
Key changes resulting from the NIS 2 Directive

What are the key changes introduced by the Network and Information Security Directive 2?
Authors:
Paulina Ryndak
Corporate Services Senior Consultant
Maria Matyka
Senior Corporate Services Consultant

The NIS 2 Directive is an EU regulation aimed at strengthening the level of cybersecurity across member states. You can read more about the directive's objectives and the entities it covers in the first article of this series, "The NIS 2 Directive – what is it and who does it apply to?"

The directive introduces several changes designed to enhance the mechanisms for managing information security within companies. The areas that could have a direct impact on the operation of organizations include:

1. Responsibility of managing bodies

The NIS 2 introduces a mechanism whereby responsibility for managing technological risks is assigned to, and personal liability can be imposed on, managers, particularly board members of key or important entities.
According to the draft of the Polish law implementing the directive, a board member of such a company may face a fine of up to 600% of their salary (calculated based on rules used to determine cash equivalents for vacation pay). This penalty is independent of any fines imposed on the entity itself.

2. Technical and organizational measures

The NIS 2 places strong emphasis on implementing advanced technical and organizational measures. These include:

  • An advanced threat detection system (IDS/IPS) and identity management systems that protect against unauthorized access to resources
  • Regular penetration tests and security audits to identify vulnerabilities in IT infrastructure
  • Access management, including the implementation of multi-factor authentication and restricting system access to authorized users only
  • Encryption of sensitive data, both during transmission and storage

Organizations must adopt a holistic approach to cybersecurity, ensuring that the implemented technical measures are regularly updated and tested to keep pace with evolving threats.

3. Cybersecurity incident reporting process

The process for reporting any security incidents and irregularities is more detailed and stringent. Organizations will be required to:

  • Report significant cybersecurity incidents within 24 hours of their detection, enabling faster responses to potential threats
  • Provide a full incident report within 72 hours, including details about the nature of the incident, its impact, and the corrective actions taken by the organization

4. Organizational policies and procedures

The Network and Information Systems Directive 2 requires organizations to implement and maintain effective cybersecurity policies and procedures, which include:

  • A risk management policy that defines how to identify, assess, and manage cybersecurity risks
  • Incident response procedures outlining the steps to be taken when an incident is detected
  • Regular cybersecurity training for employees and raising awareness of the threats associated with attacks on information systems