The NIS 2 Directive serves as an extension and update to the NIS 1 Directive, strengthening, harmonizing, and, crucially, expanding regulations related to cybersecurity and cyber resilience across the EU's businesses, in terms of both obligations and the inclusion of new entities.
Challenges in cybersecurity
Each year, new reports surface about successful cyberattacks. One of the most well-known is the 2014 attack on the Marriott hotel chain (publicly disclosed in 2018), where hackers gained access to customer data, leading to fines for violating data protection regulations, class action lawsuits, and legal costs.
However, the theft of personal data is not the only objective of cyberattacks; other priorities may include:
- Stealing government information (the attack on the U.S. company SolarWinds, whose clients included government agencies – 2018)
- Disrupting service continuity (such as the attack on Sony PlayStation in 2018, which caused nearly a month-long service outage and resulted in the theft of user data)
- Ransom demands (the recent high-profile attack on ALAB Laboratories in Poland, where the company's management refused to pay the ransom, leading to the disclosure of sensitive patient data)
Objectives of NIS 2
The European Commission designed the NIS 2 Directive with the goal of enhancing the cyber resilience of key businesses across the entire EU. As demonstrated by the above examples, cyberattacks can seriously hinder business operations, generate financial losses, and undermine customer and user trust in a company.
Sectors and entities covered by new obligations
1. Essential entities
The directive introduces the concept of "essential entities" and "important entities."
Essential entities provide services that are crucial to the functioning of society and the economy. Ten sectors are listed in the annex:
- Energy
- Transport
- Banking and financial market infrastructure
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure
- ICT service management
- Public administration
- Space
With some exceptions (e.g., trust service providers), essential entities will generally only include large entities employing more than 250 people, with annual turnover exceeding €50 million and/or a balance sheet total exceeding €43 million.
2. Important entities
The second category introduced by NIS 2 includes important entities, such as:
- Medium-sized entities operating in the key sectors listed above;
- Medium or large entities operating in the "other critical sectors" outlined in Annex II of NIS 2. These include:
  - Postal and courier services;
  - Waste management;
  - The production, processing, and distribution of chemicals;
  - The production, processing, and distribution of food;
  - Manufacturing, particularly of medical devices, computers, electronic and optical products, certain types of electrical equipment and machinery, motor vehicles, and other transport equipment;
  - Digital service providers for online marketplaces, search engines, and social networks;
  - Scientific research.
These NIS 2 requirements may be modified at the national level. The current draft of the Polish law implementing NIS 2 expands the scope of regulated entities by:
- Including large businesses operating in sectors listed in Annex II of NIS 2 (mentioned above)
- Reclassifying some sectors from Annex II as key sectors, particularly in the manufacturing industry
A significant factor influencing the adoption of the NIS 2 protection standard is the requirement for essential and important entities to ensure cybersecurity across their supply chains. As a result, they will demand that their suppliers and clients adhere to appropriate standards, even if these suppliers and clients are not identified as essential or important entities themselves.
The NIS 2 Directive introduces the principle of self-identification: businesses must assess their own status based on the definitions of medium and large entities and the sectors in which they operate.
Deadlines
The deadline for implementing NIS 2 into national law is October 18, 2024. Meanwhile, the draft amendment to Poland's Act on the National Cybersecurity System is still under public consultation and review, so delays in the adoption of the EU regulations into Polish law are expected. However, from October 18, 2024, Polish businesses should be prepared to implement appropriate cybersecurity measures. Implementing the right technical and organizational measures, risk awareness, and regular audits will be key to successfully meeting the NIS 2 requirements.