“It is estimated that approximately 60 percent of organizations may not yet be prepared to meet the requirements of the EU NIS2 directive,” says Paweł Śmigielski, country manager of Stormshield. He is referring to the directive on measures for a high common level of cybersecurity across the European Union. The legal act substantially widens the range of entities subject to regulation, and non-compliance carries heavy penalties.
The directive on measures for a high common level of cybersecurity across the EU, known as the NIS2 directive, entered into force on January 16, 2023. Member states must transpose it into national law by October 17, 2024. According to expert assessments, more than half of the entities it covers may not be ready for the new rules.
“Approximately 60 percent of organizations may not yet be ready to meet the requirements of the NIS2 directive. There are several reasons for this situation, and one of the main ones is that there is still no Polish legal act that would introduce NIS2 into Polish law, so we are essentially talking about amending the Act on the National Cybersecurity System,” states Paweł Śmigielski in an interview with Newseria Biznes news agency.
That is not the only problem facing organizations in Poland. Another is the shortage of cybersecurity specialists: it is estimated that in 2023 alone, Poland was short of between 10,000 and several tens of thousands of experts in this field.
A fundamental difference compared with the first NIS directive, adopted in 2016, is the much broader range of entities covered by the regulation. The new rules also address supply chain security, supervisory mechanisms and obligations, and incident reporting principles.
The NIS2 directive introduces a number of changes relative to the first NIS directive and to the Polish act implementing it, the Act on the National Cybersecurity System. Most importantly, the list of entities covered by the regulation has been extended; it now includes public administration units and wastewater companies, and postal and courier operators are also brought under the new directive.
The directive also divides organizations into essential entities (referred to as "key entities" in the Polish text) and important entities, which determines the maximum penalties for non-compliance.
“Penalties for key entities can be up to 10 million euros or 2 percent of annual turnover, while for important entities, these penalties can be up to 7 million euros or 1.4 percent of annual turnover,” the expert calculates.
The NIS2 directive also makes company boards and senior management accountable for non-compliance. This means that individual senior managers may be fined or even temporarily barred from exercising managerial functions in the entity. The new law imposes new duties as well.
“The directive specifies that an organization should inform the relevant authorities about an incident within 24 hours, and more detailed information about the incident should be sent within 72 hours. Another important obligation is to provide measures proportionate to the estimated risk,” says Paweł Śmigielski.
In practice, this mainly means putting in place technical and organizational measures that raise the level of security within a given entity. The expert explains that these provisions will in fact apply not only to the company itself but also to its supply chain.
“An organization, apart from taking care of the security of its IT systems, should also look at and check how the degree of security or the level of compliance with the NIS2 directive looks among its suppliers and subcontractors. This is quite a big change and quite important from the point of view of cybersecurity specialists,” he emphasizes.
The NIS2 directive also introduces a training requirement that extends to board members and managers. For other employees, the emphasis is on maintaining basic cyber hygiene.
Many businesses may be surprised to learn that their organization falls under the NIS2 directive. On the one hand, the new law is seen as a supplement to the Act of July 5, 2018, on the National Cybersecurity System (the KSC Act), whose provisions were estimated to cover several hundred entities. NIS2, on the other hand, may affect several thousand organizations.
“Many of them are not prepared, and it is estimated that a quarter of companies in Poland do not even know that they should be covered by the NIS2 directive. So that’s quite a big challenge right from the start, reminding us that the deadline is October 2024 to align our organizations with NIS2 requirements,” says Paweł Śmigielski.
The consulting firm EY points out that the new EU directive is a revolution in how many sectors of the economy build cyber resilience. In its survey, 36 percent of respondents had not yet analyzed the directive at all, and 30 percent had looked into it but saw no significant impact on how they operate. This suggests that not all organizations are fully aware of the consequences of NIS2, which include obligations such as incident reporting and the use of encryption.
There have been several serious cybersecurity incidents in Poland recently. Experts say that beyond the high-profile cases involving a laboratory and delivery platform providers, such events occur every week, and the number of similar incidents continues to rise.
“From my point of view, it is worth noting that an incident is something that should not be feared. Incidents have occurred, are occurring, and will continue to occur. The NIS2 directive also places a heavy emphasis on companies or organizations preparing business continuity plans and building competence in cyber resilience, or restoring a company or organization to normal operation after an incident,” the expert concludes.
The key, then, is to "learn to live with such an incident" and to respond appropriately, as the NIS2 provisions require. Entities have 24 hours to send the relevant authorities an initial notification of an incident and 72 hours to provide the more detailed report. Beyond that, the directive should be read as a guide to the changes needed within the organization itself.