Directive on further costs and penalties

Administration and public services, as well as companies considered essential for the functioning of a given country, have only until October 18 of this year to adapt to the new EU directive on cybersecurity. They will have to “achieve compliance” with the cybersecurity regulations in force in the territory of the European Union. This adaptation will of course cost money. Anyone who delays or fails to take the appropriate actions will be threatened with penalties.

Who is affected by NIS2?

The directive will primarily apply to key entities. These are entities that, firstly, operate in one of ten sectors of the economy: energy, transport, banking and financial market infrastructure, health care, drinking water, sewage, digital infrastructure, ICT service management, space, or public administration. Secondly, they belong to the group of medium or large enterprises (employing more than 50 employees, with an annual turnover and/or annual balance sheet total exceeding EUR 10 million).

However, anyone who thinks that the directive does not apply to them because they meet none of the above conditions may be surprised. The NIS2 directive also covers microenterprises and small companies, as long as they, in the directive's own words, “fulfill a key role for society, the economy or specific sectors or types of services”. Examples include qualified trust service providers, DNS service providers and businesses that maintain name registries for so-called top-level domains.

What are “important entities”?

But that’s not all. The NIS2 Directive also introduces the concept of “important entities”: entities that do not meet the criteria for key entities, but whose activities are important for the proper functioning of the economy. These can be medium-sized entities operating in the “key” sectors listed above, and medium or large entities operating in the “important” sectors specified in Annex II to the NIS2 Directive.

It is easier to describe these companies by what they do: they provide postal and courier services, deal with waste management, process and distribute chemicals, process and distribute food, carry out industrial production and conduct scientific research. In practice, therefore, the directive applies to a great many businesses.

Companies are not ready

A joint report by the CSO Council, EY Polska and Trend Micro entitled “Waiting for NIS2: state of preparations” assessed the readiness of companies in Poland for the adoption of the new regulations. Overall, the report showed that businesses are unprepared on the technical, organizational and procedural fronts alike. To comply with the requirements of the directive, businesses should take numerous cybersecurity actions, paying particular attention to the protection of critical infrastructure, IT incident management and security audits.

Costs, costs, costs…

The actions that the NIS2 directive obliges businesses to take include updating IT systems, implementing IT security solutions and auditing their systems and procedures to check whether they are compliant with the provisions of the directive. The new regulations also force changes in the company’s business processes, which will likewise involve additional costs. Businesses will have to retrain their cybersecurity specialists, and if they do not have any, they will have to hire them.

All of this will cost money, as will constant monitoring of systems, developing a response plan for IT incidents, regular reporting on readiness, and security audits.

Penalties, penalties, penalties…

The introduction of NIS2 brings with it the risk of sanctions for non-compliance with the regulations. Financial penalties and other consequences are foreseen. These penalties can be significant, and their amount will depend on the type of violation, the sensitivity of the data being secured and the scale of the company’s operations.

For example, a business will be fined if it fails to secure its systems and data in accordance with the requirements of the NIS2 directive. Penalties also apply for failure to report security incidents.

The exact amount of the fines will depend on the provisions of national law (primarily the Cybersecurity Act) and the so-called individual circumstances.