The implementation of the EU NIS2 directive on cybersecurity, the rollout of which in Poland will soon cover tens of thousands of entities across 17 sectors, presents significant organizational, financial, and technological challenges for domestic companies. Governing bodies will need to increase risk awareness and implement appropriate technical, operational, and organizational measures, as well as focus on risk analysis policy, incident handling, crisis management, and supply chain IT security. Companies will also need to place greater emphasis on employees’ cyber hygiene and train staff who, as indicated by a study by Grupa Progres, do not always follow cybersecurity rules, e.g., sending company documents to private emails. Non-compliance with the regulations will result in severe financial penalties, reaching up to 10 million euros or 2% of annual turnover. These can also affect the heads of organizations, who can be fined up to 600% of their wages for their mistakes.
The introduction of the NIS2 directive is one of the biggest regulatory challenges in cybersecurity that Polish businesses and institutions have faced so far. The new rules not only impose strict norms on companies but also shift a significant part of the responsibility onto governing bodies. This means that board members will need to be aware of the network risks and ensure adequate security. It’s coming soon. On October 7, the second version of the amendment to the Act on the National Cybersecurity System (the “Bill to amend the act on the national cybersecurity system and some other acts”) was published, which brings the EU directive into Polish law. The Ministry announces that by the end of 2024, it will be adopted by the Council of Ministers and then submitted to parliament, so that the new regulations can come into force at the beginning of 2025.
In the era of increasingly frequent and advanced online attacks, the battle against them is extremely important. This is especially true when we consider their scale. According to data from the Ministry of Digitization published in mid-April 2024, Poland is among the 3 most attacked countries in the world, with the number of cybersecurity incidents rising by nearly 200% (from 30,000 to 80,000 annually) year-on-year (2022 to 2023).
Implementing complex procedures on a large scale is necessary, therefore the implementation of the new regulations will cover a wide range of industries. This means that the Polish market faces a huge challenge to adapt to the new requirements, especially in organizations that may not have previously treated cybersecurity as a priority. Soon, it will be their responsibility to implement appropriate and proportional technical, operational and organizational measures in the company and to report network incidents. The list of requirements is long, and managing organizations and their employees face a serious challenge, especially as, contrary to appearances, there is not much time for implementing changes,” says Magda Dąbrowska, Vice President of Grupa Progres.
Entities covered by the new regulations will be obliged to ensure their organization has policies for risk analysis and security of IT systems, incident handling, continuity of operations, and crisis management. Companies are also required to have policies and procedures for assessing the effectiveness of risk management measures in cybersecurity, basic cybersecurity hygiene practices and training, human resources security, access control policies, and asset management.
One of the key aspects of the new regulations is also supply chain risk management. In its 2030 cyber threat forecast, ENISA predicts that supply chain security breaches will be one of the most likely cyber threats in the coming years. New regulations meet these predictions and require entities to implement a supplier security policy, including rigorous assessment criteria, monitoring, and ICT service provider security measures. When choosing suppliers, especially cloud ones, reputation analysis, SLA guarantees, audit rights, security standards, and certification will be key.
Human resources are a key aspect of the equation, as confirmed by Grupa Progres’ research, which reveals a problematic approach to cyber hygiene among employees in organizations. Although 75% of respondents claim that they did not use private email for work purposes, every fourth respondent – 25% – admits to doing so, often company files and work documents are on private emails as well. Most of these people did so several times or even regularly, mostly due to failure of the company’s email or servers, working outside the office, after hours or on weekends, overflowing email inbox or lack of access to it on a trip. When asked if using private mail for business purposes and sending files to it is allowable, 70% of respondents said it is not, with 30% claiming it can be done, for example, in exceptional circumstances.
Magda Dąbrowska suggests penalties aren’t the best way to implement the rules and cybersecurity habits effectively and wisely, but they certainly will be effective in many cases. The fines seem disproportionate to the offense, but with experience, we can consider that in the long term, they have the potential to achieve the goal of adhering to cyber security rules and regulations. Especially considering that the amounts for breaking the law will be severe.
The new regulations stipulate fines of up to 10 million EUR or 2% of revenue for crucial entities and up to 7 million EUR or 1.4% of revenue for important entities. In some cases, the penalty may amount to PLN 100 million if the violations pose a threat to state security or human life and health. The October amendment also provides for penalties for heads of key or important entities up to 600% of their wages calculated according to the rules applicable when setting the cash equivalent for leave. They can receive it if, for example, they neglect any of their duties specified in the bill, do not designate a sufficient number of persons to contact crucial entities or important entities, or to contact entities of the national cybersecurity system, do not provide the user with the possibility to report a cyber threat, incident or vulnerability related to the service provided. A penalty can also be imposed on the head of a key or important entity with a one-time neglect in fulfilling their duties.
The sectors covered by the regulations are divided into two groups. The first includes key sectors like energy (mining, electricity, heat, oil and fuels, gas, nuclear energy, suppliers of services for the energy sector, hydrogen), transport (air, rail, water, road), banking and infrastructure of financial markets, health care (provision of health services and public health, production and distribution of active substances, medicinal products and medical devices), drinking water supply and its distribution, collective sewage disposal, digital infrastructure (including electronic communication), management of ICT services, space and public entities (e.g., research institutes, National Bank of Poland, Bank Gospodarstwa Krajowego, Technical Supervision Office, Polish Air Navigation Agency, Polish Accreditation Center, Polish Financial Supervision Authority, National Health Fund, Wody Polskie, State Fund for Rehabilitation of Disabled Persons or Polish Press Agency).
The second group includes significant sectors like postal services, waste management (e.g., collection, transport, and processing of waste), production, manufacture and distribution of chemicals, production, processing and distribution of food, production (of medical devices and in vitro diagnostic medical devices, computers, electronic and optical products, electrical equipment, machinery and equipment, where not classified elsewhere, motor vehicles, trailers and semi-trailers, and other transport equipment), scientific research, digital service providers (internet trading platform, internet search engine, social network service platform).
Key entities are primarily large companies. In certain cases, a small or medium-sized company may also be a key entity. Important entities are most often micro, small or medium-sized entrepreneurs.
The Grupa Progres survey on digital security and employees’ cyber hygiene was conducted on a representative group of 1000 adult individuals residing throughout Poland. The study was carried out by the CAWI/CATI method.
Source: https://managerplus.pl/dyrektywa-nis2-rewolucyjne-zmiany-w-cyberbezpieczenstwie-dla-polskich-firm-i-instytucji-94406
