Is your organization ready for NIS2? - safesqr | we make your cybersec

As early as October 2024, changes in the cybersecurity world will take effect across the European Union due to the NIS2 directive. What does it consist of? Who does it apply to? How to prepare for the changes?

Adam Przybylski, an expert responsible for contacting Safesqr's key customers, answers questions about NIS2.

What is NIS2?

NIS2 is the new implementation of cybersecurity requirements, which formally entered into force on January 16, 2023. EU countries, including Poland, have until October 2024 to implement this directive. There are quite a few changes, so it is worth making good use of this time.

What are these changes?

The main ones are a significant expansion of the scope and the extension of validity to new entities such as public administration, industry, waste management, postal services, chemical and food production. There has also been a significant increase in the amount of fines, which are now up to €10 million or 2% of a company’s total worldwide turnover.

What obligations does NIS2 bring in?

NIS2 mandates specific risk management solutions, such as risk analysis and information systems security policies, incident management, business continuity and crisis management policies, procedures for assessing the effectiveness of risk management and security.

How many companies will be covered by this directive?

It is estimated that in Poland it will be up to several thousand companies. Compared to the several hundred companies covered by the current NIS directive, this is a very significant increase. The regulations have become mandatory for new entities that previously remained outside these regulations. The “entry threshold” has also been lowered, meaning that even medium-sized companies, i.e. those with more than 50 employees, will already be addressed. The names of the types of entities have also changed, introducing a division into key and important sectors.

How to prepare and where to start?

If I were to give any advice, I would start by checking whether these changes will apply to my organization. If the answer is positive, a gap analysis should be done, that is, an indication of what is missing for my organization to be compliant with NIS2 and its national implementation, in the form of the National Cyber Security System Act. The important thing is that the start of the directive in October 2024 means that from then on we must already be in compliance.

That is, all the work involved in complying with the requirements should be done before that date!

Do you want to check if your organization is ready for NIS2?

 
