NIS2: A new era of cybersecurity in the European Union

26 July 2024 | Knowledge, News, The Right Focus

NIS2, the Directive on measures for a high common level of cybersecurity across the Union, is the EU's response to increasingly serious digital threats. It applies in all Member States and strengthens the protection of critical sectors of the economy against cybercrime.

Key changes include:

  • Extending the range of covered entities
  • Defining minimum security requirements
  • Strengthening requirements and penalties for incidents
  • Imposing supply chain security obligations

Member States have until 17 October 2024 to bring their national legislation into line with NIS2. The new regulations will come into force one day later, on 18 October. The Ministry of Digital Affairs plans to adopt the relevant act in the third quarter of 2024.

How to prepare for NIS2 obligations

The NIS2 brings with it a number of obligations to ensure cybersecurity, risk management and incident reporting.

However, the first step should be to assess internally whether the company concerned is subject to the obligations imposed by NIS2, based on the relevant criteria.

The NIS2 will cover medium-sized or large enterprises (with at least 50 employees and an annual turnover and/or annual balance sheet total of more than EUR 10 million) that operate in the following sectors:

  • Sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space
  • Other critical sectors: postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; manufacturing; digital providers; research

In addition, the NIS2 regulations may cover small enterprises and microenterprises if they play a key role for society, the economy or for specific sectors or types of services.

NIS2 responsibilities, procedures and standards

If the above criteria are met, the entity must satisfy requirements in the following areas:

  • Risk management: Entities must implement appropriate technical and organisational measures to protect their networks and systems from cyber threats
  • Incident reporting: There is an obligation to promptly report significant incidents to the competent authorities and to inform customers of potential threats
  • Threat analysis: Regular risk assessments are required to identify and respond to emerging threats
  • Cooperation with authorities: Entities must actively participate in the exchange of information on threats
  • Training: Employees and managers should receive regular cybersecurity awareness training

Importantly, NIS2 also sets out the responsibilities of management boards. Indeed, the management bodies of essential and important entities should approve cybersecurity risk-management measures and oversee their implementation.

Their members, meanwhile, will be required to undergo regular training to acquire the knowledge and skills to identify risks and assess cyber threat management practices and their impact on the services the organisation provides. They will also have to offer similar training to their staff.

Powers of supervisory authorities and associated penalties

The NIS2 gives supervisory authorities a range of powers to monitor implementation and enforce the new rules.

These include carrying out audits, requiring entities to provide necessary information, recommending or ordering entities to ensure compliance with the Directive, ordering them to cease a particular conduct or to implement audit recommendations. In the case of essential entities, if the above measures are ineffective the authorities may temporarily suspend a certification or authorisation for services or activities, or temporarily prohibit the exercise of managerial functions in the entity concerned.

Financial penalties for non-compliance will also be increased:

  • For essential entities, up to EUR 10 million or 2% of total annual turnover
  • For important entities, up to EUR 7 million or 1.4% of total annual turnover

The NIS2 Directive represents a major change in the approach to cybersecurity in the European Union.

It is fair to say that it will substantially change the level of awareness in many sectors. For some organisations, implementing its requirements may prove to be quite a challenge, so we encourage you to contact us now – we will be happy to help you through the process.

Any questions? Contact us

Maciej Kuranc

Mikołaj Kuterek

Contact us:

Natalia Kotłowska-Wochna

Attorney-at-Law / Head of New Tech M&A / NewTech Practice Group / Head of the Poznan Office

+48 606 689 185

n.kotlowska@kochanski.pl

Maciej Kuranc

Attorney-at-Law / Senior Associate / NewTech / Data Protection and Cybersecurity

+48 22 326 9600

m.kuranc@kochanski.pl