling of the IoT device in cases where the user identifies either the occurrence of a security incident or the existence of a security vulnerability in the device.

  • Importers and Distributors

Importers and distributors of IoT devices must: i. verify that the devices are accompanied by the manufacturer’s declaration of conformity, ii. cooperate and comply with the instructions of the National Cybersecurity Authority (NCA), and iii. Inform the NCA if they become aware of the fact that an IoT device does not comply with the national information security measures and safeguards. In the latter case, the Importer/Distributor is also obligated to refrain from placing products on the market.

  • Operators of IoT Devices

IoT operators are burdened with several obligations under the new law.

Firstly, they must use the IoT devices in accordance with their safety and technical specifications, and appoint an IoT Security Officer, who shall be responsible for monitoring the above-mentioned compliant use of the devices. Secondly, IoT operators shall establish and update a detailed register of the interconnected devices they use. In addition, operators must provide clear information on the use and the configuration, as well as detailed instructions on the control and security of the IoT devices to their users. Finally, when personal data are processed through the IoT device, the IoT operator shall fully respect the applicable data protection legislation and carry out a Data Protection Impact Assessment, in accordance with Art. 35 GDPR, before using the devices.

Breaches of the provisions on the use of IoT devices can lead to fines of up to 100,000€.

The obligations relating to the use of IoT technologies shall enter into force on 1 March 2023.


2. Provisions on DLT, Blockchain, and Smart Contracts


For the first time on a national level, the Law introduces provisions regulating the usage of distributed ledger technologies (DLT), Blockchain, and Smart Contracts.

In particular, the ability to record data or transactions, via Blockchain or other DLTs is legally and explicitly recognized by the new Law. The same applies to the ability to enter into a binding "smart contract", which may constitute either: i. a part of a separate agreement which was concluded by other means (i.e. traditionally signed agreement) or ii. a stand-alone agreement, the terms of which are embedded in computer program code or predefined in a Blockchain or other DLT.

The law expressly states that smart contracts shall, in terms of their evidential value, be considered “documents” within the context of the Greek Code of Civil Procedure. At the same time, the new law recognizes that the invalidity, nullity, and pre-contractual liability provisions of the Greek Civil Code apply directly to both blockchain, DLTs, and smart contracts.

Although the new law provides a basic degree of security for transactions, by recognizing the validity of transactions and agreements which take place using these technologies, it do not seem to take into account the specific nature of each technology in order to establish clear and specific rules which would allow the resolution of practical transactional issues and provide increased legal certainty for the users of these technologies. Therefore, it is very likely that increased legal certainty will only be provided, both to the users of these technologies and to the companies that deploy them as part of their business model, when the Courts begin issuing case law on the provisions/issues.


3. Provisions on Intellectual Property and consumer protection issues related to 3D Printing and Computer Aided Design Files (C.A.D files).

The new law also introduces provisions to clarify intellectual property issues arising from the use of technologies and devices related to 3D printing, as well as to the creation of CAD files, design files and digital models. Some of the main provisions of the law in this regard are as follows:

  • Article 2(3) of Law 2121/1993 (Greek Intellectual Property Act) is amended to expressly provide that digital computer-aided design files (Computer Aided Design File - C.A.D Files) are protected as works of speech, under Greek Intellectual Property Law, if they contain source code.
  • 3D printers and scanners are explicitly recognized as technical means within the meaning of Article 18.3 of Law 2121/1993, and the relevant reasonable renumeration for their use shall apply.
  • A prohibition is introduced on the use, hosting, and sharing of digital model, digital design, or STL files on online platforms without the prior consent of their creator/legal rightsholder.
  • A standalone obligation is introduced for the provider of the online platform, through which the abovementioned illegal hosting, use, or sharing is carried out, to take all necessary measures to remedy the infringement as soon as it is notified of it (takedown action).
  • Digital models and files related to 3D printing, as well as 3D printed objects and 3D printers/scanners are recognized as “goods” and the liability of their creators and sellers for their defects is explicitly introduced, in accordance with the Greek Consumer Protection Law.



For the provision of further information, carrying out Algorithmic Impact Assessments, or for general support in complying with the new provisions, do not hesitate to contact us directly.




[1] Proposal for a “Regulation of the European Parliament and of the Council laying down harmonized rules on Artificial Intelligence (Artificial Intelligence Act) and amending certain Union legislative acts”, COM(2021) 206 final, 2021/0106(COD),



[2] The specific measures and information security safeguards will be specified, at a later date, by means of a Ministerial Decision of the Minister of Digital Governance, following the recommendation of the National Cybersecurity Authority, in accordance with paragraph 12a of article 113 of Law 4961/2022.

Follow Us


The office maintains a wide network of lawyers as well as specialized professionals (engineers, notaries, accountants) throughout Greece so as to quickly serve the needs of our clientele.


77 3is Septemvriou, Athens, 10434, Attika

Telephone: +30 210 - 8213894

Fax: +30 2108213894

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.