NIS2 and KSC

Why is NIS2 not worth being afraid of? Waiting for national regulations

The NIS2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council) is generating a lot of excitement in the business community. It aims to strengthen the level of cyber security in the European Union, but businesses often receive conflicting information about what they should do and when. The web is full of alarmist messages urging immediate compliance with the directive’s requirements. What is the reality? We explain why it makes sense to wait for national regulations instead of acting under the pressure of marketing messages.

Why is it crucial for national laws to implement NIS2?

EU directives, such as NIS2, are not directly applicable. Unlike EU regulations, they must be implemented by national legislation, which will adapt the regulations to the specifics of the country. In Poland, the key document in this regard is the amendment to the Law on the National Cyber Security System (KSC).

National regulations set specific requirements

  • Only the revised KSC Law will indicate which sectors will be regulated, what the incident reporting obligations will be, and what safeguards should be implemented. Until then, there is no definitive answer as to the scope of measures required of companies. The current KSC legislation implemented the original NIS Directive, which is no longer in effect.

Minimize risks and costs

  • Adapting to the requirements of NIS2 without knowledge of the final regulations may result in unnecessary expenses. Note that the directive itself is technology-neutral.

The legislative process is dynamic

  • Work on the law is ongoing, and at each stage of the legislative process many comments are submitted and the draft is revised. Acting too early may prove misguided or ineffective, but it is still possible to prepare sensibly for the coming changes.

Why is there so much scaremongering around NIS2?

Lack of knowledge or understanding of the legislative process

  • Many people do not realize that EU directives must be implemented by national laws and only these are binding on businesses. This causes confusion and a misconception that businesses must immediately comply with the provisions of the directive in its original form.

Market and marketing pressures

  • Consulting firms, IT and cyber security service providers often use moments of legislative change as an opportunity to promote their services. Scaring businesses about the “catastrophic consequences” of not complying with NIS2 requirements is sometimes a marketing tool.
  • Alarmist messages attract attention, which is beneficial for companies offering training, audits and security system implementations.

Fear of penalties

  • The NIS2 directive stipulates heavy penalties for non-compliance. While final regulations will depend on national legislation, the very existence of such provisions creates pressure for swift action, especially among key players.

How to prepare sensibly for regulatory changes?

Instead of acting under the pressure of alarmist messages, it is worth approaching the topic strategically:

NIS2 implementation

Summary

The NIS2 Directive is an important step towards strengthening cyber security in the European Union, but its implementation takes time and requires precise national regulations. Until the Polish amendment to the KSC Law is enacted, businesses should remain calm and focus on measures that will actually improve the security of their organizations. Let’s avoid panic and act sensibly: NIS2 implementation is a process, and we should treat it as one.
