
The NIS 2 Directive and the amendment to the uKSC
The following analysis begins a series of posts on the obligations and sanctions arising from the new NIS 2 Directive and from the draft amendment to the Act on the National Cybersecurity System.
Poland anticipates passing the draft act in 2025.
In this part of the series, we present general information about the NIS 2 Directive and identify the entities it applies to.
What is the NIS 2 Directive?
The NIS 2 Directive, that is, the Directive on measures for a high common level of cybersecurity across the Union, aims to strengthen cyber protection in the European Union.
This is to be achieved by harmonizing IT security standards throughout the Union and adapting them to new threats.
This is prompted by the continuous growth of cybercrime.
The NIS 2 Directive establishes general cybersecurity standards for essential and important entities.
Who will be affected by the new regulations?
Both the NIS 2 Directive and the amendment to the Act on the National Cybersecurity System (uKSC) broaden the range of entities subject to the new requirements compared with the previously applicable NIS 1 Directive.
A division into essential and important entities has been introduced.
Under the rule set out in the draft amendment to the uKSC, essential entities are those listed in Annex I to the uKSC that are at least large enterprises, while important entities are those listed in Annex I or Annex II to the uKSC that are at least medium-sized enterprises.
Medium-sized enterprises are considered to be enterprises that employ at least 50 people or whose annual turnover and/or annual balance sheet total exceeds EUR 10 million.
A large enterprise, in turn, is one that employs 250 or more people, or one that, despite a smaller workforce, has exceeded both financial criteria (annual turnover exceeding EUR 50 million and total annual balance sheet of EUR 43 million).
Sectors listed in Annex I to the uKSC:
energy (extraction of minerals, electricity, heat, oil and fuels, gas and nuclear power, hydrogen);
transport (air transport, rail transport, water transport, or road transport);
banking and financial market infrastructure;
healthcare (provision of healthcare services and public health, production and distribution of active substances, medicinal products, and medical devices);
drinking water supply;
wastewater collection and treatment;
digital infrastructure;
ICT service management;
space;
public entities.
Sectors listed in Annex II to the uKSC:
postal services;
waste management (waste collection, waste transport, waste processing, activities carried out as a waste dealer or broker);
manufacturing, production, and distribution of chemicals;
production, manufacturing, and distribution of food;
manufacturing in other areas (medical devices and in vitro diagnostic medical devices, computers, electronic and optical products, electrical equipment, machinery and equipment not elsewhere classified, motor vehicles, trailers and semi-trailers, other transport equipment);
scientific research;
digital service providers.
The changes will, however, also cover entities that do not meet the size requirements, that is, entities smaller than medium-sized enterprises.
This applies to: DNS service providers; trust service providers (for example, electronic signatures); investors in or operators of nuclear power facilities; critical entities; essential entities; public entities; entities operating a top-level domain (TLD) name registry.
The Ministry of Digital Affairs may also decide by way of an administrative decision that specific state legal persons will be subject to the obligations arising from the NIS 2 Directive.
In such a case, the Ministry classifies the given entity as an essential entity if it meets specific criteria.
Such classification may result from an assessment of the company's role for society, the economy, specific sectors, or types of services, where the public tasks it performs are of significant importance at the national level, or where their disruption would pose a serious threat to state security, public safety and order, defense, or public health.
Key changes introduced by the NIS 2 Directive
A broader range of entities subject to regulation: compared with the previously applicable NIS 1 Directive, the NIS 2 Directive extends the range of regulated entities to include, among others, digital service providers, the manufacturing sector (which covers, among other things, the production of computers, electronic and optical products), and the scientific research sector.
Obligation to manage cyber risk: the new provisions impose on entities the obligation to introduce technical and organizational measures to manage cybersecurity-related risk.
Incident reporting: entities will be required to report security incidents within 24 hours of detecting them, which requires increased operational readiness and the implementation of monitoring systems.
Amendment to the Act on the National Cybersecurity System
In order to implement the EU regulations into the Polish legal system, the uKSC will be amended.
The amendment aims to align national law with European standards.
However, the Polish legislator is introducing changes relative to the NIS 2 Directive, including by extending or modifying the catalog of entities that must comply with cybersecurity requirements.
In some cases, the amendment to the uKSC may also cover small and medium-sized enterprises, which under NIS 2 would be exempt from such obligations.
During the consultation, public consultation, and opinion-gathering process, 1,567 comments were submitted on the first draft of the amendment to the act.
These comments have already been reviewed, and a new draft of the amendment to the act has been published.
As a result, for example, the time for telecommunications operators to submit an early warning was extended from 12 hours to 24 hours.
Summary
The NIS 2 Directive and the amendment to the Act on the National Cybersecurity System introduce a range of changes aimed at improving the protection of infrastructure and cybersecurity in the European Union, including in Poland.
The new provisions mean that enterprises operating in key sectors will need to adapt to higher standards of risk management and to incident reporting obligations.
To adapt effectively to the new requirements, it is worth conducting an audit of existing cybersecurity systems now and implementing appropriate protective measures.
We will help you assess whether your company is covered by the NIS 2 Directive and adapt it to the new requirements.
Contact us to learn more!
Author: Agnieszka Stasiak

