Implementation of the NIS2 Directive

The NIS2 Directive and its Polish implementation – the National Cybersecurity System Act (Krajowy System Cyberbezpieczeństwa, KSC) – introduce organizational and technical regulations aimed at ensuring an appropriate level of digital protection for essential enterprises. All for One Poland supports organizations throughout the entire security lifecycle – from a baseline audit, through all all required adaptation stages (organizational and technical), to the Security Operations Center service.

The NIS2 Directive (Directive of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity) is a new version of the NIS Directive. Its aim is to increase the level of cybersecurity in the European Union. NIS2 introduces new responsibilities for Member States and expands the scope of entities subject to obligations.

The introduced requirements demonstrate synergies with the global standards ISO/IEC 27001 and ISO/IEC 27002, which define the framework for an Information Security Management System.

The National Cybersecurity System (Krajowy System Cyberbezpieczeństwa, KSC) is an organized system designed to ensure cybersecurity at the national level through the coordination of activities and information exchange between enterprises, institutions, and public authorities. Its primary goal is to protect critical infrastructure and ensure the continuity of services in key industries.

The legal basis is the National Cybersecurity System Act, in effect since August 28, 2018, which implements the NIS Directive into Polish law. Work is currently underway on an amendment to the Act to align it with the expanded NIS2 requirements.

By implementing the requirements described in the aforementioned standards and obtaining certification from an accredited body, a company can demonstrate compliance with the obligations imposed by the Act. Effective implementation of the standard also facilitates demonstrating compliance with the General Data Protection Regulation (GDPR). Entities subject to the regulations that fail to meet the Act’s requirements are subject to significant financial penalties imposed by the relevant cybersecurity authorities.

The regulations apply to two groups of companies – those in important and essential sectors – which are subject to obligations related to cybersecurity management. Higher requirements apply, among others, to sectors such as energy, transportation, drinking water suppliers, and digital service providers. To a somewhat lesser extent, the new obligations must be met by companies in important sectors, such as postal services, waste management, food producers and distributors, and selected subsectors of industrial manufacturing (e.g., automotive).

In practice, this means that thousands of private and public entities will be required to meet a range of new cybersecurity requirements, including system auditing, penetration testing, and incident response.

Adaptation to NIS2/KSC

Compliance with the regulations is typically a multi-month project, during which an organization should, among other things:

implement risk management
establish appropriate regulations for security and business continuity, with particular emphasis on cybersecurity
provide solutions supporting multi-layered protection against threats
conduct training for senior management and employees
prepare solutions for ongoing threat analysis and incident reporting.

Drawing on over a decade of experience in implementing, auditing, and maintaining Information Security Management Systems and other management standards, All for One ensures clients meet the expectations arising from the directive and the act, particularly through expert assistance in implementing integrated information security systems based on the requirements of ISO 27001 and TISAX, as well as extending already implemented standards to include the specific requirements of the aforementioned standards.

We conduct baseline audits to assess an organization’s preparedness to meet NIS2 requirements and its readiness for certification. We also provide a 24/7/365 Security Operations Center service.