By October 2024, the National Cyber Security System Law is scheduled to be amended by the requirements of the European Union’s NIS2 directive. The changes will impose new obligations on companies and organizations operating in 20 key sectors. The new legislation aims to raise the level of cybersecurity in European Union countries, in response to growing threats in this area.
Key changes in the law
The amendment specifies cyber security management requirements that organizations in selected sectors, including energy, transportation, health, banking, and telecommunications, among others, will have to meet. The law also introduces an expanded oversight system and enforcement mechanisms that will be applied by the relevant cyber security regulators, who will have expanded powers to monitor and control compliance.
High penalties for violations
Entities that fail to comply with the new requirements may face severe sanctions. For the most serious violations, the penalty for a company can be up to PLN 100 million. In addition, for minor violations, key entities can be fined up to €10 million or 2% of annual revenues, and important entities up to €7 million or 1.4% of revenues. In extreme cases, it will also be possible to suspend, limit, or revoke a license or remove it from the register of regulated activities.
Liability of board members
In addition to financial penalties for organizations, the amendment also stipulates the personal responsibility of board members to implement appropriate cybersecurity policies and ensure that employees comply with them. Board members who neglect these responsibilities can be fined up to 600% of their monthly salary. In addition, supervisors will have the option to petition the court to prohibit board members from serving as directors.
In the case of multi-member boards, sanctions will be imposed on all members, unless responsibility for cyber security issues is formally assigned to one person on the board. It will also not be possible to transfer responsibility to lower levels, such as the head of the IT department.
Recommended action: audit and implement security policies
In light of the new regulations, companies, and organizations should conduct a comprehensive cybersecurity audit to identify any gaps in existing procedures and technologies. This audit should cover 14 key areas, including risk management, approval of security policies, and monitoring compliance. The audit report will provide recommendations for corrective actions that will allow organizations to not only meet the requirements of the law but also minimize the risk of cyberattacks.
The amended law on the National Cyber Security System introduces strict rules to protect critical infrastructure and raise the level of security at companies and institutions. Company boards need to properly prepare for the new regulations to avoid penalties and ensure compliance while protecting organizations from cyber threats.
NIS2 Operational Audit with Winged IT
If you want to comprehensively prepare your organization for NIS2 compliance, Winged IT is the ideal partner. Our team of specialists will help you identify areas of risk, plan the necessary corrective actions, and implement modern solutions to guarantee compliance with the Directive. With our services, you will gain confidence that your company will be ready for the new cybersecurity challenges.
Photo Source: Shutterstock.com