NIS2 Audit

NIS2 is a new, updated directive on network and information systems security in the European Union. This directive is an extension of the previous NIS (Network and Information Security) directive and aims to strengthen the level of cybersecurity across the EU.

The primary objective of NIS2 is to increase resilience against cyberattacks throughout the Union by improving cooperation between member states and establishing stricter cybersecurity regulations.

The NIS2 directive, as an extension and update of the previous NIS directive, covers a broader range of entities than its predecessor:

1. Operators of Essential Services (OES): Entities from sectors considered essential for society and the economy, such as energy, transport, healthcare, water supply, digital infrastructure, finance, digital service providers, public administration, and the space sector.
2. Digital Service Providers: Including online platforms, cloud services, data centers, and search engines.
3. Public Sectors: Under NIS2, all EU member states are required to implement appropriate cybersecurity measures in their public institutions.
4. Expanded Definitions: NIS2 broadens the definitions of sectors covered by the directive, adding new categories such as the space sector and the critical raw materials production sector.

From the date the directive came into force, January 16, 2023, EU member states have 21 months to implement its provisions into national law. The original plan aimed for this to be completed by October 17, 2024. However, on October 7, the Ministry of Digital Affairs announced that the likely implementation date will be at the beginning of 2025.

Yes, the directive introduces rules for imposing financial penalties. The amount of the fines will depend on various factors, such as the type and scope of the violation, its duration, the financial capacity of the entity, and the level of its cooperation with supervisory authorities.

We recommend implementing advanced firewall systems, IDS/IPS solutions, identity and access management tools such as NAC, MFA systems, network monitoring tools, and user behavior analysis solutions. All our technologies comply with the latest NIS2 requirements.

Our approach to implementation includes a preparatory phase, where we define the scope and objectives, followed by the implementation phase, during which we deploy the solutions. The final phase is maintenance and optimization.

The standard implementation timeline consists of:

1. Preliminary analysis (2-4 weeks)
2. Implementation (8-12 weeks)
3. Testing and optimization (4-6 weeks)

The amendment to the National Cybersecurity System Act (KSC) aims to align Polish law with the EU’s NIS2 directive and strengthen the national system of protection against cyber threats.

The KSC Act introduces mandatory risk analysis for businesses, with the scope of obligations dependent on the risks associated with their activities. The new regulations require the implementation of security standards within six months and the first audit to be conducted within two years. The required measures must be adapted to the level of risk and the latest cybersecurity knowledge standards.

The uKSC amendment also introduces the obligation for employee training, the appointment of responsible staff members, and the documentation of security incidents.

Our clients include companies and organizations operating in various industries. We support clients in sectors such as manufacturing, warehousing, transportation, healthcare, as well as public administration and local government units.