What is AI regulation in Greece?
AI regulation: countries and regions
Greece regulates AI through a mix of directly applicable EU law and domestic rules. The EU AI Act is the main framework, while Greek Law 4961/2022 adds public sector conditions on AI decision support, transparency, procurement and registers, plus private sector duties around worker information, internal AI registers and data ethics. Nationally, policy is coordinated through the Ministry of Digital Governance and Artificial Intelligence, while the Hellenic Data Protection Authority stays central wherever personal data is involved.
What this means
Greece does not have a single national AI code that replaces the European regime. If you build, buy or use AI in Greece, the main rulebook is the EU AI Act, read together with Greek data protection law and the domestic AI provisions in Law 4961/2022.
That matters because some Greek duties already exist before the later EU high-risk dates arrive. Public authorities need an express legal basis before using AI in rights-affecting decisions, plus impact assessment, transparency and a register. Private employers using AI in hiring or evaluation already face worker information duties, and many medium and large businesses have record-keeping and data ethics duties too.
The institutional picture is partly settled and partly still emerging. Greece has published its list of AI Act fundamental-rights authorities, but the wider public map for market surveillance and related AI Act supervision is still less clear in the official material reviewed.
Why it matters
If you are a founder, buyer, supplier, adviser or public official, the Greek layer changes what compliant AI deployment looks like in practice. A business cannot assume that Greek law only starts to matter once the EU high-risk regime is fully live. In Greece, domestic rules can already affect HR systems, consumer profiling, public procurement, administrative transparency and the governance of AI used by the state.
It also matters because the Greek rules are operational, not just aspirational. They affect what must be written into public tenders, what must be disclosed to workers or affected persons, what internal registers larger businesses should keep, and which authority may become involved if something goes wrong. For organisations using AI in Greece, the safest approach is to treat AI Act, GDPR, labour, procurement and public-law questions as one connected governance issue.
How it works
The basic legal model
AI regulation in Greece starts with the EU AI Act because it is an EU regulation, not a directive. Greece does not need to transpose its core obligations into national law before they matter. Current official European Commission material says prohibited AI practices and AI literacy obligations already apply, GPAI and governance rules already apply, transparency rules start in August 2026, and, after the May 2026 political agreement on simplification, the main high-risk dates move later: 2 December 2027 for Annex III systems and 2 August 2028 for AI embedded in regulated products.
For Greece, that means the central compliance architecture is European, but the institutional and administrative layer around it is national. Greek organisations therefore need to look at both levels at once: the Union rules that classify systems and set provider and deployer duties, and the Greek rules that govern public administration, employment uses, transparency and local supervision.
What Law 4961/2022 adds
Before the EU AI Act began to apply in stages, Greece enacted Law 4961/2022 on emerging information and communication technologies. It is not a Greek substitute for the AI Act and it does not create a complete national product-safety regime for AI. What it does do is add domestic governance rules for public sector AI use, certain AI-related duties in the private sector and an institutional structure for national AI strategy and monitoring.
That law also created a cross-government Coordinating Committee on AI, a Supervision Committee for the national AI strategy and an AI Observatory inside the Ministry. In other words, Greek AI regulation is not only about prohibitions and later market surveillance. It is also about planning, transparency, registers, inter-agency coordination and the way the state itself uses AI.
Public sector controls
For Greek public bodies, the most important domestic rule is strict. If an AI system is used for decision making, or to support decision making, or the issue of an administrative act that affects the rights of a natural or legal person, that use must be expressly provided for in a specific law containing appropriate safeguards. A procurement contract or general digitisation mandate is not enough.
Before such a system starts operating, the public body must carry out an algorithmic impact assessment. The assessment must cover matters such as the purpose pursued, the public interest served, the system's capabilities and operating parameters, the categories of decisions or acts involved, the categories of data processed, the risks to rights and legitimate interests, and the expected public benefit weighed against possible harms. Greek law also makes clear that this algorithmic impact assessment does not replace a GDPR data protection impact assessment where one is required.
Greek law then adds transparency duties. Public bodies must publish basic information about the system, including when it started operating, how it works at a basic level, which categories of decisions it supports and whether an algorithmic impact assessment was carried out. They must also ensure that the affected person can understand the parameters on which a decision or act was based, in an accessible form. Each public body must keep a register of the AI systems it uses, update it regularly and provide it to the National Transparency Authority on request.
Public procurement is also regulated more tightly than many suppliers expect. Where a Greek public authority buys or commissions an AI system, the tender and contract must require the contractor to provide the information needed for the authority's transparency duties, to avoid blocking those duties through claims of secrecy, to deliver the system on terms that let the authority study how it works and improve it, and to take measures that keep the system compatible with legality and core rights such as privacy, data protection, non-discrimination, accessibility and good administration. This is especially important for suppliers selling to the Greek state.
The public-sector chapter of Law 4961/2022 does, however, have a boundary. It excludes the Ministry of National Defence, the Ministry of Citizen Protection, their supervised entities and the National Intelligence Service.
Private sector duties that are easy to miss
Greek domestic law also reaches into the private sector. If a private employer uses an AI system that affects any decision-making process about workers or job applicants and has an impact on working conditions, selection, recruitment or evaluation, it must provide clear and sufficient information before the first use. At a minimum, that information must include the parameters on which the relevant decision is based. The employer must also respect equal treatment and anti-discrimination rules.
This is not a symbolic duty. Law 4961/2022 links breaches of the worker-information rule to the Greek labour enforcement framework, with the competent authority for administrative sanctions identified as the Labour Inspectorate. So an HR team using AI-assisted screening, ranking or evaluation in Greece should not treat this as a future issue.
For medium and large private entities, the law goes further. If they use AI for consumer profiling or for the evaluation of workers or associated natural persons, they must keep an electronic register of those systems. They must also maintain a data ethics policy describing the measures, actions and procedures they apply when using AI. For certain companies that issue a corporate governance statement, that statement must include information about the data ethics policy used.
The practical consequence is simple: some Greek businesses already have domestic documentation duties now, even where the later EU high-risk deadlines have not yet arrived.
Who is in charge
At policy level, AI in Greece now sits inside the Ministry of Digital Governance and Artificial Intelligence. In 2025 the government announced a dedicated Special Secretariat for AI and Data Governance and tied it to national AI strategy work, data governance and public sector AI projects. That signals a more centralised governance model, with one ministry expected to steer AI policy rather than leaving it entirely to scattered sector bodies.
For AI Act implementation, Greece has already taken one clear formal step. The Ministry published its list of national authorities and bodies responsible for protecting fundamental rights in relation to high-risk AI systems. The list names four bodies: the Hellenic Data Protection Authority, the Greek Ombudsman, the Authority for the Assurance of the Confidentiality of Communications and the National Commission for Human Rights. According to the Ministry, these bodies gain the AI Act's additional powers of access to relevant compliance documentation from 2 August 2026.
The Hellenic Data Protection Authority remains especially important wherever AI uses personal data. Under the GDPR and Greek implementing law it has independent supervisory, investigative and corrective powers, and it represents Greece in European data protection cooperation. In practice, many important AI questions in Greece will still pass through a data protection lens even where the AI Act is also relevant.
Enforcement in practice
Greek AI supervision already works through several legal tracks at once. A public-sector transparency failure under Law 4961/2022 may involve the National Transparency Authority. A worker-information breach may involve labour enforcement. Personal-data issues fall within the Hellenic Data Protection Authority's remit. AI Act-specific market surveillance, notified-body and conformity-assessment questions sit in the national competent-authority layer required by the EU regime.
That split is not theoretical. In February 2025, the Hellenic Data Protection Authority announced an ex officio investigation into the DeepSeek AI application as made available in Greece, examining its lawfulness under the GDPR. The wider lesson is practical: AI products can already face real regulatory scrutiny in Greece even before the later high-risk dates, especially where personal data, profiling or opaque processing is involved.
What is still unsettled
The clearest published Greek AI Act measure so far is the list of fundamental-rights authorities. The broader enforcement map is less tidy in public official material. The European Commission says each Member State should have designated and empowered its national competent authorities by 2 August 2025. Yet the Commission page on market surveillance authorities, last updated in September 2025, still showed Greece without a listed Single Point of Contact.
That does not prove that Greece has failed to act since then. It does show that public-facing confirmation has lagged. For organisations with time-critical plans, especially those dealing with higher-risk cases, the safe position is to verify the current Greek route for market surveillance, notifying authorities and related implementation channels close to launch or market entry.
A second moving part is timing. The European Commission's current AI Act pages reflect the May 2026 political agreement on simplification, which pushes the main high-risk compliance dates later than originally expected. Businesses operating in Greece should therefore not rely on older timelines copied from mid-2024 material. They should monitor the current EU pages and the final published legislative text, together with developing standards and guidance.
Examples
Public authority decision support. If a Greek authority wants to use AI to support a permit, benefit, inspection or other administrative act that affects a person's rights, it cannot rely on a general digitisation project. It needs express statutory authorisation, then an algorithmic impact assessment, public transparency measures, an accessible explanation route and an internal register. If the system is bought from a supplier, the contract must also preserve the authority's access to operating information and its ability to study the system.
HR screening and evaluation. A private employer using AI for screening applicants or evaluating staff must inform candidates or workers before first use and disclose the main decision parameters, while still respecting equal-treatment and anti-discrimination rules. If the employer is a medium or large entity and the tool is used for staff evaluation, it should also keep the Greek AI register and data ethics policy required by Law 4961/2022.
Consumer AI app with personal data. The Hellenic Data Protection Authority's 2025 DeepSeek investigation shows how an AI launch can move straight into GDPR supervision in Greece. A business cannot assume that waiting for the later AI Act high-risk dates removes present compliance pressure if the service profiles individuals, processes personal data or creates major transparency gaps.
Common misunderstandings
Misunderstanding: Greece has its own single AI code that replaces the EU AI Act. Correction: the EU AI Act is the main rulebook, and Greek law adds local governance and sector-specific duties around it.
Misunderstanding: The GDPR stops mattering once a system is considered under the AI Act. Correction: in Greece, data protection law still applies in parallel wherever personal data is processed.
Misunderstanding: A vendor can keep an AI system effectively opaque when selling to the Greek public sector. Correction: Greek law brings transparency and documentation into tendering and contracting from the start.
Misunderstanding: Greek businesses only need to care when the full EU high-risk regime arrives. Correction: worker information duties, internal registers, data ethics policies and GDPR obligations can already apply now.
Misunderstanding: Greece has already published a complete and final AI Act enforcement map. Correction: the list of fundamental-rights authorities is public, but the wider public map for market surveillance and related implementation channels is still less clear in the official sources reviewed.
Risks and boundaries
AI regulation in Greece is not the same thing as complete EU AI product compliance. A company placing a high-risk AI system on the Union market still needs to deal with the EU classification, conformity assessment and post-market duties, not just the Greek domestic rules.
It is also not only a privacy topic. Some Greek duties concern public law, procurement, labour information and administrative transparency, even where privacy is only one part of the picture. A system can raise no obvious high-risk AI Act issue today and still trigger Greek HR notice duties or GDPR scrutiny.
There are important limits and live uncertainties. The public-sector chapter of Law 4961/2022 excludes defence, citizen-protection bodies and the intelligence service. The final national AI Act enforcement architecture is still not easy to read from public official sources in one place. And the EU timetable for high-risk systems has been reshaped by the May 2026 political agreement on simplification. If timing or authority mapping is business critical, check the current official EU and Greek pages at the point of action.
What to do next
Start with an inventory, not a policy slogan. Map every AI use by purpose, whether it affects individual rights, whether it sits in the public sector, employment or consumer profiling, and whether personal data appears in training, prompts, logs or decision flows.
Then separate the workstreams. For Greek public-sector uses, test the statutory basis, run an algorithmic impact assessment, build the register and rewrite procurement clauses. For private-sector HR uses, prepare worker and candidate notices and check anti-discrimination controls. For medium and large businesses using AI for profiling or evaluation, create the internal AI register and data ethics policy. Across all of that, align AI governance with GDPR, cyber security, procurement and internal audit rather than treating AI as a stand-alone compliance project.
Finally, assign an owner for regulatory monitoring. Someone inside the organisation should track the Greek authority map, the current AI Act timetable, new Commission guidance and developing harmonised standards. The architecture is now clear enough to require action, but not yet static enough to ignore.
FAQs
Does Greece have its own standalone AI Act?
Not in the sense of a single national code replacing the EU regime. The EU AI Act applies directly in Greece, and Greece layers domestic rules on top of it.
Which Greek law matters most apart from the EU AI Act?
Law 4961/2022. It governs public-sector AI use, certain procurement and transparency duties, worker-information duties, and internal record-keeping and data ethics obligations for some larger private businesses.
When do the main EU AI Act duties matter in Greece?
Current official Commission material says prohibited practices and AI literacy already apply, GPAI and governance rules already apply, transparency duties start in August 2026, and the main high-risk dates are later under the May 2026 political agreement: 2 December 2027 for Annex III systems and 2 August 2028 for AI embedded in regulated products.
Can a Greek public body use AI for decisions affecting rights without a specific law?
No. Law 4961/2022 requires express statutory authorisation with safeguards when AI is used to support decision making or acts that affect rights.
Do employers in Greece already have AI-specific duties?
Yes. If AI affects selection, recruitment, evaluation or working conditions, workers and applicants must be informed before first use, and equal-treatment rules still apply.
Do larger Greek companies need an internal AI register?
In certain cases, yes. Medium and large businesses must keep an electronic register when they use AI for consumer profiling or for evaluating workers or associated natural persons, and they must maintain a data ethics policy.
Who supervises AI in Greece?
The answer depends on the issue. The Hellenic Data Protection Authority remains central for personal-data matters, the National Transparency Authority handles certain public-sector transparency complaints under Law 4961/2022, labour authorities enforce worker-information duties, and AI Act market surveillance sits in the national competent-authority layer.
Is Greece's full AI Act enforcement map final and easy to find?
Not yet in one clear public package, at least from the official sources reviewed. Greece has publicly listed its fundamental-rights authorities, but the broader public path for market surveillance and related implementation arrangements is still less obvious.