NIS2 Directive in Poland: Identification of essential and important entities in capital groups under the new draft act

Currently, work is underway on the fourth draft amendment to the National Cybersecurity System Act (DNCSA), driven by the implementation of the NIS2 Directive [1], which introduces a number of significant changes [2]. One of these changes is the modification of the rules for identifying essential and important entities, particularly the introduction of two criteria for companies belonging to capital groups that exclude an entity from the regime of the Act.

An essential entity is defined as a natural person, legal entity, or organizational unit without legal personality indicated in Annex No. 1 to the draft Act, which meets the requirements for a medium-sized enterprise specified in Article 2(1) of Annex I to Commission Regulation (EU) No. 651/2014 (Article 5(1)(1) DNCSA).

An important entity, on the other hand, is defined as a natural person, legal entity, or organizational unit without legal personality indicated in Annex No. 1 or 2 to the draft Act, which meets the requirements for a medium-sized enterprise specified in Article 2(1) of Annex I to Regulation 651/2014/EU and which is not an essential entity (Article 5(2)(1) DNCSA).

A medium-sized enterprise is one that meets at least two of the following conditions:

  • Employs fewer than 250 employees;
  • Has an annual net turnover not exceeding 50 million euros, or an annual balance sheet total not exceeding 43 million euros.

(Article 2(1) of Annex I to Regulation 651/2014/EU)

The amendment, however, introduces two additional criteria that exclude an entity from qualifying as an essential or important entity, which must be considered when identifying entities in capital groups.

First, the independence of the entity's information system from the systems of its linked or partner enterprises.

Second, the lack of joint service provision with the entity's linked or partner enterprises.


JUSTIFICATION FOR EXCLUSION CRITERIA

A key factor for the changes under discussion is Recital 7 of the NIS2 Directive, which indicates the need to harmonize the criteria for identifying key entities covered by the regulation to eliminate discrepancies between Member States and ensure legal certainty for all entities. Previously, under the NIS1 Directive [3], Member States were responsible for identifying operators of essential services, which led to significant differences in the interpretation and application of the regulations.

The introduction of a uniform criterion, based on the size principle, aims to ensure a consistent and predictable approach to identifying entities covered by the regulation. Recital 16 of the NIS2 Directive clarifies the principles for identifying entities within capital groups, allowing Member States to exclude the principle of considering the data of linked and partner companies when determining the size of a given entity. This flexible approach aims to avoid situations where entities that do not actually pose a cybersecurity threat would be subject to the new regulations.

As indicated above, the Polish legislator, in implementing the NIS2 Directive, has introduced two criteria that exclude qualification as a key or important entity.

The first criterion is the independence of the information system from the information systems of linked or partner enterprises. This means that if an entity's information system is completely independent of the systems of other entities within the capital group, there is no basis for imposing the stringent obligations foreseen for key or important entities on that entity.

The second exclusion criterion is the lack of joint service provision with linked or partner enterprises. If an entity does not provide services jointly with other entities within the group, the risk of incident propagation is minimal, and there is no justification for qualifying it as a key or important entity.

The introduction of these criteria by the Polish legislator is consistent with Recital 16 of the NIS2 Directive, which allows for the exclusion of the aggregation of data from linked and partner companies.


EVOLUTION OF THE DRAFT ACT

Analyzing the evolution of the provisions of Article 5(6) and (7) in successive drafts of the amendment to the National Cybersecurity System Act, one can observe changes in the approach to the qualification of entities within capital groups as essential or important entities. The draft law introduced criteria that exclude such qualification, even if the entity would exceed the thresholds for a medium-sized enterprise.

The first draft [4] of the amendment did not take into account the specifics of capital groups and did not provide any criteria for excluding the qualification of an entity as key or important.

The second draft [5] introduced Article 5(6) and (7), which stated that an entity is not considered an essential or important entity if its information system is independent from the information systems of related or partner enterprises. This criterion of "independence of the information system" was the first step towards a more flexible approach to the qualification of entities within capital groups.

The third draft [6] maintained the criterion of the independence of the information system and simultaneously introduced a second exclusion criterion. According to this provision, an entity is not considered an essential or important entity if it does not provide services jointly with its linked or partner enterprises.

The fourth draft retains the provisions of the third draft: the two exclusion criteria prevent an entity from being qualified as essential or important even if it would exceed the thresholds for a medium-sized enterprise.

It should be noted that the criterion for excluding an entity based on lack of joint service provision with linked or partner enterprises was proposed by the Minister for European Affairs. At the same time, the Minister for European Affairs pointed out that it is the state's authority that should assess whether an entity meets the criteria for being an essential or important entity, including whether it provides services jointly with other entities within the group [7].

The Ministry of Digital Affairs partially took this comment into account by adding a provision to Article 5(6) and (7) regarding the examination of whether a given entity provides services jointly with companies within its capital group. However, the Ministry of Digital Affairs upheld the "self-identification" model, according to which the entity itself assesses whether it meets the criteria of an essential or important entity, including whether it provides services jointly with other entities within the capital group. The Ministry of Digital Affairs argued that previous experiences with the identification of key service operators through administrative decisions were lengthy and ineffective. According to the Ministry, the "self-identification" model is intended to streamline the process and reduce administrative burdens. At the same time, the competent authority for cybersecurity will have the right to inquire whether an entity meets the criteria for being an essential/important entity and may include in the register an entity that has not self-identified.


"JOINT SERVICE PROVISION" – INTERPRETATIVE CHALLENGE

While the criterion of an independent information system, applied when determining whether an entity should be considered an essential or important entity, seems clear, the criterion of not providing services jointly with linked or partner enterprises may raise interpretative doubts.

The legislator did not specify what criteria must be met to consider that two or more entities are providing services jointly. Is it sufficient that they offer similar services in the same market, or is some form of collaboration or interdependence required, such as sharing infrastructure or resources?

Additionally, the "self-identification" model applied in the law shifts the burden of assessment onto the entity itself. This creates the risk of subjective evaluations, which may be motivated by a desire to avoid additional cybersecurity-related obligations. The lack of clear guidelines on how to assess whether entities are jointly providing a service may lead to inconsistency in the application of the regulations and potentially weaken the effectiveness of the entire cybersecurity system.


REGULATORY DIFFERENCES IN GERMANY

In our opinion, the issue of determining the size of an enterprise in the context of the implementation of the NIS2 Directive constitutes one of the key regulatory issues. The German legislator has adopted a different approach, which is regulated in §28(3) of the BSIG-E draft [8].

The basic assumption is the application of the criteria specified in Commission Recommendation 2003/361/EC [9], with the exclusion of the application of Article 3(4) of the Annex to this recommendation. This means that, in principle, when calculating the size thresholds of an enterprise, data from partner and related enterprises must be taken into account.

The German regulation provides for two possible interpretative approaches. According to the first, only those employees or turnover that serve the activities of the given enterprise should be considered. According to the second interpretation, in the case of dependent IT processes, all indicators of a linked or partner enterprise are to be considered.

A key element of the German regulation is the exclusion mechanism, under which data from partner or linked enterprises are not considered if the enterprise demonstrates independence in terms of information systems. Importantly, this independence is assessed from three perspectives: legal, economic, and factual, and applies to both the acquisition and operation of information systems, their components, and processes.

This approach by the German legislator differs from solutions adopted, among others, in Poland. The German regulation focuses exclusively on IT-related aspects, taking a more technical approach to the issue of entity independence.

The adopted solution could have significant practical implications for capital groups in which individual companies maintain autonomy in managing their IT infrastructure. In such cases, even if the entities are linked in terms of capital, they may be treated as independent under the national regulations implementing the NIS2 Directive.

However, it should be noted that assessing independence in terms of information systems may, in practice, pose interpretative difficulties, especially considering the need to account for all three aspects: legal, economic, and factual. The practical application of these regulations will reveal how supervisory bodies approach the verification of IT independence criteria.

BSJP bnt team, in collaboration with cybersecurity specialists, provides comprehensive advice on meeting the requirements set out in the NIS2 Directive. Should you have any questions regarding the changes, we encourage you to contact our experts Marcin Kroll (marcin.kroll@bsjp.pl) and Rafał Wieczerzak (rafal.wieczerzak@bsjp.pl).
[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148

[2] https://legislacja.gov.pl/docs//2/12384504/13055217/13055218/dokument695596.pdf

[3] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union

[4] https://legislacja.gov.pl/projekt/12384504/katalog/13055207#13055207

[5] https://legislacja.gov.pl/docs//2/12384504/13055217/13055218/dokument687141.pdf

[6] https://legislacja.gov.pl/docs//2/12384504/13055217/13055218/dokument693213.pdf

[7] https://legislacja.gov.pl/docs//2/12384504/13055217/13055218/dokument693217.pdf and https://legislacja.gov.pl/docs//2/12384504/13055217/13055218/dokument695598.pdf

[8] https://www.bmi.bund.de/SharedDocs/gesetzgebungsverfahren/DE/Downloads/referentenentwuerfe/CI1/NIS-2-RefE-24062024.pdf?__blob=publicationFile&v=2

[9] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (notified under document number C(2003) 1422), (2003/361/EC)