The new government will have many issues to address on which companies and institutions are still waiting for regulation. Next year, organizations will have to adapt to a number of key EU regulations, including NIS2 and DORA on cybersecurity and KSeF, the national electronic invoicing system. National institutions and enterprises are awaiting specific decisions in the face of the new directives. Each change brings specific requirements and consequences for companies.
From NIS to NIS2
The NIS2 Directive on network and information systems security requires companies and organizations in the most exposed industries to implement appropriate protections and report all security breaches. The changes are aimed, among others, at energy, healthcare, IT, banking and finance, transport, sewage management, postal and courier services, and the production, processing, and distribution of food. The NIS2 Directive, adopted at the beginning of 2023, obliges EU countries to adapt their laws to its requirements by October 17, 2024.
– It may seem that there is plenty of time, but due to the broad scope of changes introduced by NIS2, the schedule is tight. More companies must also comply with a number of new requirements, as the directive covers additional industries compared to current regulations. Businesses and institutions should familiarize themselves with their new IT security responsibilities, assess their processes and implement missing safeguards as quickly as possible – explains Sebastian Toczewski, IT Security Manager at Beyond.pl, a data center, cloud, and Managed Services provider. – The scope of work within adapting to NIS2 requirements will depend on the organization’s level of maturity in the area of cybersecurity. Special attention should be paid by companies from the industries indicated in the directive which employ more than 250 people or whose annual turnover exceeds 50 million EUR. However, there are sectors in which the new requirements apply regardless of the size of the company. Companies from sectors which previously did not fall under any regulations and which do not employ cybersecurity specialists or possess extensive IT competencies may find themselves in the worst situation.
DORA – An Even Safer Financial Industry
DORA is the EU Digital Operational Resilience Act, which tightens IT security requirements for entities operating in financial markets, including banks, insurance companies, fintechs, and the EU ICT service providers serving the industry. The aim of the directive is to eliminate inconsistencies, prevent duplication of requirements across different legal acts and guarantee end consumers access to services and products even in the case of unpredictable events. National organizations subject to DORA must adapt to the new regulation by January 17, 2025. Its implementation in Poland will be supervised by the Financial Supervision Authority (KNF).
– Financial institutions are fundamentally very mature in terms of digital security due to the regulations already in force in Poland. However, DORA heralds a new approach to risks associated with the use of modern technologies, obligations related to the documentation of procedures, or regular testing of services responsible for business continuity – explains Sebastian Toczewski from Beyond.pl, adding: – On the other hand, we can assume that DORA will force IT service providers servicing financial entities to professionalize their operations, boost the importance of technological partners with certifications and generate demand for services increasing business continuity, such as backup and disaster recovery services.
The requirements for the financial sector are expected to be a revolutionary change, comparable to the introduction of the GDPR a few years ago. Hence, it is crucial that entities covered by the DORA regulations start preparing for the new standards and adapting their processes and systems now. In this way, they will not only avoid high penalties but also increase their competitiveness and gain the trust of customers.
National e-Invoice System
The KSeF is a national system that enables the issuance and receipt of structured invoices. At the beginning of 2023, Poland was to become one of the first EU countries to introduce an electronic invoice circulation system, but the date was postponed to the beginning of 2024. The newly declared deadline is July 1, 2024, for all B2B transactions. However, this remains uncertain. If the Ministry of Finance does not make available by the end of this year all the documents companies and organizations need to adapt and connect their financial and accounting systems to the KSeF, there will be very little time left for implementation and testing by mid-2024.
– According to the Ministry of Finance data, by mid-November this year, 690 entities issued electronic invoices in the KSeF. There were a little over 31,000 documents in total. The trend is upward, as there were more invoices in the first half of November than in the whole of September, but still, only a small percentage of companies are running tests with the KSeF – explains Tomasz Kuciel from EDITEL Poland, the operator of the Electronic Invoicing Platform. – Companies are currently in limbo. Although there is already an API and some regulations, work on others is still ongoing. Time is decidedly not on the side of entrepreneurs, as we estimate that adapting to the KSeF requirements can take up to 12 months – adds Tomasz Kuciel.
The lack of specific administrative decisions, and of guidance for the affected sectors on the changes being introduced, causes managers to hold off on decisions of their own and may lead to problems in planning the budgets needed to meet the new requirements. Adapting internal procedures to the NIS2, DORA, and KSeF regulations means significant reforms and considerable costs for some companies and institutions, which businesses would prefer to plan sensibly. There is still hope that the changes at the top will run smoothly and that organizations will soon receive clear guidelines, upon which their first decisions in 2024 will depend.