NIS2: A new era of cybersecurity in the European Union

26 July 2024 | Knowledge, News, The Right Focus

NIS2, the Directive on measures for a high common level of cybersecurity across the Union, is a response to increasingly serious digital threats. It strengthens the protection of critical sectors of the economy against cybercrime and applies in all Member States.

Key changes include:

  • Extending the range of covered entities
  • Defining minimum security requirements
  • Strengthening requirements and penalties for incidents
  • Imposing supply chain security obligations

Member States have until 17 October 2024 to bring their national legislation into line with NIS2. The new regulations will come into force one day later, on 18 October. The Ministry of Digital Affairs plans to adopt the relevant act in the third quarter of 2024.

How to prepare for NIS2 obligations

NIS2 brings with it a number of obligations relating to cybersecurity, risk management and incident reporting.

However, the first step should be to assess internally whether the company concerned is subject to the obligations imposed by NIS2, based on the relevant criteria.

The NIS2 will cover medium-sized or large enterprises (with at least 50 employees and an annual turnover and/or annual balance sheet total of more than EUR 10 million) that operate in the following sectors:

  • Sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space
  • Other critical sectors: postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers, research

In addition, the NIS2 regulations may cover small enterprises and microenterprises if they play a key role for society, the economy or for specific sectors or types of services.

NIS2 responsibilities, procedures and standards

If the above criteria are met, the entity must comply with requirements in the following areas:

  • Risk management: Entities must implement appropriate technical and organisational measures to protect their networks and systems from cyber threats
  • Incident reporting: There is an obligation to promptly report significant incidents to the competent authorities and to inform customers of potential threats
  • Threat analysis: Regular risk assessments are required to identify and respond to emerging threats
  • Cooperation with authorities: Entities must actively participate in the exchange of information on threats
  • Training: Employees and managers should receive regular cybersecurity awareness training

Importantly, NIS2 also sets out the responsibilities of management boards. Indeed, the management bodies of essential and important entities should approve cybersecurity risk-management measures and oversee their implementation.

Their members, meanwhile, will be required to undergo regular training to acquire the knowledge and skills to identify risks and assess cyber threat management practices and their impact on the services the organisation provides. They will also have to offer similar training to their staff.

Powers of supervisory authorities and associated penalties

The NIS2 gives supervisory authorities a range of powers to monitor implementation and enforce the new rules.

These include carrying out audits, requiring entities to provide necessary information, recommending or ordering entities to bring themselves into compliance with the Directive, and ordering them to cease particular conduct or to implement audit recommendations. In the case of essential entities, if these measures prove ineffective, the authorities may temporarily suspend a certification or authorisation for the services or activities concerned, or temporarily prohibit the exercise of managerial functions in the entity concerned.

Financial penalties for non-compliance will also be increased:

  • For essential entities, up to EUR 10 million or 2 % of total annual turnover
  • For important entities, up to EUR 7 million or 1.4 % of total annual turnover

The NIS2 Directive represents a major change in the approach to cybersecurity in the European Union.

It is fair to say that it will substantially raise the level of awareness in many sectors. For some organisations, implementing its requirements may prove to be quite a challenge, which is why we encourage you to contact us now – we will be happy to help you through the process.

Maciej Kuranc

Mikołaj Kuterek
