- NIS2 -

Network and Information Security Directive 2
NIS2 – The New EU Cybersecurity Directive
 

NIS2 (Network and Information Security Directive 2, Directive (EU) 2022/2555) is an updated European Union directive aimed at significantly strengthening cybersecurity across member states. It was adopted in December 2022, entered into force in January 2023 and replaces the original NIS directive from 2016. Each EU member state had to transpose it into national law by 17 October 2024, and the transposed rules apply to regulated entities from 18 October 2024. Because it is a directive and not a regulation, the exact obligations an organization faces come from the national transposition law, which may go beyond the directive's minimum requirements.


What does NIS2 regulate?

NIS2 defines new, expanded minimum requirements for the security of network and information systems, cybersecurity risk management, incident handling, and incident reporting to national authorities. It also sets a baseline for supervision and enforcement that every member state must implement.


Key regulatory areas:
  • Protection of critical infrastructure, including:
    - Energy
    - Transportation
    - Banking and finance
    - Healthcare
    - Water and wastewater
    - Digital sector (e.g., cloud providers, online platforms)
    - Telecommunications
    - Public administration
  • Risk management and incident handling:
    - Risk analysis and information-system security policies
    - Technical protection measures (access control, encryption, multi-factor authentication, secure communications)
    - Business continuity, backup and disaster recovery, and crisis management procedures
    - Supply chain security, including the security of relationships with direct suppliers and service providers
    - Incident reporting: an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month
  • Organizational and technical requirements:
    - Staff training
    - Audits and controls
    - Regular risk assessments
 
 
 
Who does NIS2 apply to?
 

NIS2 significantly expands the scope of regulated entities. It drops the older distinction between "operators of essential services" and "digital service providers" and instead classifies in-scope organizations as either essential entities or important entities, with stricter supervision and higher fines for the former. The sectors covered include:
  • Essential-sector operators: energy, transport, banking and financial market infrastructures, healthcare, drinking water and wastewater, space
  • Digital infrastructure and ICT service providers: hosting, cloud services, data centres, DNS and TLD registries, managed (security) service providers
  • Digital providers: online marketplaces, search engines, social networking platforms
  • Public administration: central government and, where the member state chooses, regional and local government
  • Further sectors such as postal services, waste management, chemicals, food, manufacturing of critical products, and research
Note: By default NIS2 applies to medium-sized and large organizations in these sectors (roughly 50 or more employees, or annual turnover above EUR 10 million). Small and micro enterprises are caught only in specific cases, for example when they are the sole provider of a service in a member state, when a disruption would have a significant impact on public safety or security, or when they provide certain services (such as DNS, TLD registries, or trust services) regardless of size.



 Key obligations for organizations
 
  • Risk assessment and preventive measures – organizations must identify threats and implement appropriate, proportionate safeguards. The directive lists the minimum areas these measures must cover, including risk analysis, incident handling, business continuity and backup, supply chain security, secure acquisition and development of systems (including vulnerability handling and disclosure), cyber hygiene and training, cryptography and encryption, human resources security and access control, asset management, and the use of multi-factor authentication and secure communications where appropriate. Concrete controls such as firewalls, intrusion detection, and network segmentation are typical ways to implement these areas, not requirements named in the directive itself.
  • Security policies and procedures – each entity must have documented security policies, incident management procedures, and business continuity and crisis management plans, and must be able to demonstrate them to the supervisory authority.
  • Incident reporting – early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours (including an initial assessment of severity, impact and indicators of compromise where available), and a final report within one month.
  • Board-level responsibility – the management body must approve the cybersecurity risk management measures, oversee their implementation, and follow cybersecurity training; its members can be held liable for breaches of these obligations.
  • Audits and inspections – supervisory bodies can conduct inspections, targeted security audits and security scans, request evidence of compliance, and impose penalties for non-compliance.
  • Training and competency development – companies must provide regular cybersecurity training for their staff and management.



NIS2 Supervisory Authorities
 
Each EU country must designate one or more competent authorities responsible for supervising and enforcing NIS2, a single point of contact for cross-border cooperation, and one or more CSIRTs to receive incident reports and support incident handling.
In Poland, this could be the Ministry of Digital Affairs or a specially designated body, depending on the national transposition law.
At the EU level, coordination is handled through the NIS Cooperation Group and the CSIRTs network, with ENISA (European Union Agency for Cybersecurity) providing support and maintaining the European vulnerability database.




Penalties for Non-Compliance
 
Organizations that fail to comply with NIS2 regulations face strict penalties:
  • Financial fines – for essential entities up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities up to EUR 7 million or 1.4% of turnover, whichever is higher
  • Binding instructions and mandatory corrective actions, with deadlines to implement them
  • For essential entities, in extreme cases, temporary suspension of certifications or authorisations for the affected services, and a temporary ban on individuals at management level (such as the CEO) from exercising managerial functions until the breach is remedied




Registration and Compliance
 
NIS2 requires each member state to maintain a list of its essential and important entities, and in-scope organizations must submit their identifying details (name, sector, address, contact information, and IP ranges where relevant) to the competent authority so they can be registered; the exact procedure and deadlines depend on the national transposition law. Beyond registration, organizations must be prepared for audits, inspections, and reporting. In some countries, periodic compliance reports or self-assessments may also be mandatory.