


NIS 2 Directive – who will it apply to?


by Michał Majnusz and Alicja Szyrner

7 October 2024


The NIS 2 Directive (Directive on measures for a high common level of cybersecurity across the Union), which took effect in 2023, lays down measures that aim to achieve a high common level of cybersecurity across the European Union.

The deadline for implementing the directive is 17 October 2024. Polish lawmakers are now working on the amended Cybersecurity Act, which will transpose the NIS 2 Directive.

Entities covered by NIS 2


The NIS 2 Directive significantly expands the list of entities covered by its regulations and harmonises obligations for essential and important entities. Whether an entity qualifies as essential or important is assessed based on the sector it operates in and the entity's size.

As of now, the bill implementing the directive divides sectors into sectors of high criticality and other critical sectors as follows:

Sectors of high criticality: energy, transport, digital infrastructure, manufacturing, banking and financial market infrastructures, health, drinking water – supply and distribution, waste water, ICT service management, public administration, space, manufacture, production and distribution of chemicals

Other critical sectors: waste management, digital providers, research, postal services

Essential entities


Essential entities are entities that provide services essential for the functioning of the economy and society in the sectors of high criticality. As a matter of principle, essential entities include large enterprises (i.e. those that have over 250 employees and whose annual turnover exceeds 50 million euros and/or whose annual balance sheet total exceeds 43 million euros) and smaller enterprises that meet the criteria of being highly critical to society, the economy, specific sectors or types of services.

Important entities


Important entities are entities whose operations have a significant impact on the functioning of the EU economy and society. Important entities include medium-sized enterprises that operate in the sectors of high criticality and medium-sized or large enterprises that operate in the other critical sectors.

As can be seen, the scope of entities that can qualify as essential or important is very broad. Notably, in most cases, it will be the enterprises themselves that will have to evaluate whether they qualify as an essential or an important entity and to assess on this basis to what extent they are covered by the NIS 2 Directive.

Duties and responsibilities


Essential and important entities will be required to appropriately manage the cybersecurity risk, i.e. to implement:

  • policies on risk analysis and information system security; 
  • incident handling; 
  • business continuity, such as backup management and disaster recovery, and crisis management; 
  • supply chain security;
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • basic cyber hygiene practices and cybersecurity training;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access control policies and asset management; 
  • the use of multi-factor authentication or continuous authentication solutions, where appropriate.   

If they fail to implement appropriate cybersecurity risk management measures, both entities and members of their management bodies may be held liable, including facing administrative fines to the tune of ten million euros or as much as 2% of the annual turnover of the breaching enterprise.

As the deadline for implementing NIS2 is approaching, don’t wait and check now if you qualify as an essential or an important entity. Our experts will guide you through this process – contact us!

Contact


Michał Majnusz

Attorney at law (Poland)

+48 882 786 777


Alicja Szyrner

Attorney at law (Poland)
