The modern, digitized world brings not only new opportunities but also serious threats in the form of cyberattacks. To address these challenges, the European Union has adopted the NIS2 Directive, which introduces new cybersecurity risk management requirements for companies operating in key sectors of the economy. The directive aims to raise the level of digital security in member states and ensure consistent standards for the protection of critical infrastructure. The NIS2 Directive encompasses a wide range of obligations and procedures that companies and public institutions must follow. In this article, we take a closer look at the key aspects of the new regulation and show how Wazuh, an open-source solution, can help meet the directive’s requirements.
Who does the NIS2 directive apply to?
The NIS2 Directive covers a wide range of entities operating in sectors critical to the functioning of society and the economy of the European Union. It requires special attention to cybersecurity from organizations that have a significant impact on public, economic, and health security. Here are the sectors covered by the regulations:
- Energy – including systems for the production, distribution, and transmission of electricity, gas, hydrogen, and oil.
- Transport – air, rail, water, and road transport.
- Banking and financial market infrastructure – credit institutions, trading system operators, and central counterparties.
- Health – entities providing healthcare, manufacturers of essential pharmaceuticals and critical medical devices.
- Drinking water – water supply systems.
- Sewage – management of sewage disposal systems.
- Digital infrastructure and selected digital services – data center service providers, cloud computing providers, public communication networks, trust service providers, and network and IT system administrators.
- Public administration – key units ensuring the continuity of state operations.
- Space – sectors related to the exploration and use of outer space.
- Chemicals – production, storage, and distribution of chemical substances.
- Food – production, processing, and distribution of food products.
- Specific fields of production – including the production of medical, electronic, optical, machinery, and transport equipment.
What is the NIS2 directive?
The NIS2 Directive, which came into effect on January 16, 2023, is a European legal act aimed at strengthening the common level of cybersecurity in EU member states. It covers key sectors such as digital infrastructure, transport, health, and energy, imposing on essential and important entities the obligation to implement cybersecurity risk management measures and report incidents.
Purpose and context of the NIS2 directive
The NIS2 Directive was introduced in response to the increasing number and sophistication of cyberattacks that threaten key sectors of the economy and public safety. Its main goal is to create a uniform level of protection for digital infrastructure in EU member states. NIS2 imposes on enterprises the obligation to implement effective risk management measures and mechanisms for responding to cybersecurity incidents. The directive particularly emphasizes the importance of cooperation between member states and the harmonization of actions regarding data protection and IT systems. By establishing uniform standards, NIS2 aims to counteract the fragmentation of regulations across different EU countries, which previously hindered effective protection against digital threats.
Revision and expansion of previous regulations, i.e., new obligations
NIS2 is an extension and update of the first NIS directive adopted in 2016. The new regulations introduce more stringent requirements for both the public and private sectors, taking into account the changing technological landscape and cyber threats. The scope of the directive has been significantly expanded to include new sectors such as water infrastructure, cloud service providers, as well as companies providing postal and courier services. One of the most important elements of the revision is the increased responsibility of company management for implementing cybersecurity policies. Organizations must also adjust their procedures to more detailed guidelines regarding supply chain security and incident management.
Implementation deadline and progress of work
The NIS2 Directive came into effect on January 16, 2023, and member states had until October 2024 to implement the regulations into national law. In Poland, intensive legislative work is underway to adapt national regulations to the new requirements. The implementing act for NIS2 will specify detailed obligations for enterprises and the operational principles of registers for essential and important entities. It will only come into force after the amendment of the Act on the National Cybersecurity System, which, according to the Ministry of Digital Affairs, is set to come into force in 2025.
Scope of the NIS2 Directive: Critical Sectors and Entities
Critical Sectors under the NIS2 Directive
The NIS2 Directive covers critical sectors essential for the functioning of society and the economy, such as energy, health, transport, and digital infrastructure. Specifically, these are sectors providing essential services, the disruption of which could have significant consequences for public safety or the economy. For example, in the energy sector, the directive includes companies involved in the production and transmission of electricity as well as operators of electric vehicle charging points. The directive also addresses new areas such as water and wastewater management, cloud service providers, and enterprises in the chemical and food industries. The inclusion of these sectors reflects their growing importance in the digital context and global security challenges.
Key Entities: Strict Requirements and Responsibilities
Key entities are the organizations with the greatest impact on the stability of the state’s infrastructure and the safety of society. They operate in sectors recognized as critical for the functioning of the country, such as:
- Energy – includes power plants, transmission and distribution operators that must implement systems to monitor threats and report any incidents to prevent interruptions in energy supply.
- Healthcare – hospitals and medical service providers are required to protect patient data and diagnostic systems from attacks that could threaten health and life.
- Transport – managers of airports, ports, and rail and road networks must secure logistics systems against disruptions.
- Digital Infrastructure – data centers, cloud service providers, and operators of critical network nodes must implement systems to prevent ransomware attacks that could block the availability of online services.
Specific Requirements for Key Entities
Key entities must meet strict regulatory requirements, including:
- Proactive Incident Reporting: Any serious incident must be reported within 24 hours of detection, with detailed reports required within 72 hours.
- Threat Monitoring and Detection Systems: These companies must have advanced tools, such as Wazuh, that enable continuous monitoring of infrastructure and real-time threat identification.
- Audit and Risk Assessment: Regular audits must identify vulnerabilities, and the implementation of risk management policies is mandatory.
- Incident Response Plan: There is an obligation to have detailed procedures in place for responding to cyberattacks.
Important Entities: Less Stringent Requirements, but Responsibility Remains
Important entities are also subject to NIS2 regulations, but to a somewhat milder extent. This group includes organizations of significant importance, but whose activities do not have a direct impact on national security. Examples of sectors include:
- Food Industry – e.g., food processing plants that are not part of critical infrastructure but may affect market stability.
- Retail and Wholesale Trade – retail chains responsible for the supply of products, especially in crisis situations.
- Small Technology Enterprises – providers of local IT services and digital applications that must maintain basic security standards.
Specific Requirements for Important Entities
The requirements for important entities are less stringent:
- Incident Reporting: Incidents are reported post factum (after occurrence), provided they have a potential impact on key sectors.
- Minimal Regulatory Oversight: These entities are not subject to regular audits unless serious incidents occur.
- Flexible Risk Management: The implementation of security measures remains more flexible, allowing adaptation to their smaller budgets and resources.
Obligations and Exceptions for Companies (Small and Medium Enterprises) Resulting from the NIS2 Directive
Small and medium enterprises (SMEs) are covered by the directive if they operate in critical sectors or have been classified as key by the relevant national authorities. NIS2 requires them to implement proportionate security measures that take into account the specifics of their operations. Some SMEs, such as those operating solely in low-risk sectors, may be exempt from the obligations arising from the directive. However, companies that are part of the supply chain of larger entities often need to adjust their procedures to meet the requirements of contractors.
Differences Between Key and Important Entities
| Criterion | Key Entities | Important Entities |
| --- | --- | --- |
| Scope of Regulation | Full NIS2 requirements | Partial requirements |
| Reporting Obligation | 24 hours to report an incident, 72 hours for a full report | Reporting after the incident occurs |
| Audit and Monitoring | Regular checks and audits | No regular audits |
| Sectors Covered | Energy, health, transport, digital infrastructure | Retail, food industry |
Why is the NIS2 Directive Important for Public Institutions?
Public institutions are particularly obligated to comply with the NIS2 regulations, as their activities are the foundation of the functioning of the state and society. Implementing the directive is crucial for:
- Securing Critical Infrastructure: Interruptions in the supply of energy, medical services, or transport operations can lead to social chaos.
- Protecting Citizens’ Data: State databases are frequent targets of cyberattacks, and breaches can have catastrophic consequences for national security.
- Ensuring Continuity of Operations: Public administration systems must be resilient to disruptions to maintain citizens’ trust.
Critical Infrastructure: Definition and Scope
Critical infrastructure includes systems and resources essential for the functioning of the state, such as energy, water, and food supply. The NIS2 Directive emphasizes the importance of protecting this infrastructure from cyber threats that could lead to severe social or economic disruptions. In particular, there is an emphasis on supply chain security and cooperation between sectors.
Self-Identification Mechanism: Procedure and Importance
Companies must self-determine whether they fall under the NIS2 directive by analyzing their size and scope of operations in the context of the regulated sectors. If they meet the criteria, entities must register in the registry maintained by the relevant national authorities. The self-identification mechanism is crucial for ensuring consistency in the implementation of the directive.
Incident Reporting Obligations
One of the main requirements of the directive is the obligation to report serious cybersecurity incidents to the relevant authorities, such as the national CSIRT. Enterprises must notify the authorities of incidents within 24 hours of detection and then provide detailed reports on the causes and effects of the event.
Voluntary Reporting: When and Why?
The directive also encourages voluntary reporting of cyber threats that may affect other market participants. This helps build a culture of trust and cooperation among entities, which raises the overall level of security.
NIS2 and International Coordination
International Cooperation for Cyber Resilience
Under the directive, member states are required to cooperate at the European level, exchange information, and coordinate actions in the face of cyber threats. The European Union Agency for Cybersecurity (ENISA) plays a key role in supporting states in the implementation of regulations.
Public Consultation Process and Impact on the Directive
In developing the directive, extensive public consultations were conducted, taking into account the needs of both the public and private sectors. As a result, NIS2 incorporates diverse perspectives and needs of enterprises in various member states.
How Does Wazuh Help Meet NIS2 Requirements?
The Wazuh platform is a comprehensive tool that supports both key and important entities in meeting the requirements of the directive. Here’s how it works:
- Real-Time Monitoring: Wazuh enables log analysis from multiple sources, allowing for quick incident detection.
- Vulnerability Management: The tool identifies weak points in IT infrastructure, which is essential for audits and risk assessments.
- Incident Response Automation: Through integration with SOAR systems, Wazuh automatically responds to threats, minimizing their impact.
- Regulatory Compliance: Wazuh supports compliance with standards such as ISO 27001 and PCI DSS, helping organizations achieve compliance with NIS2 regulations.
Black Rack can assist institutions in implementing Wazuh and other solutions compliant with the directive, providing comprehensive consulting and deployment services.