
The NIS 2 Directive – what is it and who does it apply to?

The NIS 2 Directive (Network and Information Security Directive) is the European Union's response to the growing cybersecurity threats faced by businesses.
Authors: Paulina Ryndak (Corporate Services Senior Consultant) and Maria Matyka (Senior Corporate Services Consultant)

The NIS 2 Directive serves as an extension and update to the NIS 1 Directive, strengthening, harmonizing, and, crucially, expanding regulations related to cybersecurity and cyber resilience across the EU's businesses, in terms of both obligations and the inclusion of new entities.

Challenges in cybersecurity

Each year, new reports surface about successful cyberattacks. One of the most well-known is the 2014 attack on the Marriott hotel chain (publicly disclosed in 2018), in which attackers gained access to customer data, leading to fines for violating data protection regulations, class action lawsuits, and legal costs.

However, the theft of personal data is not the only objective of cyberattacks; other priorities may include:

  • Stealing government information (the attack on the U.S. company SolarWinds, whose clients included government agencies – 2018)
  • Disrupting service continuity (such as the attack on Sony PlayStation in 2018, which caused nearly a month-long service outage and resulted in the theft of user data)
  • Ransom demands (the recent high-profile attack on ALAB Laboratories in Poland, where the company's management refused to pay the ransom, leading to the disclosure of sensitive patient data)

Objectives of NIS 2

The European Commission designed the NIS 2 Directive with the goal of enhancing the cyber resilience of key businesses across the entire EU. As demonstrated by the above examples, cyberattacks can seriously hinder business operations, generate financial losses, and undermine customer and user trust in a company.

Sectors and entities covered by new obligations

The question of the scope of NIS 2 regulations is complex. Generally speaking, all entities involved in the sectors listed below that also meet the criteria of a medium or large enterprise should assess whether they fall under the NIS 2 regulations. This applies to entities employing more than 50 people and having an annual turnover or balance sheet total exceeding €10 million.


1. Essential entities

The directive introduces two categories of regulated entity: "essential entities" and "important entities."

Essential entities provide services that are crucial to the functioning of society and the economy. Ten sectors are listed in the annex:

  1. Energy
  2. Transport
  3. Banking and financial market infrastructure
  4. Healthcare
  5. Drinking water
  6. Wastewater
  7. Digital infrastructure
  8. ICT service management
  9. Public administration
  10. Space

With some exceptions (e.g., trust service providers), essential entities will generally only include large entities employing more than 250 people, with annual turnover exceeding €50 million and/or a balance sheet total exceeding €43 million.

2. Important entities

The second category introduced by NIS 2 includes important entities, such as:

  • Medium-sized entities operating in the key sectors listed above;
  • Medium or large entities operating in the "other critical sectors" outlined in Annex II of NIS 2. These include:
      ◦ Postal and courier services;
      ◦ Waste management;
      ◦ The production, processing, and distribution of chemicals;
      ◦ The production, processing, and distribution of food;
      ◦ Manufacturing, particularly of medical devices, computers, electronic and optical products, certain types of electrical equipment and machinery, motor vehicles, and other transport equipment;
      ◦ Digital service providers for online marketplaces, search engines, and social networks;
      ◦ Scientific research.

These NIS 2 requirements may be modified at the national level. The current draft of the Polish law implementing NIS 2 expands the scope of regulated entities by:

  • Including large businesses operating in sectors listed in Annex II of NIS 2 (mentioned above)
  • Reclassifying some sectors from Annex II as key sectors, particularly in the manufacturing industry

The draft law is currently in the phase of public consultation and review.

Important: A significant factor influencing the adoption of the NIS 2 protection standard is the requirement for essential and important entities to ensure cybersecurity across their supply chains. As a result, they will demand that their suppliers and clients adhere to appropriate standards, even if these suppliers and clients are not identified as essential or important entities themselves.

The NIS 2 Directive introduces the principle of self-identification—businesses must assess their own status based on the definitions of medium and large entities and the sectors in which they operate.

Deadlines

The deadline for implementing NIS 2 into national law is October 18, 2024. Meanwhile, the draft amendment to Poland's Act on the National Cybersecurity System is still under public consultation and review, so delays in the adoption of the EU regulations into Polish law are expected. However, from October 18, 2024, Polish businesses should be prepared to implement appropriate cybersecurity measures. Implementing the right technical and organizational measures, risk awareness, and regular audits will be key to successfully meeting the NIS 2 requirements.
