NIS 2 – New requirements

The end of 2024 is not only marked by whistleblowers, but also by ‘Cyber Security’. We owe this to the NIS 2 directive and the DORA regulation. Today, a few words about NIS 2.

By 17 October 2024, Poland must implement the EU NIS 2 Directive, which is intended to ensure the resilience of entities important from a public interest perspective to cyber threats. This requires the implementation of appropriate procedures and training, including: risk analysis and IT system security, incident handling, business continuity, crisis management, supply chain security and others.
NIS 2 will cover a number of entities that have not yet been regulated under NIS 1. According to the draft amendments to the National Cyber Security System Act (UKSC), entities that should be particularly interested in NIS 2 include:
✔️ Energy
✔️ Transport
✔️ Banking
✔️ Infrastructure financial markets
✔️ Protection health
✔️ Supply drinking water and its distribution
✔️ Digital infrastructure
✔️ Wastewater
✔️ Management IT services
✔️ Public sector
✔️ Space
✔️ Postal and courier services
✔️ Waste management
✔️ production manufacturing and distribution of chemicals
✔️ Production food processing and distribution
✔️ Production
✔️ Providers of digital services
✔️ Scientific research

The list is long 😊. What’s more, the UKSC draft requires self-identification of entities that meet the criteria and registration in the relevant register.
The UKSC amendment, according to the draft, will come into force within one month of publication. This will not be sufficient time to fully implement the new obligations. Therefore, we are already proposing to audit and implement NIS 2 for our clients, based on the PN-EN ISO/IEC 27001, PN-EN ISO/IEC 22301 standards and market best practices. Once the legislation has been finalised, fine-tuning the procedures will be sufficient.

And you, are you ‘catching on’ to NIS2 and are you NIS-ready?