The NIS 2 Directive is a piece of EU legislation aimed at raising the level of cybersecurity across member states. You can read more about the directive’s objectives and the entities it covers in the first article of this series: The NIS 2 Directive – what is it and who does it apply to?
The directive introduces several changes designed to enhance the mechanisms for managing information security within companies. The areas that could have a direct impact on the operation of organizations include:
1. Responsibility of managing bodies
NIS 2 introduces a mechanism whereby responsibility for managing technological risks is assigned to managers, particularly board members of essential or important entities, and personal liability can be imposed on them.
According to the draft of the Polish law implementing the directive, a board member of such a company may face a fine of up to 600% of their salary (calculated based on rules used to determine cash equivalents for vacation pay). This penalty is independent of any fines imposed on the entity itself.
2. Technical and organizational measures
The NIS 2 places strong emphasis on implementing advanced technical and organizational measures. These include:
- An advanced threat detection system (IDS/IPS) and identity management systems that protect against unauthorized access to resources
- Regular penetration tests and security audits to identify vulnerabilities in IT infrastructure
- Access management, including the implementation of multi-factor authentication and restricting system access to authorized users only
- Encryption of sensitive data, both during transmission and storage
Organizations must adopt a holistic approach to cybersecurity, ensuring that the implemented technical measures are regularly updated and tested to keep pace with evolving threats.
3. Cybersecurity incident reporting process
The process for reporting security incidents and irregularities becomes more detailed and stringent. Organizations will be required to:
- Report significant cybersecurity incidents within 24 hours of their detection, enabling faster responses to potential threats
- Provide a full incident report within 72 hours, including details about the nature of the incident, its impact, and the corrective actions taken by the organization
4. Organizational policies and procedures
The Network and Information Systems Directive 2 requires organizations to implement and maintain effective cybersecurity policies and procedures, which include:
- A risk management policy that defines how to identify, assess, and manage cybersecurity risks
- Incident response procedures outlining the steps to be taken when an incident is detected
- Regular cybersecurity training for employees and raising awareness of the threats associated with attacks on information systems