
European response to cyberwar. NIS-2 – an opportunity for increased levels of cyber security?

30/09/2022

More than two months ago, on 13 July, after a political agreement was reached between the European Parliament and EU Member States, the European Parliament’s Committee on Industry, Research, Telecommunications and Energy approved a draft directive on measures for a high common level of cyber security within the Union, repealing Directive (EU) 2016/1148, the so-called NIS2 Directive. We are currently waiting for its approval by the European Parliament and then by the Council, after which the new law will be published in the Official Journal, and 20 days later the directive will enter into force. For Member States, this moment will mark the start of a 21-month period for the implementation of the directive in national legal orders. In Poland, this will be done by adopting a new (or amending an already existing) relevant law on cyber security.


The differences between NIS and NIS2

The main differences between the first – still in force – cyber security directive, i.e. the Network and Information Security (NIS) Directive, and NIS2 concern three areas: the ‘obliged entities’, the technical and organisational measures to be implemented, and the reporting of incidents and threats. In each of these areas, NIS2 broadens the scope compared to the provisions of the NIS Directive.

In the NIS2 Directive, ‘obliged entities’ have been divided into two categories: key entities, which include, inter alia, cloud computing service providers, data centre service providers and content delivery network service providers; and relevant entities, which include, inter alia, search engine providers, trading platform providers, social network providers and courier service providers. Both categories are obliged to prepare and implement appropriate cyber security procedures and measures, and to report to the relevant authorities both incidents and cyber threats that may result in a significant incident.

NIS2 introduces stricter supervisory measures for national authorities, as well as stricter enforcement requirements, and aims to harmonise sanction regimes across Member States. The responsibility for ensuring cyber security will also be placed on those who manage the entities obliged by the directive.

Regulation at an EU level seems to be a necessary step

The regulation, at an EU level, of such a crucial issue as cyber security – especially today – seems to be a necessary step. However, as is usually the case with EU regulations, there is a risk that introducing such a law will be more of a burden for those subject to it (especially in terms of implementing additional measures, creating documentation, etc.) than a real tool for defending the rights whose protection was the rationale for its enactment. This risk has materialised, for example, with respect to the General Data Protection Regulation (RODO), which has translated very little into actual protection of personal data and rather more into the production of documents and the inundation of data subjects with often incomprehensible information.

NIS2 seeks to increase the level of cyber security primarily through two tools: the obligation for entities subject to its provisions to create appropriate documentation and procedures, and the reporting obligation (covering both incidents and cyber threats) imposed on those entities. Used in the right way, these tools can achieve the intended purpose of the new regulations, but only under certain conditions.

Human beings – the weakest link

First of all, it must be taken into account that the weakest link in the area of cyber security in any organisation is the human being. Machines follow all instructions without questioning them, whereas humans are guided by many different factors when making a decision (e.g. whether or not to share information with someone), and that decision is not always in line with the procedures that apply to them. In addition, a person is easily manipulated, especially when so much information about them is publicly available online.

Thus, in order for an organisation’s documentation, created under the NIS2 requirements for dealing with given cyber security situations and for the measures taken to increase the level of cyber security, to be effective and applicable, those who will be required to comply with it need to understand why and for what purpose the various rules are put in place. They should also be aware of the consequences of not complying with them in various cases. It is therefore of the utmost importance that these persons are well and practically trained, and that they are involved in the creation of the rules to which they will then be subject. These rules must reflect, and fit in as much as possible with, how the organisation has actually functioned to date. It is pointless to create artificial obligations that have no chance of being observed in the organisation’s current state. Of course, to the extent that the actual state of the organisation does not correspond at all to the requirements of the directive, it is the status quo that must be adapted to the directive’s provisions (and not vice versa), but this requires prudence and time if the new rules are to be respected at all by those operating within the organisation.

Undoubtedly, it will be more effective to introduce the obligations that NIS2 imposes in an evolutionary manner than to implement them in the short time between the enactment and the entry into force of the Polish law transposing NIS2. Given that the ultimate purpose of the Directive is to harmonise the legal orders of Member States, it may be assumed that national legislation will not deviate significantly from its provisions, so obliged entities can already start implementing the new rules on that basis now.

Main objective

Equally important will be the practice of application of the Directive’s provisions by the obliged entities. Practice developed at the outset will then be replicated. This places a heavy responsibility on the largest entities subject to the Directive’s provisions, which will initially be the focus of attention for the other smaller players within the markets covered by cyber security requirements. Prudent, rational and informed implementation of the obligations under NIS2 seems likely to achieve the expected goal of increasing the level of cyber security across the European Union, which is worth the effort and commitment of the obliged entities.


Paulina Wyrostek

Attorney-at-Law, Counsel at B2RLaw

Media & Technology, Cybersecurity, Intellectual Property
