At the beginning of 2023, the EU NIS2 directive entered into force, introducing further changes in the field of cybersecurity. What do the new regulations mean for companies and which entities will have to meet additional cyber security requirements in connection with the update of the NIS regulations in force in Poland from 2018? We invite you to read our article, where you will learn everything you need to know about updating EU standards. Check if your company needs to prepare for NIS2.
The recently introduced new European Union law aims to provide adequate legal means to increase the general standard of cyber security in all EU Member States. The NIS2 Directive, whose full name is:
“Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148” clarifies issues related to risk assessment and management, improves response to cyber threats and introduces the obligation to report events threatening digital security within the European Union.
Under the new legislation, member states are required to take appropriate legal measures to ensure that they are prepared to:
The new regulations entered into force on January 16, 2023, and the document itself was adopted by the European Parliament a few months earlier – on November 10, 2022. It is worth noting that the directive updates the regulations in force since 2016, which functioned in Poland as the Act on the National Security System, introducing significant changes to the law. When looking for information on what NIS 2 is and when it comes into force, it is worth paying attention to the long vacatio legis period. Member states have 20 months to adapt their internal legal acts to the requirements of the new EU directive. This means that changes in accordance with the assumptions of NIS 2 in Poland should be expected no later than October 17, 2024. The day after this date, the new regulations will be in force in all countries belonging to the European Union.
NOTE!
We should expect changes in accordance with the assumptions of NIS 2 in Poland no later than October 17, 2024.
One of the main reasons for the amendment of EU legislation was the underestimation of the number of entities covered by the first version of the directive. Reality has shown that the original wording of the NIS provisions does not cover many strategic sectors of the economy and that not all entities obliged to comply with it fulfil their obligations. Therefore, the new legislation expands the catalogue of entities subject to additional obligations in the field of cyber security.
The updated regulations depart from the division into operators of essential services and digital service providers, known from the first version of the NIS directive. Instead, the amended legal act introduces two categories: key entities and important entities. The obligation to adapt to the new regulations applies both to industries already subject to the old directive and to many entities not yet covered by these regulations. The first group includes digital service providers, healthcare, transport, banking infrastructure, financial markets, water supply, energy and digital infrastructure.
NIS 2 introduces changes that also apply to a number of additional entities from sectors such as:
Preliminary estimates show that in addition to the entities already included in the first directive, several thousand more companies in Poland will have to adapt their cyber security standards to the amended regulations, which will come into force in the second half of 2024.
Compared to the first version of the directive, the changes in NIS 2 are far-reaching and do not only concern the extension of the catalogue of industries subject to the new legislation. The amount of fines imposed on entities that fail to comply with the obligations imposed on them is also increasing. After the changes, they should be as follows:
In addition to these changes, the NIS 2 Directive also introduces specific tools that must be used by organizations subject to the new regulations.
NOTE!
To be NIS2 compliant, companies will need to implement, among other things:
for which the management bodies of the companies will be directly responsible.
It is worth noting that the directive equalizes obligations in the field of cybersecurity for key and important entities, while introducing new supervisory tools, such as ad hoc inspections, the already mentioned fines or individual responsibility of decision-makers obliged to ensure compliance with NIS2 regulations.
If your company or organization is among the key or important entities, you are obliged to adapt cyber security standards to the new EU regulations. It is worth implementing the necessary actions now to avoid mistakes resulting from the hasty adaptation of procedures to the changes introduced by NIS 2. The first step to improving cybersecurity is to conduct a detailed audit, which should focus on several strategic areas listed below.
At the outset, it is necessary to determine which resources, systems and IT infrastructure will be subject to inspection. You also need to define the audit's goals and expected results.
In accordance with the directive, the obligation to report incidents requires their detection and thorough assessment, and these are only possible if key areas and network resources belonging to the organization are identified.
The next step is a detailed analysis of the organization’s cybersecurity. The main focus should be on detecting potential security vulnerabilities and on solutions that will allow you to remove them using the tools you have or by implementing completely new systems.
Performing a risk assessment allows you to identify potential threats and weak points in the system. It also helps to determine the likelihood of incidents and their impact on the organization.
A cybersecurity audit may also involve conducting penetration tests to identify vulnerabilities in system security by simulating external attacks or internal incidents.
An important point is to verify the level of control over individual resources and to make sure that the data is properly protected against unauthorized access.
In order to increase the level of protection, it is worth focusing on comprehensive solutions, because staged or point-based implementations may lead to excessive load on the infrastructure and create gaps in visibility.
An element of the NIS 2-compliant audit is also the creation of procedures and models for responding to incidents related to breaching cyber security. Important and key entities are required to react quickly and adequately to threats, allowing them to minimize the risk of further incidents.
In addition, important elements of the security audit conducted for NIS2 are:
The introduction of the second cybersecurity directive means a big challenge for many enterprises to which the new legislation will apply in Poland. It is worth analyzing your infrastructure and network resources in detail today to make sure that the security meets the NIS2 requirements or implement tools that will allow you to adjust the organization’s cybersecurity standard to the new requirements.
If you need help preparing your business for the changes brought by NIS 2, contact us today and take advantage of the help of Grandmetric experts. We will help you precisely define the obligations arising from the new regulations, perform a security audit and propose comprehensive solutions tailored to your needs to ensure the necessary level of protection.