Does implementing NIS2 apply to my company?

NIS2 Test - questions and answers
You can use our free NIS2 test (start the test), which will help you determine whether your company meets the NIS2 criteria. The test contains questions regarding the size of the enterprise, the industry and the nature of activities, which allows alignment with the requirements of NIS2 (UKSC).
The test result helps determine whether your company or organisation is subject to the obligations arising from the NIS2 Directive. Based on your answers you will find out whether the company meets the criteria to be recognised as an essential entity or an important entity. This entails the necessity to implement specific cybersecurity risk management measures, report incidents and cooperate with the relevant supervisory authorities.
However, the test result is of an informational nature only and does not constitute a final assessment of compliance with the regulations. To obtain a full evaluation, contact cybersecurity experts or commission a full audit.
The NIS2 Directive (Network and Information Security Directive) is EU legislation aimed at improving the level of cybersecurity in Member States. It is the successor to the NIS Directive of 2016 and introduces more stringent requirements for key economic sectors such as energy, transport, health, finance, and other sectors important for critical infrastructure. In Poland the NIS2 rules apply on the basis of the Act on the National Cybersecurity System (UKSC).
The implementation of NIS2 covers sectors that are key to the functioning of the economy, including:
- Energy
- Transport
- Healthcare
- Banking
- Digital infrastructure
- Waste management
- Production of chemicals and medical products
- Digital service providers
Entities covered by the NIS2 Directive must meet a number of requirements related to cybersecurity risk management, including:
- The application of appropriate technical and organisational measures to ensure the security of information systems.
- Monitoring and responding to security incidents.
- Reporting serious incidents to the relevant national authorities.
- Cooperating with public authorities on cybersecurity.
Failure to comply with the requirements of NIS2 may result in financial sanctions, as well as other legal measures at the national level. Each Member State is obliged to implement appropriate supervisory and sanctioning mechanisms for breaches of the rules.
For breaches of the NIS2 provisions, essential entities may be fined up to €10 million and important entities up to €7 million. Independently of a penalty for breaches of the Act, the competent authority may impose a periodic financial penalty on an essential or important entity that delays performing the obligations imposed on it as part of supervisory activities or enforcement measures. Such a penalty ranges from 500 to 100,000 zloty for each day of delay.
According to the Act on the National Cybersecurity System (UKSC), the manager of an essential or important entity may be subject to a financial penalty for failure to perform the obligations indicated in the Act, if the time, scope or nature of the breach so warrant. The maximum amount of the penalty that may be imposed is also increased — to 300% of the remuneration received by the manager, calculated according to the rules applicable when determining the cash equivalent for annual leave (previously the penalty was a maximum of 200% of monthly remuneration).
We propose the following steps.
- Assessment of current safeguards: analysis of existing data protection and cybersecurity procedures.
- Risk identification: determining potential threats to IT infrastructure.
- Documentation creation: preparation of the necessary policies and procedures in compliance with the NIS2 Directive.
- Staff training: implementation of educational programmes.
- Monitoring and audit: regular monitoring and evaluation of compliance with the NIS2 Directive.
Full implementation should be consulted with data protection and cybersecurity experts.
We invite you to familiarise yourself with our offer.
The security of networks and information systems has never been more important. Every company subject to the NIS2 Directive must implement appropriate security measures to prevent cyberattacks and ensure the uninterrupted provision of services.
The NIS2 Directive introduces the requirement to apply measures in the following areas:
- Risk management: protection of the supply chain, security of IT systems
- Incident handling: rapid detection and reporting of threats
- Cybersecurity audits: regular inspections and system testing
- Staff training: awareness of threats within the organisation
NIS2 imposes strict penalties for non-compliance with the regulations. For key sectors, the penalty may be up to €10 million or 2% of annual turnover. In the case of important sectors, sanctions may reach €7 million or 1.4% of annual turnover.
Protect your business with cybersecurity!
Find out whether you are subject to NIS2. Contact us and we will help you implement the necessary procedures and ensure business continuity in line with the new EU requirements!