A new obligation for companies. Half of them have no idea of ​​its existence

NIS 2 is an extension of the NIS directive, in force since 2016, created to standardize cybersecurity rules in the European Union. In addition to new responsibilities, which include, among others: securing supply chains, the updated act also increases the group of entities that are to be subject to it. While the NIS directive focused on operators of essential services, NIS 2 also covers medium and large companies in various industries, such as energy, digital infrastructure and healthcare. This means that some entities covered by the extended version of the directive were not subject to its first variant.

Companies in Poland do not know that they are entities covered by NIS 2

The study of awareness of enterprises in Poland regarding the NIS 2 directive was conducted on behalf of Fortinet by the Biostat research and development center. It was conducted on a group of 150 medium and large entities from the manufacturing, energy, digital infrastructure, health care, food production and transport sectors.

Although many respondents (almost 75%) had heard about the NIS 2 directive coming into force in October, more than half of the respondents (51%) could not say whether their companies would be covered by the new regulations, and 12% believed that the new regulations would not be concerned them.

– The fact that so many companies do not realize that they are subject to the NIS 2 directive is alarming. The survey participants also included respondents who believed that the upcoming changes did not apply to them. They explained this answer by citing erroneous arguments, such as the fact that they do not provide services to state structures. However, this issue does not exempt the entity from complying with the guidelines contained in NIS 2 – notes Jolanta Malak, director of Fortinet in Poland.

When asked to indicate the factors that constitute the greatest challenges in achieving compliance with the NIS 2 directive, respondents indicated:

• obligation to introduce a risk and security policy for IT systems,

• a condition for ensuring the continuity of processes in the face of a cyber attack,

• the need to introduce standards that would help assess the effectiveness of risk management measures.

Additionally, enterprise representatives pointed out the insufficient clarity of the regulations contained in NIS 2. The content of the directive is understandable only to 46%. respondents, and 43 percent was unable to provide a clear answer to this question. The rest found the provisions of NIS 2 incomprehensible to them – this applies to companies that had heard about the directive and did not deny that they would be covered by it.

Time is running out – what do companies say about it?

Enterprises cannot ignore the requirements imposed on them by the EU directive, as they respond to the evolving cyber threat landscape. The issue of financial penalties for failure to comply with the new rules is also important. Companies and institutions that do not implement the required changes must face a fine of up to EUR 10 million or 2%. their global turnover. Therefore, it is alarming that in the group of companies that had heard about the directive and did not deny that they would be covered by it, 27 percent respondents are not aware of the potential consequences resulting from failure to comply with EU requirements.

Respondents who answered that their companies would be covered by NIS 2, as well as those who were unable to clearly state their dependence on the directive, were asked about their plans for the upcoming regulations. 38 percent respondents in this group declare that they intend to be supported by international standards when implementing the required changes. The dominant one among them (56%) is ISO 27001 – recommended in the process of implementing solutions resulting from NIS 2. However, at the same time, 31% respondents were unable to clearly name the standard they intended to use because they were not properly familiar with it.

– Some companies already use or plan to use the services of advisory and consulting entities. The second popular option is to create internal teams responsible for checking the compliance of the company’s activities with the regulations set out in NIS 2, explains Jolanta Malak.

According to Fortinet’s research, many companies will have no chance of achieving compliance with the EU directive because they believe it does not apply to them. It is also worth noting that for a significant number of entities, NIS 2 is not an update of the provisions of the 2016 NIS Directive, but a set of completely new requirements. This issue was also reflected in the study results. Over 60 percent respondents who did not deny that they would be covered by NIS 2 were unable to determine which elements of the new directive are complementary to NIS, which may also indicate ignorance of this original act. Therefore, there is a risk that introducing the required changes will not be a simple process for companies. The Fortinet survey results signal the need to take urgent steps to educate companies about NIS 2.