Greece's AI Act implementation law: what changes for businesses
Greece's national AI Act bill in plain terms: the HDPA and EETT as authorities, a regulatory sandbox, penalties, and what already applies to every business.
Greece is getting its national framework for AI. The bill titled "Measures implementing Regulation (EU) 2024/1689" — the EU AI Act — cleared the competent parliamentary committee on July 13 and goes to a plenary vote on July 16, 2026. For most businesses operating in Greece, the question isn't political but practical: who supervises us, what already applies, what's coming, and what needs to be in order — by when. This guide answers exactly that.
What is Greece's AI Act bill?
The EU's AI regulation applies directly across the Union — it needs no transposition the way directives do. But every member state must designate its national supervisory authorities, set the penalty regime, and stand up support instruments like regulatory sandboxes. That's what the Greek bill does: roughly 42 articles from the Ministry of Digital Governance, also amending Law 4961/2022 on emerging technologies.
Its path was quick: public consultation from June 21 to July 6, 2026 — drawing just 23 comments, a telling measure of how few businesses are paying attention — tabled in Parliament on July 7, committee stage passed July 13, plenary July 16. In committee, only the governing majority backed the bill in principle; the other parties reserved their positions or voted against, and the minister promised amendments in plenary — so details in the final Gazette text may still shift.
Context worth stating: Greece missed the regulation's original August 2025 deadline for designating authorities, but with this bill it lands one of the more complete national frameworks in the EU — at a moment when several member states still haven't named their authorities at all.
Who will supervise AI in Greece?
The bill assigns the roles to existing independent authorities rather than inventing a new agency:
The Hellenic Data Protection Authority (HDPA / ΑΠΔΠΧ) becomes the central market-surveillance authority and the single national contact point. It supervises the Article 5 prohibited practices, Annex III high-risk systems, and the Article 50 transparency obligations — meaning chatbots and synthetic content. Practically: if a Greek business breaches the regulation, the file generally ends up there.
The National Commission for Telecommunications and Posts (EETT) takes the notifying-authority role — certifying and notifying conformity-assessment bodies — and hosts the new AI Coordination and Expertise Centre supporting all competent authorities technically.
The Special Secretariat for AI and Data Governance at the Ministry of Digital Governance (created in June 2025) keeps policy coordination and the public-sector AI systems registry. For fundamental rights, the HDPA is joined by the Greek Ombudsman, ADAE, and the National Commission for Human Rights.
A single complaints mechanism is foreseen, centred on the HDPA, with automatic escalation if a competent authority misses its response window. The consultation also surfaced criticism worth tracking: the HDPA concentrates a dual role for some system categories (conformity assessment and market surveillance together), and staffing questions for the authorities remain open. Points to watch in enforcement — not reasons to do nothing.
What already applies to every business in Greece — today?
Here sits the most common misconception: many teams are waiting "for the law to pass" before doing anything. The regulation applies directly, and three sets of obligations are either live already or land within weeks:
Since February 2, 2025: the prohibited practices — social scoring, manipulative systems, emotion recognition in the workplace — and the Article 4 AI-literacy duty: whoever provides or deploys AI systems must see to their staff's training. If your team uses AI tools daily with no training and no policy, the gap already exists — it isn't coming.
Since August 2, 2025: obligations for general-purpose AI models — mostly a model-maker concern, not one for businesses using them.
From August 2, 2026 — weeks away — Article 50 on transparency activates: chatbots must disclose that the user is talking to an AI system, and synthetic content — deepfakes, generated imagery, text published to inform the public — must be labelled. Systems already on the market before August 2 get a transition until December 2, 2026 for the machine-readable marking requirement; anything placed on the market after that date must comply immediately. If your site runs a support chatbot or you publish AI-generated content, this is the deadline that concerns you — not 2027.
What did the Digital Omnibus change?
In June 2026 the EU finalized the "Digital Omnibus on AI" — the simplification package amending the regulation. Parliament approved it on June 16 and the Council gave final sign-off on June 29; Official Journal publication is expected within July. The changes that matter to businesses:
- Annex III standalone high-risk systems — recruitment and staff evaluation, credit scoring, education, critical infrastructure — get more time: obligations apply from December 2, 2027 instead of August 2, 2026.
- Product-embedded systems (Annex I — machinery, medical devices, toys) move to August 2, 2028.
- Article 50 transparency did not move — it stays at August 2, 2026, as above.
- SME relief: simplified technical documentation for SMEs and small mid-caps, a more proportionate fines regime, and a legal basis for processing special-category data when done to detect and correct bias.
- A new prohibition from December 2, 2026 on systems generating non-consensual intimate imagery or child sexual abuse material.
The high-risk delay happened because the CEN-CENELEC harmonised standards are late — none has been published yet. But it gets mistranslated as "the AI Act froze." It didn't; the order of deadlines changed, and the front line now is transparency, not high-risk. We walk through the full post-omnibus checklist in our EU AI Act compliance guide for SMEs.
What does the Greek regulatory sandbox offer?
The bill establishes an AI Regulatory Sandbox — a controlled environment where, primarily, startups and SMEs can test systems under real conditions with state support and supervision, protected from punitive fines while participating. Operating details — the operator, the entry process, any fees — will settle during implementation; the EU deadline for an operational national sandbox moved to August 2, 2027 anyway, so there is time to build it properly.
The sandbox connects to a bigger picture: Greece was selected among the EU's first seven AI Factories with the Pharos project and the "Daedalus" supercomputer at Lavrio, has had a national AI strategy since June 2025 — with the ministry itself renamed to include Artificial Intelligence — and the Daskalakis committee's "Blueprint" as its strategic base. The regulatory framework is one leg of a broader push, not an isolated obligation.
What penalties apply — and which error is circulating in the media?
The fine ceilings come directly from the EU regulation: up to €35M or 7% of worldwide turnover for prohibited practices, up to €15M or 3% for most operator obligations, and up to €7.5M or 1% for misleading information to authorities. A crucial detail for smaller companies: for SMEs and startups the lower of the two amounts applies at each tier — not the higher, as for large firms.
The national bill adds Greece's enforcement toolbox: warnings and reprimands, administrative fines, publication of decisions, and — here care is needed — periodic penalty payments of up to 2% of average daily worldwide turnover for each day of continued non-compliance. Several Greek outlets reported that "2%" as the law's maximum fine; it isn't. It's a daily coercive penalty, on top of the regulation's fines.
What should a Greek SME do now?
No panic — but no deferral to 2027 either. The realistic list is five steps:
- Inventory what you use. Every AI system and tool in operation — from the site chatbot to CRM scoring. Without an inventory, everything downstream is guesswork.
- Classify by risk. Most SME uses are limited-risk; but if AI touches hiring, staff evaluation, or credit decisions, you're on the high-risk track with a December 2027 horizon — and that preparation doesn't happen in a quarter.
- Close the Article 50 gap before August 2. A disclosure on every chatbot, labels on deepfakes and synthetic content, and a plan for machine-readable marking.
- Train your staff. The Article 4 duty has applied since 2025 — and of all the obligations it has the best business case: a team that knows what it's doing extracts more value from the tools.
- Write a usage policy and set up oversight. Which tools are sanctioned, which data never leaves, who approves what, and how decisions are logged — so that in an audit or due diligence you can show your work.
If you want help with the technical and operational side — inventory, classification, policy, audit trails — that's exactly what our AI governance service does, always alongside your legal counsel, who owns the legal interpretation. And if you don't know where to start, the free readiness self-check gives you a first read in three minutes — "risk & governance" is one of the four dimensions it scores.
The plenary votes on July 16. Whatever shifts in the details, the direction is set: the era of AI operating in Greece without rules is over — and the businesses that take that seriously first will turn it from a compliance cost into an advantage.