PwC: New EU requirements for cybersecurity are moving closer and closer


The NIS2 Directive, i.e. the new EU regulation on cybersecurity, has significantly increased the number of entities subject to obligations. This is due to the standardization of the identification criteria. Moreover, the Directive sets out specific requirements which must be implemented.

What is the NIS2 Directive?
The Directive on measures for a high common level of cybersecurity across the Union (the NIS2 Directive) entered into force on 16 January 2023. It lays emphasis on security requirements, including, among other things, supply chain security, reporting obligations and the control and supervisory mechanisms available to State authorities. Moreover, NIS2 lays down a basic criterion for identifying the entities (based on company size) which will be covered by the new regulations, and it also sets out new rules for reporting security incidents. The requirements concerning the obligation to maintain business continuity in an emergency situation are also important. The NIS2 Directive must be implemented in Poland by adopting an appropriate legal act (an amendment to the Act on the National Cybersecurity System).

Who will be covered by NIS2?
The NIS2 Directive identifies 18 sectors of the economy in which entities (private or public) will be required to implement enhanced cybersecurity requirements. These sectors include, among other things, energy, health, manufacturers and distributors of medicines, transport, digital infrastructure (e.g. providers of cloud services), providers of ICT-managed services, producers and distributors of food, manufacturers of computers (among other products), the automotive sector and manufacturers and distributors of chemicals.

How will I know if my organization is subject to NIS2?
The NIS2 Directive recommends establishing a self-identification mechanism, i.e. entities will have to determine for themselves whether they come under the Directive. In most cases this process will be fairly easy, but in certain cases an in-depth analysis may be required, e.g. for enterprises operating in the production sector. The draft Polish regulation implementing NIS2 states explicitly that such an applicability analysis is the entities’ own responsibility.

NIS2 has introduced clear criteria which allow an organization to recognize whether it falls within the scope of the regulation. Importantly, these criteria are universal, i.e. they will apply in all 27 EU countries, regardless of whether any state decides to establish additional criteria or requirements. The criteria are twofold: company size, and the provision of services or operation in the EU in one of the 18 sectors of the economy indicated in the Directive.

The NIS2 Directive recognizes an entity (public or private) as falling within the scope of the regulations provided that it meets the medium-sized enterprise criterion. This means that each organization which has 50 or more employees and which generates annual turnover of more than EUR 10 million, or which has total assets/equity and liabilities of more than EUR 10 million, and which, furthermore, provides the services indicated in the Directive in the territory of the EU, is automatically included within the scope of NIS2. Therefore, the first step an organization should take is to analyse its operating profile (the services it provides) and to determine its company size. We should also bear in mind that NIS2 has introduced a number of exceptions to the “medium-sized enterprise” rule. The Directive explicitly identifies several categories of services in which the entities are automatically classified as coming under NIS2 regardless of company size. These are entities which provide several types of digital services (the digital infrastructure sector), e.g. provision of DNS services or qualified trust services.

That is why it is worth making a preliminary assessment now, so as to have more time to adapt to the new requirements if necessary. Check whether your organization will be subject to NIS2 requirements.

However, we should remember that the NIS2 Directive has introduced a harmonization minimum, which means that countries may introduce additional criteria for coming under the regulation.

You already know your company profile and size – what now?
The previous EU regulation on cybersecurity (NIS1 of 2016) made state institutions (the so-called competent authorities) responsible for conducting the process of identification and decision-making regarding the entities which fall within the scope of the regulation. NIS2 has changed this approach.

NIS2 provides for the establishment by the Member States of mechanisms which will allow entities to register on their own. That is, entities are required not only to check whether they fall within the scope of the regulation, but also to notify the competent state authority, which will be responsible for maintaining a national register of entities (in keeping with the rules and procedures adopted in the relevant national regulations).

In the draft Polish regulation implementing NIS2, the regulator has laid down the rules and procedures enabling self-registration on the list of entities which are subject to NIS2, including, among other things, deadlines for registration.

How will NIS2 affect your organization?
NIS2 approaches risk management in a proactive manner. The entities covered by NIS2 are obliged to implement appropriate security policies in order to ensure a systematic and in-depth risk analysis. These policies should be based on an approach which takes into account all possible risks to ICT system security, including those related to physical security (an all-hazard approach). Organizations should implement appropriate (technical, operational and organizational) measures which ensure the expected level of cybersecurity within the organization.

The risk management measures should be proportionate to the estimated risk, and they should cover, among other things, areas such as security incident management, ICT system security, business continuity and human resources security.

The Directive governs requirements and obligations for two categories of entities: essential and important ones. This distinction results from the division of the sectors of the economy into these two categories in NIS2. Importantly, the cybersecurity requirements are the same for both. The differences lie in the approach to supervision by the state authorities (essential entities are supervised ex ante, important entities ex post) and in the administrative penalties that may be applied, which in NIS2 are standardized at EU level and may be severe (the limits on possible financial penalties differ between the two categories: for essential entities, a maximum of EUR 10 million or up to 2% of annual turnover, and for important entities, a maximum of EUR 7 million or up to 1.4% of annual turnover).

It is worth remembering that the Directive sets minimum harmonization at EU level. The Member States may set additional requirements in their national regulations.

When will NIS2 become an applicable law?
The EU countries were required to transpose the Directive into their national legal systems, e.g. by means of an act, by 17 October 2024. So far, only a few EU countries have declared that they have adopted appropriate national regulations. In most countries, including Poland, the legislative processes are still pending, and the countries are at different stages of completing this task. Therefore, we recommend that work on the relevant national regulation be monitored on an ongoing basis.

Importantly, organizations which operate in several EU countries may find that one of their locations is subject to the regulation (e.g. in Italy, Belgium or Romania) while another is not, because the relevant national regulations have not yet been adopted there. As a result, such a company will need to analyse the regulations of each country in which it operates.

It is worth assessing an organization’s readiness against the minimum requirements set out in the NIS2 Directive now, without waiting for the appropriate national regulations.

The assessment will make it possible to identify any gaps or areas in the cybersecurity policies which will require updating or even redesigning. Organizations which are already subject to the requirements of the NIS1 Directive should also review their policies and procedures, primarily with regard to risk management and reporting obligations. The compliance assessment and gap analysis will make it possible to prepare a comprehensive strategy for adapting to NIS2.

Authors:
Marek Chlebicki, Partner PwC, Cybersecurity
Szymon Grabski, Senior Manager, Cybersecurity
Tomasz Wlaź, Senior Associate, Cybersecurity