
NIS2 Directive
What is it and who does it concern?
What is NIS2?
NIS2 (Network and Information Systems Directive 2) is a European Union directive whose main objective is to increase the overall level of cyber resilience in member states. It aims to ensure that services critical to the economy and society are better protected against cyber threats.
In Poland, the NIS2 regulations will be implemented through an amendment to the Act on the National Cybersecurity System (KSC). The directive focuses on risk management, incident reporting, business continuity, and supply chain security.
Who does it concern?
Compared to its predecessor, the NIS2 Directive significantly expands the list of entities subject to cybersecurity obligations. It classifies them into two main categories, Essential Entities and Important Entities, which differ in, among other things, the level of oversight they receive and the sanctions they may face.
Essential Entities
Energy
ICT service management
Drinking water and sewage
Banks and financial institutions
Public administration
Transport
Health
Digital infrastructure
Space
Important Entities
Postal and courier services
Waste management
Scientific research
Chemical production
Digital service providers
Food production
Manufacturing
Enterprise size criteria
NIS2 covers medium and large entities operating in the above sectors. According to EU definitions:
Medium enterprises: 50-249 employees, and either annual turnover below EUR 50 million or a balance sheet total below EUR 43 million.
Large enterprises: 250 or more employees, and either annual turnover above EUR 50 million or a balance sheet total above EUR 43 million.
There are important exceptions where entities, regardless of size, are subject to NIS2. These include:
Providers of public electronic communications networks or publicly available electronic communications services.
Trust service providers (qualified and non-qualified).
TLD (top-level domain) registries and DNS service providers.
Selected public administration entities.
Entities that are the sole provider of a given essential service in a Member State.
Entities whose disruption of operations could have a significant impact on public safety, public order or public health.
Entities recognized as critical infrastructure.
Penalties for failure to comply with obligations
Essential Entities: maximum penalties of EUR 10,000,000 or 2% of annual turnover.
Important Entities: maximum penalties of EUR 7,000,000 or 1.4% of annual turnover.
In addition to financial penalties, supervisory authorities may apply other measures, such as issuing binding recommendations, ordering audits, temporarily suspending certifications or authorizations, and banning the persons responsible for violations from holding management positions.
NIS2 requirements in practice
NIS2 imposes specific managerial and technical responsibilities on covered entities. In practice, this means implementing or strengthening processes in the following areas.
Organizations must implement a formal, documented, and repeatable process for managing the risks associated with their network and information systems. It is not enough to react to problems as they occur; organizations must proactively identify potential threats (e.g., malware, phishing attacks, human error, hardware failures), assess their likelihood, and assess their potential impact (financial, operational, reputational).
This requires creating a risk register, performing regular risk analyses, and selecting and implementing appropriate security measures, both technical (such as firewalls, antivirus systems, and encryption) and organizational (such as security policies and access management procedures). Monitoring the effectiveness of these measures and periodically reviewing the entire process is also essential. Particular attention should be paid to supplier-related risks.
How can BCMLogic One help you adapt to NIS2?
Implementing the complex requirements of NIS2 can be challenging, especially for organizations that have traditionally managed these processes in a fragmented manner. An integrated GRC platform like BCMLogic One provides tools that support organizations in meeting key NIS2 obligations in a single, cohesive environment.
Risk Management
The Risk Management Module in the BCMLogic One application enables the creation of a central register of ICT risks, linking them to specific systems, services, and processes. The platform supports systematic risk assessment (inherent and residual) according to the selected methodology, documentation of existing security measures, and the creation and monitoring of Risk Management (mitigation) Plans via workflows. The KRI (key risk indicator) functionality allows threat levels to be monitored on an ongoing basis.

Incident Handling
The Incident Management Module provides a central registry for all security incidents. It facilitates their categorization, prioritization, and linkage to ICT resources. The module supports the definition of response plans (playbooks), management of response team tasks, and automation of communication and escalations. Reporting and audit trail functionalities help prepare the CSIRT reports required within 24 and 72 hours, as well as root cause analysis (RCA).

Supply Chain Security
The Vendor Management Module and the Survey and Audit Module facilitate maintaining a register of ICT suppliers and managing the related contracts and SLAs. A key function is support for the supplier risk assessment process, for example by sending and analyzing security surveys. Assessment results and the supplier's compliance status are linked to the supplier's record (card) in the system, supporting decision-making and risk monitoring in the supply chain.

Business Continuity
The Business Continuity Management Module supports conducting a Business Impact Analysis (BIA) that takes into account dependencies on ICT systems and services, allowing critical digital assets to be identified. The module supports the creation, management (versioning, approval workflow), and sharing of Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) specific to cyber incidents. The Testing functionality allows regular testing of these plans to be planned and documented.

Want to learn more about how BCMLogic One can help your organization prepare for NIS2? Contact us!
