
New rules on the cybersecurity of network and information systems
NIS2 Directive
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (NIS2) establishes common measures to enhance cybersecurity levels across the EU by imposing consistent requirements on risk management, incident reporting and supervision for essential and important entities operating in critical sectors. NIS2 introduces new duties for both public and private sectors, increasing the accountability of essential and important entities – and their management boards – for system security.
NIS2 Directive – comprehensive support from Cybernite
Does your organisation fall under NIS2?
We encourage you to book a free consultation to check whether your organisation is in scope of NIS2.
Penalties for non-compliance with NIS2
NIS2 includes significant administrative fines. For essential entities, penalties may reach up to € 10 m or 2% of global annual turnover; for important entities, up to € 7 m or 1.4% of global annual turnover. Beyond entity-level sanctions, the Directive also provides for personal liability of leadership of essential and important entities. Penalties must be effective, proportionate and dissuasive.
Whom does NIS2 apply to?
NIS2 applies to public or private entities, divided into two categories (essential and important), that qualify as medium or large enterprises and that provide services or operate in the EU. The core rule is that NIS2 applies to entities qualifying at least as medium-sized enterprises, i.e. those that:
- employ at least 50 people, and
- have an annual turnover exceeding € 10 m or a balance sheet total above € 10 m,
and that provide services or operate within the EU.
Note: certain entities (e.g. operators of essential services in energy) fall under NIS2 regardless of size.
Which industries does NIS2 apply to?
Both essential and important entities must implement cybersecurity measures, with the former subject to stricter supervision.
Essential entities: Energy, Transport, Finance, Healthcare, Digital infrastructure, Public administration, Space
Important entities: Postal and courier services, Waste, Chemicals, Food, Medical devices, Manufacture of critical goods, Digital service providers, R&D sector
Note: Member States may expand or narrow the list of entities covered by NIS2.
Key changes from NIS1
NIS2 succeeds the NIS Directive of July 2016 (in force since 2018), which was transposed into Polish law by the Act on the National Cybersecurity System of 5 July 2018. NIS2 also requires national transposition; at the time of writing, work continues on adapting the Polish Act on the National Cybersecurity System (UoKSC).
Beyond broadening scope, NIS2 sets a minimum list of technical, operational and organisational measures for managing IT risk, including:
- Risk analysis and information system security policy
- Incident handling
- Business continuity, including backup, restoration and crisis management
- Supply chain security, including supplier and provider relationships
- Security of acquisition, development and maintenance of networks and IT systems (including vulnerability management)
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
- Basic cyber hygiene and cybersecurity training
- Policies and procedures on cryptography and encryption
- Human resource security, access control policy and asset management
- Multi-factor authentication (or equivalent)
