The NIS 2 Directive (Directive (EU) 2022/2555) is the updated European Union law on cybersecurity. It is a directive of the European Parliament and of the Council, so it binds Member States as to the result to be achieved and is transposed into national law rather than applying directly like a regulation. It replaces the first NIS Directive and aims to strengthen the protection of critical infrastructure against growing threats. In this article, we explain what this means in practice, what changes the directive introduces and how companies can prepare for it.
The directive is a response to the growing threat of cyberattacks at the international level and aims to establish a legal framework conducive to improving cybersecurity. The introduction of the NIS 2 Directive is part of the EU's cybersecurity strategy, which aims to ensure a high common level of cybersecurity within the European Union.
Key information
● The NIS 2 Directive introduces new cybersecurity requirements in the EU to protect critical infrastructure and increase the transparency of entities' activities. Ensuring compliance with the new EU regulations is essential to avoid potential penalties.
● Entities covered by the directive are divided into essential entities (rendered as "key" or "critical" entities in some translations) and important entities. Both groups must implement the same risk management measures and report significant incidents; they differ in the supervisory regime and the penalty ceilings.
● Risk management under NIS 2 requires regular audits, the use of advanced protection measures, and cybersecurity training for employees.
What is the NIS 2 Directive?
The NIS 2 Directive is a legal act on network and information security adopted by the European Union in December 2022 to raise the level of cybersecurity in the Member States. It repeals and replaces the first European law on cybersecurity, the NIS Directive of 2016. The main objectives of NIS 2 are to increase cybersecurity in the EU and to introduce measures to protect critical infrastructure. The need for these rules stems from the growing sophistication of cyber threats, which require more advanced and effective protection measures.
The NIS 2 Directive introduces a number of new requirements and measures aimed at increasing the capacity to respond to computer security incidents. Under the directive, Member States are required to establish national cybersecurity strategies and to cooperate at EU level to counter cyber threats effectively. Through these measures, the directive aims to create a safer and more resilient environment against digital threats across the European Union.
Compared to the previous NIS Directive of 2016, NIS 2 introduces a number of updates and adjustments to adapt better to changing conditions and threats: a much wider scope of covered sectors, a minimum list of risk management measures, staged incident reporting deadlines and harmonised penalties. NIS 2 entered into force on 16 January 2023. Member States had until 17 October 2024 to adopt the national measures transposing it, and those measures apply from 18 October 2024. In Poland, the directive is to be implemented into national law in 2025.
The changes introduced by the NIS 2 Directive are aimed not only at increasing the security of computer networks and systems, but also at strengthening the ability to respond to incidents and manage risk in the field of cybersecurity. Effective enforcement of the provisions of the Directive is expected to contribute to the creation of a more cyber-resilient infrastructure throughout the European Union.
Scope of entities covered by the NIS 2 Directive
The NIS 2 Directive aims to strengthen the level of cybersecurity in EU countries by introducing new obligations for 18 sectors of the economy: 11 sectors of high criticality listed in Annex I and 7 other critical sectors listed in Annex II. It covers both private and public sector entities, depending on their size and importance for security. The protection of digital infrastructure is a key element for the security and functioning of the economy, which highlights the need to conduct security audits and implement business continuity plans.
Sectors of high criticality, such as energy, transport, healthcare, banking and digital infrastructure, fall under the directive's strictest regime, which aims to protect these key areas of infrastructure.
Entities covered by the NIS 2 Directive are divided into essential entities (called "key" or "critical" entities in some translations) and important entities. The general rule is a size cap: an organisation of a type listed in Annex I or II is in scope if it is at least a medium-sized enterprise (50 or more staff, or both annual turnover and balance sheet total above EUR 10 million). Large enterprises in Annex I sectors are essential entities; medium-sized enterprises in Annex I sectors and medium or large enterprises in Annex II sectors are important entities. Micro and small enterprises fall within scope only in the specific cases the Directive names (for example DNS service providers, top-level domain name registries, trust service providers, providers of public electronic communications networks, central public administration and entities a Member State identifies because of their critical role), and in some of those cases they are essential entities regardless of size.
Key and important entities
Key entities (essential entities in the Directive's English text) are mainly large enterprises in the sectors of high criticality of Annex I, which have a significant impact on critical infrastructure. These sectors include:
– banking and financial market infrastructures,
– energy,
– transport,
– health,
– drinking water and waste water,
– digital infrastructure and ICT service management,
– public administration,
– space.
Under the Polish draft implementing act, the Ministry of Digitalisation has the power to decide whether to extend the obligations under the NIS 2 Directive to specific small and micro-enterprises, which the Directive allows Member States to do for entities whose disruption would have a significant impact.
Such entities are required to apply the risk management measures of Article 21 of the Directive, which include multi-factor or continuous authentication solutions where appropriate, and to report significant incidents to the competent CSIRT or authority under Article 23.
All these measures are aimed at ensuring a high common level of cybersecurity and the security of networks and information systems, as well as protection against serious incidents that could harm the economy and society. Key entities must regularly assess the effectiveness of the measures they have implemented (the Directive requires policies and procedures for this), typically through security audits covering network security, access control and the secured voice, video and text communications the Directive mentions.
Important entities (e.g. digital providers, manufacturing of IT equipment, waste management, postal and courier services, food production) are typically medium-sized enterprises in Annex I sectors or medium and large enterprises in Annex II sectors. They are subject to lighter supervisory mechanisms (ex post supervision, triggered by evidence or indications of non-compliance) and lower penalty ceilings, but must still comply with the same risk management and incident reporting requirements as key entities. They differ from key entities in the sectors and size classes they fall into and in the intensity of supervision, not in the set of security measures they must implement.
Important entities must therefore apply the Article 21 risk management measures and report significant incidents in the same way. These companies also have to update their security strategies regularly to adapt to changing threats and ensure compliance with regulations in order to conduct business. In the context of implementing the NIS 2 Directive, supply chain security is particularly important: suppliers and service providers that are not themselves covered will be asked to meet security obligations contractually in order to keep working with entities that are.
What must entities covered by the NIS 2 Directive do?
Entities covered by the NIS 2 Directive, both essential and important, must take appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risk. Article 21 lists the minimum areas these measures must cover:
● policies on risk analysis and information system security,
● incident handling,
● business continuity, including backup management, disaster recovery and crisis management,
● supply chain security, including the relationship with direct suppliers and service providers,
● security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure,
● policies and procedures to assess the effectiveness of the risk management measures,
● basic cyber hygiene practices and cybersecurity training,
● policies and procedures on the use of cryptography and, where appropriate, encryption,
● human resources security, access control policies and asset management,
● multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems, where appropriate.
Procedures for personal data breaches are governed by the GDPR rather than NIS 2; an incident that involves personal data will often have to be reported under both regimes, so the two procedures should be aligned.
The management bodies of these entities must approve the risk management measures, oversee their implementation and themselves follow regular cybersecurity training; the entities must also offer similar training to their employees and report significant incidents.
The implementation of a cybersecurity risk management system includes the identification, assessment and management of risks related to the security of networks and information systems. Key and important entities must also develop and implement business continuity plans and disaster recovery plans to ensure that the impact of incidents on their operations is minimised. Regular training for employees is essential to ensure that everyone is aware of the risks and knows how to respond to them.
What are the requirements for risk management in cybersecurity?
The aim of the NIS 2 Directive is to create more resilient IT systems in the EU, which is crucial in the face of growing cyber threats. The most important role in this process is played by digital infrastructure, which is the foundation of a modern society based on information management. The amended regulations in the NIS2 Directive increase the responsibility of entities by requiring them to be more transparent and to apply advanced protection measures.
Key and important entities should apply access control and asset management policies to secure their information resources. Adopting ISO/IEC 27001 for information security management is a common way to standardise these procedures: its management system requires a risk assessment, a statement of applicability and internal audits that check whether the controls actually work, which maps well onto the Directive's demand for policies assessing the effectiveness of risk management measures.
Information security management according to ISO 27001 requires periodic reassessment of risks, including those associated with the physical storage of data, and appropriate treatment of them. Those responsible for cybersecurity risk management in companies must undergo regular training in current practices and procedures.
The NIS 2 Directive requires organisations to conduct their own risk assessment and to select and implement appropriate measures to manage risk; it does not prescribe specific technologies. Risk management measures should be based on the identification of various threats, such as theft, DDoS attacks, ransomware and technical failures. Organisational controls such as a clear desk and clear screen policy (control 7.7 in ISO/IEC 27001:2022) help limit exposure of sensitive information, but they are only one part of the control set.
Physical security of backups – ‘there's no cloud. It's just someone else's computer.’
Physical security of backups includes controlling access to the server room, securing backups stored outside the server room or company premises, and protecting equipment from theft. Controlling access to rooms and controlling safes for data storage media where backups are housed is essential to minimise the risk of theft, damage or loss of this data, e.g. as a result of fire. Regular security audits are crucial for assessing the effectiveness of physical data storage protection measures.
The ISO/IEC 27001 standard contains detailed controls for physical and environmental security that should be implemented to ensure the protection of backups. Recognised international standards, such as ISO/IEC 27001, provide detailed guidelines and best practices for physical security and backups.
Entities covered by the Directive should conduct or update risk analyses regarding the physical security of backups. In a work environment based on distributed cloud solutions, it is worth defining a policy for creating and storing backups that enables recovery in the event of theft, destruction or encryption by ransomware. In such situations, a copy that is physically controlled and offline, for example on LTO tapes kept in a data safe, cannot be altered by an attacker who has compromised the production network, so it can be a key element of data security management and recovery strategies.
Obligation to report computer security incidents
The obligations under NIS 2 include risk management and a staged duty to report significant incidents. Organisations must have a procedure for rapid reporting to the competent CSIRT or authority: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with an initial assessment of severity and impact, intermediate reports on request, and a final report no later than one month after the incident notification. A significant incident is one that has caused or can cause severe operational disruption or financial loss for the entity, or that has affected or can affect other persons by causing considerable material or non-material damage.
Incident reporting should state the impact on operations and whether the incident is suspected to be caused by unlawful or malicious acts or could have a cross-border impact; serious cross-border cases are shared between Member States through the CSIRTs network. All covered entities must have an incident management plan that specifies procedures for detecting, reporting and responding to incidents, with the reporting deadlines built into it.
The supervisory authorities responsible for cybersecurity have extensive powers to monitor and enforce the provisions of the NIS 2 Directive. They may carry out audits and inspections of essential and important entities to assess their compliance. Essential entities are subject to both ex ante and ex post supervision; important entities are supervised ex post, that is, when the authority has evidence or indications of non-compliance.
In the event of a breach, the authorities may impose administrative penalties on non-compliant entities. The authorities also have the right to request information and documentation relating to cybersecurity from entities under their supervision. They also have the power to issue orders regarding compliance with the requirements of NIS 2.
Penalties for non-compliance with NIS 2
Organisations may incur financial penalties for non-compliance with the requirements of the NIS 2 Directive. These penalties are significant: up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher, for key (essential) entities, and up to EUR 7 million or 1.4% of that turnover, whichever is higher, for important entities. In addition, members of the management body (board of directors or owners) may be held personally liable for infringements of the risk management duties.
In addition, other administrative measures may be imposed on entities that do not meet the requirements: binding instructions and corrective orders, orders to inform affected customers, and, for key entities, temporary suspension of a certification or authorisation or a temporary ban on a person with management responsibilities exercising those functions until the infringement is remedied. These measures are intended to ensure that all essential and important entities comply with the provisions of the NIS 2 Directive.
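As an added worked example (not code from this article or from any regulator), the following Python script encodes the size-cap and key/important split described in the "Key and important entities" section above together with the penalty ceilings from this section, so a practitioner can test where a given organisation lands. The sector table, the sample entities and the `designation` field standing in for the Directive's special cases are assumptions of this illustration; so is using the entity's own turnover as the undertaking's worldwide turnover.

```python
"""Simplified NIS 2 scope and sanction model (Directive (EU) 2022/2555).

Added illustration, not the article author's code. Assumptions:
- enterprise size follows the staff/turnover/balance-sheet ceilings of
  Commission Recommendation 2003/361/EC, without consolidating linked or
  partner enterprises;
- the sector table is a hand-made subset of the Annex I / Annex II names;
- the special cases of Art. 2(2)-(4) and Art. 3(1)(b)-(f) (DNS/TLD, trust
  services, public networks, central administration, Member State designation)
  are represented by an explicit `designation` field holding that outcome;
- the Art. 34 fine ceilings use `turnover_eur` as worldwide annual turnover.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Annex(Enum):
    I = "sector of high criticality (Annex I)"
    II = "other critical sector (Annex II)"


# Hand-made subset of the 11 + 7 sectors; real scoping uses the annex wording.
SECTORS = {
    "energy": Annex.I, "transport": Annex.I, "banking": Annex.I,
    "financial market infrastructure": Annex.I, "health": Annex.I,
    "drinking water": Annex.I, "waste water": Annex.I,
    "digital infrastructure": Annex.I, "ict service management": Annex.I,
    "public administration": Annex.I, "space": Annex.I,
    "postal and courier": Annex.II, "waste management": Annex.II,
    "chemicals": Annex.II, "food": Annex.II, "manufacturing": Annex.II,
    "digital providers": Annex.II, "research": Annex.II,
}


class Size(Enum):
    MICRO = "micro"
    SMALL = "small"
    MEDIUM = "medium"
    LARGE = "large"


@dataclass(frozen=True)
class Entity:
    name: str
    sector: str
    staff: int                          # annual work units
    turnover_eur: float                 # annual turnover
    balance_eur: float                  # annual balance sheet total
    designation: Optional[str] = None   # "essential"/"important" if designated


def enterprise_size(e: Entity) -> Size:
    """Size class per Recommendation 2003/361: headcount below the ceiling and
    turnover OR balance sheet within its ceiling; otherwise the next class up."""
    ceilings = ((Size.MICRO, 10, 2e6, 2e6),
                (Size.SMALL, 50, 10e6, 10e6),
                (Size.MEDIUM, 250, 50e6, 43e6))
    for size, staff_cap, turnover_cap, balance_cap in ceilings:
        if e.staff < staff_cap and (e.turnover_eur <= turnover_cap
                                    or e.balance_eur <= balance_cap):
            return size
    return Size.LARGE


def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'out of scope' (Art. 2(1), Art. 3)."""
    if e.designation is not None:
        return e.designation            # outcome of the special-case rules
    annex = SECTORS.get(e.sector.lower())
    if annex is None:
        return "out of scope"           # not an Annex I / II type of entity
    size = enterprise_size(e)
    if size in (Size.MICRO, Size.SMALL):
        return "out of scope"           # size-cap rule, Art. 2(1)
    if annex is Annex.I and size is Size.LARGE:
        return "essential"              # Art. 3(1)(a)
    return "important"                  # Art. 3(2): medium Annex I, medium/large Annex II


def supervision(classification: str) -> str:
    """Art. 32 vs Art. 33: ex ante and ex post for essential, ex post for important."""
    return {"essential": "ex ante and ex post",
            "important": "ex post only"}.get(classification, "none")


def max_fine_eur(classification: str, worldwide_turnover_eur: float) -> float:
    """Art. 34(4)-(5): EUR 10 M or 2 % (essential), EUR 7 M or 1.4 % (important),
    whichever is higher."""
    if classification == "essential":
        return max(10e6, 0.02 * worldwide_turnover_eur)
    if classification == "important":
        return max(7e6, 0.014 * worldwide_turnover_eur)
    return 0.0


if __name__ == "__main__":
    # Constructed sample entities, not real organisations.
    samples = [
        Entity("Regional hospital", "health", 3000, 400e6, 900e6),
        Entity("Speciality chemicals plant", "chemicals", 120, 30e6, 25e6),
        Entity("Freight operator", "transport", 200, 40e6, 30e6),
        Entity("Small SaaS shop", "digital providers", 30, 5e6, 4e6),
        Entity("Boutique DNS resolver", "digital infrastructure", 12, 3e6, 2e6,
               designation="essential"),
    ]
    for e in samples:
        c = classify(e)
        print(f"{e.name:28} {enterprise_size(e).value:7} {c:13} "
              f"{supervision(c):20} max fine EUR {max_fine_eur(c, e.turnover_eur):,.0f}")
```

The freight operator is the case people most often get wrong: a medium-sized enterprise in an Annex I sector is an important entity, not a key one, while the small SaaS shop is outside the size cap entirely unless its Member State designates it.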
International cooperation
NIS 2 requires member states to establish national cybersecurity authorities and to cooperate at the European Union level. A central element of this cooperation is the establishment of a Computer Security Incident Response Team (CSIRT) in each member state. The CSIRT will be responsible for handling computer security incidents and cooperating with other Member States to ensure a high level of cybersecurity in the European Union.
International cooperation is crucial in ensuring effective protection against cyber threats and in the event of incidents that may affect public safety. Thanks to cooperation between Member States, it is possible to respond to threats quickly and effectively, as well as to exchange information and best practices in the field of cybersecurity. The NIS 2 Directive aims to create an integrated protection system that will be able to counter cyber threats effectively at the international level.
Implementation of the NIS 2 Directive in Poland
Poland is working on amending the Act on the National Cybersecurity System to implement the NIS 2 Directive. The duties imposed on companies as a result of the Directive will come into force in accordance with the act adapting national regulations. The transposition deadline of 17 October 2024 passed without Poland meeting it. However, the final draft of the bill is ready and was submitted for its first reading in the Sejm on 17 November 2025, so the new regulations may come into force soon.
NIS 2 lays an obligation on EU Member States to establish an appropriate legal framework for cybersecurity. The Act on the National Cybersecurity System in Poland requires the adaptation of regulations to the provisions of the Directive, which is crucial to avoid sanctions.
Entities should monitor the progress of work on finalizing the Polish Act on the National Cybersecurity System.
How to prepare your company for NIS 2
Companies should adapt their procedures to the requirements of the NIS 2 Directive. Preparation typically includes:
- conducting an IT security audit,
- identifying critical systems and the services they support,
- conducting a risk analysis to identify potential threats and vulnerabilities,
- mapping the findings to the measures listed in Article 21 and documenting the gaps.
NIS 2 requirements include a risk analysis policy, incident management and business continuity, including disaster recovery processes. It is advisable to implement protective measures such as IDS/IPS and SIEM systems, network segmentation and centralised logging, since an incident has to be detected and assessed within hours to meet the 24-hour early warning deadline. It is also important for employees to take part in security training in order to understand threats and how to minimise them.
Safes for digital data storage media as part of preparations for NIS 2 implementation
A safe for data storage media, as part of the risk management process, is an important measure to protect against theft and destruction in the event of a fire. These safes can also help to secure off-site backups, which is crucial for ensuring business continuity.
Securing backups in safes for magnetic data media (LTO tapes) is in line with the policy of physical control over data, in accordance with the maxim that the cloud does not exist. It is just a computer belonging to someone else. The choice of specific physical security measures for backups must be based on a risk analysis carried out by the entity concerned.
This means in practice that organisations need to assess carefully potential threats like fire, flooding, theft, mechanical damage or demagnetisation, as these could affect the integrity and availability of backup data. Data storage safes should meet the relevant standards and be resistant to fire (class S 60 DIS or S 120 DIS according to EN 1047-1), water and fire-fighting foam. Apart from theft or damage, it is fire that poses the greatest threat to the integrity of backups: LTO tapes are damaged by temperatures and humidity well below the point at which they would burn, so the cabinet has to keep the interior within the limits set for data media, not merely stop the contents from catching fire. That is why safes for magnetic data carriers are large, heavy, have very thick walls and relatively little space inside. They are subjected to gruelling tests lasting over 24 hours at temperatures exceeding 1024 degrees Celsius.
In addition, it is important to manage access to the safe properly, limiting it to designated persons, and all backup operations should be recorded and monitored. A data storage vault should be equipped with special shelves for storing LTO tapes, anti-theft security systems, including a secure electronic lock with opening control, and, if necessary, be connected to an alarm system. Implementing such practices minimises the risk of unauthorised access and data loss.
Data storage safe as an integral part of the security system
In the context of the NIS 2 Directive, the physical security of backups is one of many requirements for digital infrastructure risk management that regulated entities must meet throughout the European Union. Including elements of passive protection – i.e. data storage safes, among others – in a comprehensive security strategy allows a better defence against various threats and helps to avoid serious cyber security incidents, as well as facilitates compliance with business continuity and disaster recovery requirements.
In summary, data storage safes are not only an element of physical protection, but also an important component of the risk management process, which should be integrally linked to IT security policies and procedures within the organisation in accordance with the NIS 2 Directive.
Summary
The NIS 2 Directive introduces significant changes in the field of cybersecurity, aimed at increasing the protection of critical infrastructure in the EU. It is a directive that repeals and replaces the previous NIS Directive, updating earlier cybersecurity legislation. Requirements for risk management, incident reporting and physical security of backups are essential for ensuring the security of networks and information systems.
Companies must be aware of the new regulations and prepare for them accordingly. Regular audits, risk analysis and the application of recognised international standards, such as ISO/IEC 27001, are crucial for effective information security management. The implementation of the NIS 2 Directive in Poland and other EU Member States is a step towards a more secure and digitally resilient business environment.
Compliance with the NIS 2 Directive in terms of the physical security of backups (including those stored in data safes on magnetic media) is not limited to the implementation of a single, specific technical solution. The key is to implement and maintain a documented risk management process that includes identifying physical and environmental threats, assessing their likelihood and impact, and then selecting, implementing and regularly evaluating the effectiveness of appropriate countermeasures.
The NIS 2 Directive raises the bar very high in terms of cybersecurity, integrating physical aspects such as backup protection into its framework. While it does not impose specific technologies, it requires organisations to have a mature and documented approach to risk management.
Frequently Asked Questions (FAQ)
What is the NIS 2 Directive?
The NIS 2 Directive is an amendment to European cybersecurity law that aims to strengthen the protection of critical infrastructure in the European Union. Its introduction is intended to raise security standards among Member States.
Which entities are covered by the NIS 2 Directive?
The NIS 2 Directive covers key (essential) entities, mainly large enterprises in the sectors of high criticality of Annex I, and important entities, mainly medium-sized enterprises in those sectors and medium or large enterprises in the other critical sectors of Annex II. Micro and small enterprises are in scope only in specific cases named in the Directive or designated by a Member State. The classification determines the supervisory regime, the penalty ceilings and registration requirements, while the risk management and reporting duties are the same for both groups.
What are the requirements for cybersecurity risk management under NIS 2?
The requirements for cybersecurity risk management under NIS 2 include a policy on risk analysis and information system security, implementing appropriate and proportionate protective measures across the areas listed in Article 21, and regularly assessing their effectiveness. The Directive does not mandate a particular standard, but ISO/IEC 27001 is a common way to structure this work and to demonstrate it in an audit. Compliance with these rules is essential to minimise cybersecurity risks and avoid sanctions.
What are the penalties for non-compliance with NIS 2?
Non-compliance with NIS 2 may result in financial penalties and other administrative sanctions, including corrective orders or suspension of activities until the violations are remedied.
How is Poland implementing the NIS 2 Directive?
Poland is implementing the NIS 2 Directive by amending the Act on the National Cybersecurity System, which was to be completed by 17 October 2024. This is a key step in strengthening the national system of protection against cyber threats. The draft Act on the National Cybersecurity System was submitted to the Sejm on 17 November 2025 for its first reading.