PREPARE YOUR COMPANY FOR NIS-2

What is NIS-2 and why does it matter for your company?

NIS-2 is a European Union directive aimed at raising cybersecurity standards and enhancing organisations’ resilience to threats. It introduces uniform requirements across the EU, obliging businesses to implement appropriate protective policies.

In Poland, the NIS-2 directive will primarily be implemented through amendments to the National Cybersecurity System Act. Work is already underway, and although the timeline for adopting these regulations is not yet known, organisations will have limited time to adapt to the new requirements once they come into effect.

This means it is advisable to start preparations now.

WHICH COMPANIES WILL BE COVERED BY NIS-2?

Who does NIS-2 apply to?

The scope of entities covered by the NIS-2 directive is unprecedentedly broad.

It includes sectors such as energy, transport, banking, public administration, manufacturing, machinery, electronics, digital services, and courier services.

Moreover, it also applies to sectors not typically associated with cybersecurity, such as food production, chemicals, and healthcare – and this is still not a complete list!

The directive specifies a list of essential and important entities subject to the new regulation. Regardless of size and turnover, small and micro enterprises may also fall under NIS-2 and be classified as essential if their activities relate to specific sectors.

It is estimated that the directive will directly and indirectly cover around 30 000 enterprises in Poland.

Essential entities

Criteria:

  • more than 250 employees, and
  • annual turnover of more than EUR 50 million and/or
  • annual balance sheet total of more than EUR 43 million.

Economic Sectors:

  • Energy:
    • Electricity
    • District heating or cooling system
    • Oil
    • Gas
    • Hydrogen
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water supply and distribution
  • Wastewater
  • Digital infrastructure
  • Management of ICT services (between enterprises)
  • Public administration
  • Space

Important entities

Criteria:

  • more than 50 employees, and
  • annual turnover of more than EUR 10 million or
  • annual balance sheet total of more than EUR 10 million.

Economic Sectors:

  • Postal and courier services
  • Waste management
  • Production, manufacturing, and distribution of chemicals
  • Production, processing, and distribution of food
  • Production:
    • medical devices
    • computers
    • electronic and optical products
    • electrical equipment and machinery
    • motor vehicles, trailers, and semi-trailers, as well as automotive parts
    • ships, aircraft, and boats
  • Digital services
  • Scientific research

TASKS FOR THE COMPANY

What obligations do entrepreneurs have?

Entities covered by the NIS-2 directive will be required to take various actions to ensure protection against cyber threats, including:

  • Systematic risk assessment
  • Risk management
  • Prevention, detection, and response to incidents
  • Implementation of technical and organisational measures
  • Monitoring vulnerabilities to cyber threats
  • Ensuring supply chain security

TASKS FOR ENTREPRENEURS

Why should this interest you?

Even if your company is not directly subject to the new regulations, they may indirectly apply through the requirements set by suppliers in the supply chain.

Every company covered by the directive must ensure the security of its partners, which means that either your company will have to pass the requirements on to its suppliers, or additional requirements may be imposed on your enterprise.

RISKS FOR ENTREPRENEURS

Consequences for entrepreneurs

Non-compliance with the new regulations can lead to serious consequences:

High financial penalties:

  • at least EUR 10 million or 2% of annual turnover (for essential entities)
  • at least EUR 7 million or 1.4% of annual turnover (for important entities)
  • individual penalty of up to 600% of the salary for the person responsible for the cybersecurity area
  • liability of management, including prohibition from holding executive positions
  • suspension of licences or permits

In addition to direct financial penalties, non-compliance can also harm the company’s reputation, leading to a loss of trust among customers and business partners. In today’s globalised world, where data security is a priority, failure to adhere to regulations can have long-term negative consequences for any organisation.

OUR SERVICES

How can we help?

As NGL Group, we offer comprehensive, integrated support in adapting your company to the NIS-2 requirements, combining legal expertise with in-depth knowledge of organisational security aspects and the technological competencies of our experts and trusted partners.

Everything under one roof – we handle the entire process, from documentation analysis to implementing changes and providing practical operational support, allowing our clients to focus on business growth without worrying about compliance with regulations.

Audit and recommendations for change

We conduct a detailed legal, organisational, and technological audit to assess your company’s current compliance status with the new regulations. We will identify areas needing improvement and develop a plan for implementing the necessary changes.

Implementation of recommendations

We will help prepare the necessary changes to the documentation, oversee the implementation of technical requirements, and organise training for the team.

Ongoing support and compliance with NIS-2

We will provide ongoing support in maintaining compliance with the NIS-2 implementation law and new requirements resulting from emerging threats. We also offer incident reporting assistance to minimise the impact on your organisation.

We guarantee full implementation compliance once the law is published in Poland

Work on implementing the NIS-2 Directive into Polish law is still underway. As part of our services, if the Polish regulations differ in any way once the law is published, our team will make the necessary corrections and final changes free of charge.

However, it is worth starting preparations now.

Contact us

Make an appointment with our expert and find out how we can help your company meet NIS-2 requirements.

Krzysztof Wiater, Ph.D.

strategic advice & business consultancy
corporate m&a
defence & public security
mediation & arbitration


Managing Partner
Attorney-at-law
Corporate M&A
Defence & Public Security
Mediation & Arbitration

Marek Grzywacz, Ph.D.

energy, oil, gas & renewables


Partner
Attorney-at-law
Energy, Oil, Gas & Renewables