Cybersec Update #2: How to prepare for NIS2
Seven months. That’s the maximum amount of time entities covered by the NIS2 directive will have to fully comply with the new requirements. In practice, it may be even shorter – the deadline for registration in the list of essential and important entities will be set by the Minister of Digital Affairs. The clock is ticking, and many organizations still don’t know whether and to what extent the new rules apply to them. Where should you start and how can you avoid being caught off guard? Here’s a roadmap for companies entering the world of NIS2.
Who are we? Entity status under NIS2
Just as every person at some point in life asks the fundamental question of who they are and what they should expect from themselves, every organization potentially subject to NIS2/KSC2 must begin by determining its status under these regulations. This is the first and crucial step – without it, we don’t know which specific requirements apply to us, or whether we have to comply at all. Determining this is often not straightforward: you need to take into account the sector in which the organization operates (the annexes to the directive and the act list the sectors concerned, and an entity in one of them is classified as either essential or important), as well as the size criteria (the number of employees and the annual turnover or balance-sheet total), since as a rule only medium-sized and large enterprises in those sectors are covered, with certain exceptions that apply regardless of size.
The act enters into force one month after its publication in the Journal of Laws, and the time to comply with its requirements is six months from that date – a total of seven months. However, we must not forget that we may have even less time to register in the list of essential and important entities. According to Article 34(3) of the act, the Minister of Digital Affairs will announce the schedule for submitting applications for entry into the list.
Gap audit – what do we have and what’s missing?
Once we determine that we are subject to the act and in what capacity (important/essential entity), it’s time to check whether and to what extent we meet the requirements. For this purpose, it’s worth conducting a so-called gap analysis to verify the organization’s readiness level.
As experience shows, many entities already partially have the appropriate legal and technical solutions in place – often without realizing it. A gap analysis will help inventory all of this and identify actual deficiencies.
Implementation – it’s more than just a few documents
Once we know what we have and what we’re missing, we can begin proper implementation. Contrary to what is sometimes believed, it will not be limited to drafting a few documents.
Real and full compliance with NIS2/KSC2 requirements must include comprehensive actions, such as:
- appropriately structuring the company’s organization and responsibilities
- conducting a risk analysis
- drafting and implementing necessary policies and procedures (e.g. information security policy, thematic policies)
- preparing document templates (e.g. supplier agreements, questionnaires)
- ensuring the necessary resources and technical measures (e.g. related to process automation and system monitoring)
- negotiating with ICT suppliers
- conducting regular training and security audits (for which appropriate contracts with specialized entities should also be concluded)
Compliance is a process, not a one-time effort
As one of the heroes of The Lord of the Rings might put it – the implementation ends, but the battle for NIS2 compliance is just beginning. One of the key requirements of the new regulations is the need for continuous verification of applied measures, proper oversight, and ongoing learning from exercises, tests, and daily practice.
Are ISO 27001 and 22301 enough?
In the previous edition of Cybersec Update, we analyzed whether implementing ISO standards automatically means compliance with NIS2/KSC2. The answer is: definitely not, although these certifications can significantly facilitate the adaptation process. ISO standards provide a framework consistent with the assumptions of NIS2, but they do not cover many of the specific requirements of the new regulations: from detailed rules for incident reporting (for example, the early warning within 24 hours and the incident notification within 72 hours of becoming aware of a significant incident that the directive requires) and precise audit timelines, to expanded personal liability of management bodies.
For more details on specific requirements, stay tuned for the next parts of the series, where together with Jarosław Straś and Andrzej Broniewski we’ll be breaking down NIS2.

