NIS2 in capital groups – who is qualified into the system?

capital group and cybersecurity compliance

Although the process of preparing the regulations implementing the NIS2 Directive in Poland has not yet concluded, ensuring an adequate level of cybersecurity already matters in practice. Moreover, some of the obligations arising from the EU regulations are precise enough to be applied as written. Consequently, if a cybersecurity incident results from a failure to fulfil obligations specified in the NIS2 Directive, it will be possible to hold management board members liable. Where should one begin?

How to check the NIS2 status of a key or important entity?

The NIS2 Directive specifies the types of entities that are subject to the obligations it sets out. However, it leaves a margin of discretion to member states, which may modify certain rules defined in it. How should an entity go through the successive steps of checking its status?

The following should be verified, in order:

  1. whether the conducted activity is on the list, that is, whether it falls within the types of activities listed in Annex I or II to the NIS2 Directive, and ultimately also within the provisions of the Act on the NCS adapted to these regulations (according to the draft of February 7, 2025, placed in Annexes 1 and 2 to this act),
  2. what the size of the enterprise being checked is, according to the same rules that apply to applications for grants or other public funds, i.e. Recommendation 2003/361/EC: whether it is a micro, small, medium or large enterprise, because a significant portion of the obligations has been defined for medium and large entities,
  3. whether the Act on the NCS (National Cybersecurity System) provides specific rules for the conducted activity (e.g. for public authorities or entities providing specific ICT services).

Until the amendments to the Act on the NCS come into force, any change in status resulting from the size of the enterprise needs to be checked on an ongoing basis. Ultimately, this will be done once a year, at the time the financial statement is prepared (draft Article 5 paragraph 5 of the Act on the NCS).

What changes for entities operating within a capital group?

The fact that one enterprise within a group of related enterprises has the status of a key or important entity under NIS2 does not mean that the remaining enterprises are also subject to cybersecurity requirements. Each entity (natural or legal person) must verify its own status, following the same steps described above. This means that the mere fact of belonging to a capital group of energy or telecommunications companies will not cause a company to be subject to the requirements arising from cybersecurity regulations. This must be verified individually in each case.

The Polish draft regulations implementing the NIS2 Directive introduce additional rules under which a micro or small entity may be classified in the same way as a medium or large one, which in NIS2 terms means the status of an important or key entity. When does this happen? When the company being assessed conducts business jointly with other entities in a capital group or uses information systems jointly with them. In that case, its size for the purpose of status assessment is determined on the basis of the data for the capital group (that part of it that operates jointly with the company).

Shared Services Centre (so-called SSC) – why does such a company usually have the status?

Usually, within the structures of a capital group, especially among infrastructure or industrial entities, one entity is chosen to act as a service company. It provides technical (IT) and administrative (accounting, equipment supply, support for specific supporting processes) back-office functions. Under the Act on the NCS, the status of an SSC-type company is determined precisely by the provision of services such as server management, help desk support, workstation leasing or licence management for systems used by other companies within the capital group. This activity falls under the definition of a managed service provider.

The provision of managed services or managed security services within a capital group means that the data used to determine the size of the entity is aggregated. This means that if the serviced companies together exceed the threshold for a medium-sized enterprise, the SSC enters the national cybersecurity system with its own status. Where SOC services are provided for a capital group, it is enough to reach the ceiling for a small enterprise to be a key entity (draft Article 6 paragraph 6 of the Act on the NCS).


Publication prepared on the basis of the following regulations:

  • Act on the NCS – draft of February 7, 2025, published on the RCL (Government Legislation Centre) website in the draft UC32 dated February 13, 2025.
  • NIS2 Directive – Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).