In the face of growing threats in cyberspace and the dynamic development of technology, the European Union has decided to amend the regulations concerning the security of networks and information systems. The NIS2 Directive[1] replaces the previously applicable NIS1 Directive[2] and significantly expands it, particularly in the area of risk management, introducing a number of important changes and new requirements for member states and for entities operating in essential and important sectors of the economy. This article presents the assumptions of this regulation and the work on its implementation into the Polish legal order.
Key assumptions of the NIS2 Directive
The main goal of the NIS2 Directive is to harmonize the level of cybersecurity across the entire EU and to strengthen the protection of critical infrastructure and key services for society and the economy. The new directive introduces several significant changes compared to the previous regulation. The most important changes introduced in the NIS2 Directive compared to the NIS1 Directive include:
- expansion of the scope of entities, covering a wider range of sectors. In addition to sectors such as energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space (essential entities), the directive also covers postal and courier service providers, waste management enterprises, the production, manufacture and distribution of chemicals, the production, processing and distribution of food, manufacturing (including of electrical equipment and transport equipment), digital service providers, and scientific research (research organizations) (important entities). This means that many entities that were not previously subject to specific cybersecurity regulations will have to comply with the new requirements;
- strengthening of security requirements. Entities covered by the regulation are obliged to implement advanced technical and organizational measures to manage cybersecurity risks and report incidents. This includes, among others, regular risk assessments, implementation of security policies, ensuring continuity of the supply chain, and employee training. The new regulations emphasize a proactive approach to risk management and continuous improvement of applied protective measures;
- harmonization of penalties for non-compliance with the directive's requirements. Uniform penalty frameworks have been established, including financial fines reaching at least EUR 10 million (essential entities) and at least EUR 7 million (important entities);
- expansion of the powers of supervisory authorities in enforcing regulations. These powers include conducting inspections, audits, and requiring entities to document the implementation of their adopted cybersecurity policies.
Although the NIS2 Directive came into effect on 16 January 2023, member states of the European Union, including Poland, have until 17 October 2024 to implement it into their national legal systems. In Poland, this process is being carried out through an amendment to the Act on the National Cybersecurity System and certain other laws.
Status of the implementation of the NIS2 Directive in Poland
Given the current pace of legislative work, it is clear that Poland will not meet the deadline of 17 October 2024 for implementing the NIS2 Directive. During the legislative process, two drafts of amendments to the Act on the National Cybersecurity System have been developed. The first draft[3] was published and subjected to extensive public consultations, during which various entities submitted numerous comments and proposals for changes. In response to these submissions, the Ministry of Digital Affairs prepared a second version of the draft law[4], striving to incorporate key suggestions from stakeholders.
The first draft of the amendment to the Act on the National Cybersecurity System faced widespread criticism from entrepreneurs and industry experts. It proposed the introduction of very restrictive regulations, which in some aspects were stricter than the requirements of the NIS2 Directive itself. The draft included, among other things, the obligation to use specific ISO standards as the basis for the presumption of compliance with the regulations. Additionally, it imposed short deadlines for conducting the first audit (12 months) and required more frequent repetition (every 2 years). The proposed regulations also expanded the catalog of entities covered by the act and introduced strict requirements regarding supply chain security. These and other provisions raised concerns about excessive administrative and financial burdens for enterprises, which prompted the Ministry of Digital Affairs to develop a second, more balanced version of the draft.
The draft of the Act on the National Cybersecurity System dated 7 October 2024 introduces significant modifications aimed at making it easier for entrepreneurs to adapt to the new requirements and at better reflecting the assumptions of the NIS2 Directive. One of the key changes is the removal of the provisions concerning ISO standards and the associated presumption of compliance. Instead, an obligation to apply guidelines developed by the European Commission has been introduced to ensure uniform security standards throughout the entire European Union. Additionally, in accordance with the NIS2 Directive, the catalog of sectors qualifying for the essential and important categories has been standardized, and the supply chain security requirements have been limited exclusively to direct suppliers.
Special attention should be paid to the key statutory deadlines related to the fulfillment of new obligations. Upon the entry into force of the act, essential and important entities will have 3 months to submit an application for entry into the appropriate register of entities, counting from that date or from the moment they meet the criteria for recognition as such an entity. They are given 6 months from the entry into force of the act or from meeting these criteria to implement an information security management system. An important change is also the extension of the deadline for conducting the first audit for essential entities from 12 to 24 months, and the validity period of this audit has been extended from 2 to 3 years. These modifications give enterprises more time to adapt to the new requirements, which should facilitate the effective implementation of the necessary security measures.
Currently, the draft of the act is awaiting further government work. According to the announcements of the Minister of Digital Affairs, it should be adopted by the Council of Ministers by the end of the year and submitted to Parliament at the beginning of next year.
Summary
The new regulations introduce a number of significant changes aimed at enhancing the level of protection of critical infrastructure and key services for society and the economy. Therefore, from the perspective of an entrepreneur, it is important to assess now to what extent the organization meets the minimum requirements specified in the NIS2 Directive. Conducting such an analysis will allow the identification of any gaps or areas requiring improvement in cybersecurity policies and procedures. Early preparation and a proactive approach to the new regulations will not only help avoid potential sanctions but also increase the organization's resilience to cyber threats.
BSJP bnt team, in cooperation with cyber security specialists, provides comprehensive advice on how to comply with the requirements set forth in the NIS2 Directive. If you have any questions related to the changes, we encourage you to contact our expert: Marcin Kroll (marcin.kroll@bsjp.pl).
[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148
[2] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
[3] Draft Act dated 24 April 2024 amending the Act on the National Cybersecurity System and certain other laws https://legislacja.gov.pl/projekt/12384504/katalog/13055207
[4] Draft Act dated 3 October 2024 amending the Act on the National Cybersecurity System and certain other laws https://mc.bip.gov.pl/projekty-aktow-prawnych-mc/902927_projekt-ustawy-o-zmianie-ustawy-o-krajowym-systemie-cyberbezpieczenstwa-oraz-niektorych-innych-ustaw.html