NIS2 Directive - what is it, who does it apply to and from when? (2024)

Information security management within an organisation currently constitutes a strategic minimum for effectively combating cybercrime. Implementing uniform preventive measures aids in the conscious development of basic protections and maintaining control over risk management processes.

To meet these expectations in the context of enhancing cybersecurity, the European Parliament and Council Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union, also known as the NIS2 Directive, was introduced.

Check out what changes it introduces and learn how these changes can impact everyday functioning in the digital world.

Table of contents:

1. What is the NIS2 Directive?
2. Which entities are covered by the NIS2 regulation?
3. When does NIS2 come into effect?
4. Was the introduction of changes necessary (NIS1 vs NIS2)?
5. Risk management measures
6. Obligations under NIS2 and their benefits

What is the NIS2 Directive?

The NIS2 Directive is an EU legal regulation aimed at strengthening cybersecurity within member states. It is a revision of the original NIS Directive (Network and Information Systems Directive) from 2016, responding to the dynamically changing digital landscape and the increasing threats posed by cyberattacks.

Key assumptions and objectives of the Directive:

  • Imposing minimum requirements on member states for the implementation of regulations that realistically and effectively increase the level of cybersecurity;
  • Enhancing knowledge and awareness, thereby improving the ability to respond to incidents and minimise their impact;
  • Harmonising sanction systems and reporting obligations;
  • Strengthening supervision over governing bodies;
  • Overall increase in trust in digital services.

The new regulations aim to ensure a high level of protection for networks and information systems critical for the functioning of society and the EU economy.

Which entities are covered by the NIS2 regulation?

The NIS2 Directive covers a broad range of private entities, as well as public institutions, based on the following criteria:

  • Entities of an appropriate size (the size-cap rule), i.e., those exceeding the thresholds for medium-sized enterprises (>50 employees and annual turnover >10 million EUR). Exceptions exist, however: even microenterprises can be covered by NIS2 if they are defined as critical for certain sectors (e.g., services whose disruption could threaten public safety or health; trust service providers; public administration units);
  • Entities operating in specific sectors deemed essential by the EU.

Based on these criteria, entities covered by the NIS2 regulation are divided into essential entities and important entities.

Division of entities covered by the NIS2 regulation based on size:

  • Essential: >250 employees and annual turnover >50 million EUR
  • Important: >50 employees and annual turnover >10 million EUR

Division of entities covered by the NIS2 regulation based on sectors:

Essential sectors:

  • Energy
  • Transport
  • Banking
  • Financial Market Infrastructure
  • Healthcare
  • Drinking Water
  • Wastewater
  • Digital Infrastructure
  • ICT Service Management
  • Public Administration
  • Space

Important sectors:

  • Postal and Courier Services
  • Waste Management
  • Production, Manufacturing and Distribution of Chemicals
  • Food Production, Processing and Distribution
  • Manufacture of Medical Devices
  • Manufacture of Electronic Products
  • Manufacture of Optical Products
  • Manufacture of Motor Vehicles
  • Digital Service Providers
  • Scientific Research

This division directly determines the type of responsibility and the level of administrative fines envisaged for specific entities in the event of non-compliance with the obligations imposed by the Directive.

When does NIS2 come into effect?

The NIS2 Directive (Network and Information Systems Directive 2) came into effect on 16 January 2023, giving EU member states time to implement its provisions by 17 October 2024. Member states thus have a specified period in which to adapt their national regulations and introduce appropriate processes and procedures within organisations to ensure full compliance with the requirements outlined in NIS2.
In the context of Polish legal order, the transposition of NIS2 provisions is likely to occur through amendments to the Act of 5 July 2018 on the national cybersecurity system.

Therefore, businesses should promptly begin work on implementing the new regulations to avoid potential sanctions and ensure the security of their information systems.

Was the introduction of changes necessary (NIS1 vs NIS2)?

In response to the need to enhance cybersecurity in the European Union, the NIS Directive was introduced in 2016. However, assessments to verify its effectiveness revealed inconsistencies in the implementation of EU regulations by member states, and since 2016, the digital landscape has undergone so many revolutionary changes that the existing regulations have become insufficient. This has directly contributed to an increase in cyber threats not only against citizens and companies, but also towards the continuity of critical state infrastructure.

NIS2 introduces significant changes compared to its predecessor, the NIS Directive of 2016. The key difference is the substantial increase in the number of entities required to comply with its regulations: entities are divided into essential and important. Additionally, a sectoral criterion is introduced alongside the size criterion.

While NIS primarily concerned operators of essential services in sectors such as energy, transport, banking, health and finance, NIS2 also covers additional sectors, including ICT service management, public administration, space and trust service providers. NIS2 (unlike the NIS Directive) adopts the principle of self-assessment. According to this principle, entities are required to evaluate whether they meet the criteria to qualify as an essential or important entity.

The new directive also includes detailed minimum requirements for risk management measures that obligated entities must implement. NIS2 stipulates that all entities must adopt appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks to networks and information systems. These measures include implementing IT security policies, updated procedures and technological solutions, cyber risk analyses, business continuity and crisis management plans, as well as security audits and penetration tests.
NIS2 provides for stricter oversight and enforcement of regulations by national authorities and places greater emphasis on risk management within the supply chain, addressing threats related to relationships between entities and suppliers.

NIS2 also assigns particular importance to training and cyber hygiene. It mandates periodic training for employees and collaborators at all levels, with education tailored to the specific needs of the organisation.
As a result, more enterprises – both large- and medium-sized – must comply with the new requirements, aiming to strengthen the resilience of network and information systems across the European Union.

Risk management measures

Under the NIS2 Directive, essential and important entities are required to implement risk management measures (Article 21 NIS2). Risk analysis under NIS2 goes beyond standard protective measures, which are still applied intuitively in organisations but may not always be regulated and systematic. It is now justified to refer to risk management standards (such as ISO 27001 or the ISO 31000 family of standards), especially in terms of preparing risk analysis and assessment methodologies.

According to Article 21 NIS2, risk management measures are based on an all-hazards approach aimed at protecting the networks and information systems, as well as the physical environment of those systems, from incidents and include at least the following elements:

a) Risk analysis and IT security policies;
b) Incident handling;
c) Business continuity (e.g., backup management and disaster recovery and crisis management);
d) Supply chain security, including security aspects related to relationships between each entity and its direct suppliers or service providers;
e) Security in the acquisition, development and maintenance of networks and information systems, including vulnerability handling and disclosure;
f) Policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
g) Basic cyber hygiene practices and cybersecurity training;
h) Policies and procedures for the use of cryptography and, where appropriate, encryption;
i) Human resources security, access control policies and asset management;
j) Where applicable, the use of multi-factor authentication or continuous authentication, secure voice, text and video communications and secure emergency communications systems within the entity.

What do these provisions mean in practice for Autenti?

The key point is that, in terms of risk management measures for entities covered by NIS2 (including Autenti), two standards are envisaged as the documentary basis:

  • NORMATIVE DOCUMENTATION: To fulfil this obligation, Autenti has implemented an Information Security Management System (in accordance with ISO/IEC 27001:2017) and a Business Continuity Management System (in accordance with ISO 22301:2020). Based on these standards, Autenti has introduced and applies a series of normative documents, such as information security and business continuity policies, which declare legal compliance and measures provided for in the Directive, risk management methodologies and actions to ensure the continuity of services.

  • OPERATIONAL DOCUMENTATION (responding to normative requirements): To fulfil this obligation, Autenti maintains an incident register, a risk register, a violations register, a training plan and record of completed training, a backup register and an inventory of processes, assets and devices.

Obligations under NIS2 and their benefits

The NIS2 Directive imposes a range of obligations on entities covered by its provisions. Autenti, as an obligated entity, adheres to all the requirements, thereby strengthening its market credibility and increasing its resilience to cyber threats.

NIS2 mandates that essential and important entities implement risk management measures and monitor and respond to security incidents.

Obligated entities should have procedures for managing and handling incidents, documentation of incident response actions, and arrangements for sharing information with the relevant CSIRT. Additionally, entities must monitor and detect incidents affecting confidentiality, availability, integrity and authenticity.

Organisations are required to report incidents without undue delay and inform service recipients of potential threats and remedial measures. Security audits are another element required by both NIS2 and the draft Act on the National Cybersecurity System. Audited entities are subject to control in strictly defined areas, such as information security management, change management, maintenance and development of information systems, physical security and the security and continuity management of the service chain.

From these and other obligations imposed on specific entities, many benefits arise in practice. Organisations enhance their resilience to cyber threats – regular training for management bodies provides knowledge and, more importantly, awareness of cyber risk management. The directive promotes the use of innovative and advanced technologies such as data encryption, cryptography, segmentation and access management, ensuring the confidentiality and integrity of information. Penetration testing helps organisations identify security gaps and implement corrective measures, thereby increasing overall digital security.

For Autenti, as a provider of trust services, ensuring cybersecurity is today a fundamental, undeniable requirement – not just a possibility or alternative. Knowing that Autenti meets all stringent conditions imposed by the NIS2 Directive, Autenti's clients need not have any concerns regarding the security of the digital infrastructure operating within Autenti.

Learn how we can help you accelerate business processes with NIS2-compliant document workflow solutions.


Zaneta Truszkowska

Lawyer
