    NIS2 – what is it and when is it valid?

    Date: 12.06.2023

    Category: Mobile Networks


    At the beginning of 2023, the EU NIS2 directive entered into force, introducing further changes in the field of cybersecurity. What do the new regulations mean for companies, and which entities will have to meet additional cybersecurity requirements once the NIS rules in force in Poland since 2018 are updated? Read on to learn what you need to know about the update to the EU standards, and check whether your company needs to prepare for NIS2.

    What is the NIS2 Directive?

    This new European Union law aims to provide adequate legal means to raise the general standard of cybersecurity in all EU Member States. The NIS2 Directive, formally “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148”, clarifies issues related to risk assessment and management, improves the response to cyber threats and introduces an obligation to report events that threaten digital security within the European Union.

    Under the new legislation, member states are required to take appropriate legal measures to ensure that they are prepared to:

    • efficiently respond to cyber incidents,
    • cooperate in the exchange of information and joint activities in the field of cyber security,
    • raise the culture of IT security in all sectors that are strategic for the functioning of the state and the economy.

    Since when and who does NIS2 apply to?

    The new regulations entered into force on January 16, 2023, and the document itself was adopted by the European Parliament a few months earlier, on November 10, 2022. It is worth noting that the directive refines the regulations in force since 2016, which functioned in Poland as the Act on the National Security System, and introduces significant changes to the law. When looking for information on what NIS 2 is and when it comes into force, it is worth paying attention to the long vacatio legis. Member states have 20 months to adapt their internal legal acts to the requirements of the new EU directive. This means that changes in accordance with the assumptions of NIS 2 in Poland should be expected no later than October 17, 2024. From the day after this date, the new regulations will be in force in all countries belonging to the European Union.

    NOTE!

    We should expect changes in accordance with the assumptions of NIS 2 in Poland no later than October 17, 2024.

    One of the main reasons for the amendment of EU legislation was the underestimation of the number of entities covered by the first version of the directive. Reality has shown that the original wording of the NIS provisions did not cover many strategic sectors of the economy and that not all entities obliged to comply with it fulfilled their obligations. Therefore, the new legislation expands the catalogue of entities subject to additional obligations in the field of cybersecurity.

    The updated regulations depart from the division into operators of essential services and digital service providers known from the first version of the NIS directive. Instead, the amended act distinguishes key entities and important entities. The obligation to adapt to the new regulations applies both to industries already subject to the old directive and to many entities not yet covered by it. The first group includes digital service providers, healthcare, transport, banking infrastructure, financial markets, water supply, energy and digital infrastructure.

    NIS 2 introduces changes that also apply to a number of additional entities from sectors such as:

    • public administration,
    • water and wastewater management,
    • providers of public networks or electronic communication services,
    • social networks and data centers,
    • outer space,
    • food production,
    • courier and postal services,
    • pharmaceutical, medical and chemical industries.

    Preliminary estimates show that in addition to the entities already included in the first directive, several thousand more companies in Poland will have to adapt their cyber security standards to the amended regulations, which will come into force in the second half of 2024.

    NIS vs NIS2 – major changes

    Compared to the first version of the directive, the changes in NIS 2 are far-reaching and do not only concern the extension of the catalog of industries subject to the new legislation. The fines imposed on entities that fail to comply with their obligations are also increasing. After the changes, they are to be as follows:

    • for key entities – up to EUR 10 million or 2% of the total global turnover,
    • for important entities – up to EUR 7 million or 1.4% of the total global turnover.

    In addition to these changes, the NIS 2 Directive also introduces specific tools that must be used by organizations subject to the new regulations.

    NOTE!

    To be NIS2 compliant, companies will need to implement, among other things:

    • the policy of risk analysis and security of the IT systems used,
    • plans to ensure business continuity and security of the supply chain,
    • incident management policy,

    for which the management bodies of the companies will be directly responsible.

    It is worth noting that the directive equalizes obligations in the field of cybersecurity for key and important entities, while introducing new supervisory tools, such as ad hoc inspections, the already mentioned fines or individual responsibility of decision-makers obliged to ensure compliance with NIS2 regulations.

    NIS2 compliant security audit

    If your company or organization is among the key or important entities, you are obliged to adapt cyber security standards to the new EU regulations. It is worth implementing the necessary actions now to avoid mistakes resulting from the hasty adaptation of procedures to the changes introduced by NIS 2. The first step to improving cybersecurity is to conduct a detailed audit, which should focus on several strategic areas listed below.

    Define the scope of the audit

    At the outset, it is necessary to determine which resources, systems and IT infrastructure will be subject to review, and to define the audit's goals and expected results.

    Identify critical network resources

    In accordance with the directive, the obligation to report incidents requires their detection and thorough assessment, and these are only possible if key areas and network resources belonging to the organization are identified.

    Assess your security level

    The next step is a detailed analysis of the organization’s cybersecurity. The main focus should be on detecting potential security vulnerabilities and on solutions that will allow you to remove them using the tools you have or by implementing completely new systems.

    Risk assessment

    Performing a risk assessment allows you to identify potential threats and weak points in the system. It also helps to determine the likelihood of incidents and their impact on the organization.

    Penetration testing

    A cybersecurity audit may also involve conducting penetration tests to identify vulnerabilities in system security by simulating external attacks or internal incidents.

    Access control

    An important point is to verify the level of access control over individual resources and to make sure that data is properly protected against unauthorized access.

    Security reinforcement

    To increase the level of protection, it is worth focusing on comprehensive solutions, because staged or point-based implementations may overload the infrastructure and create gaps in visibility.

    Incident Response Policy

    An element of the NIS 2-compliant audit is also the creation of procedures and models for responding to incidents related to breaching cyber security. Important and key entities are required to react quickly and adequately to threats, allowing them to minimize the risk of further incidents.

    In addition, important elements of the security audit conducted for NIS2 are:

    • identification of authorities, including national and international teams, with which the organization should cooperate in the field of cyber security,
    • checking whether the organization uses threat intelligence or data enrichment solutions,
    • ensuring that the security systems in place facilitate the response to security breaches,
    • developing security metrics and an incident response plan.

    Get ready for NIS2 with Grandmetric

    The introduction of the second cybersecurity directive poses a major challenge for the many enterprises in Poland to which the new legislation will apply. It is worth analyzing your infrastructure and network resources in detail today to make sure that your security meets the NIS2 requirements, or to implement tools that will bring the organization’s cybersecurity standard up to the new requirements.

    If you need help preparing your business for the changes brought by NIS 2, contact us today and take advantage of the help of Grandmetric experts. We will help you precisely define the obligations arising from the new regulations, perform a security audit and propose comprehensive solutions tailored to your needs to ensure the necessary level of protection.

    Author

    Joanna Sajkowska

    Experienced in the areas of portfolio management, communication strategy and technical content. Backed by her background in Systems Engineering and business development, Joanna puts focus on translating features into benefits and showcasing the unique values of Grandmetric products and services.
