Why cybersecurity matters
Digitization and processing large amounts of data have both increased the importance for organizations to implement adequate internal cybersecurity systems. Criminals and unfair competitors are permanently located in cyberspace. Both the frequency and sophistication of cyber-attacks have increased in recent years. Conversely, organizations’ activities are largely based on digital processes and infrastructures. With office-based work becoming less common, employees often use their own electronic devices for business purposes. Cybersecurity breaches can negatively affect an organization’s reputation and result in it losing control of important confidential information.
Additionally, the regulatory environment in which businesses operate is increasingly complicated, with a greater amount of legislation and regulatory guidelines devoted to cybersecurity, either directly or indirectly. Katarzyna Szczudlik and Jakub Kubalski, the partners who head SSW’s cybersecurity practice, combine an in-depth knowledge of cybersecurity law with practical experience of implementing suitable internal policies and procedures within organizations from various sectors, including energy, telecommunications and finance. SSW’s cybersecurity practice also cooperates with IT advisors, especially as regards pen-tests and the implementation of technical solutions.
DORA – applies to financial institutions
EU regulation tightening risk assessment and reporting requirements in the financial sector – Regulation on operational digital resilience in the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (“DORA”). This Regulation comes into effect 24 months after its entry into force, i.e. from 17 January 2025.
To whom will DORA apply?
- Financial institutions, including but not limited to:
- credit and payment institutions;
- account information service providers;
- electronic money institutions;
- cryptoasset service providers authorised under the Cryptoasset Markets Regulation;
- issuers of asset-linked tokens.
- Alternative investment fund managers;
- Management companies;
- Third-party providers of information and communication technologies ("ICT").
The precise definitions of such entities are contained in DORA and the related legal acts referenced in DORA, i.e. MICA.
According to DORA, the above mentioned entities should:
- put in place an ICT risk management framework;
- use and maintain updated ICT systems;
- create and implement policies and procedures related to ICT security.
- create and implement procedures to manage ICT-related incidents;
- report major ICT incidents to the appropriate authorities in a time-dependent manner;
- carry out regular tests of operational digital resilience.
Failure to comply with the obligations may result in preventive measures (prohibition of activities, public announcement of sanctions) and administrative fines being imposed by supervisory authorities. As DORA is an EU regulation, it will be directly applicable in all EU countries.
NIS2 – extending cybersecurity regulation to new sectors of the economy
On 27 December 2022, the Directive on measures for a high common level of cybersecurity within the Union, repealing Directive (EU) 2016/1148 ("NIS2"), was published in the Official Journal of the European Union. From the entry into force of the Directive, Member States will have 21 months to implement it into their national laws – the deadline is 16 October 2024.
To whom will NIS2 apply (NIS2 Entities)?
Key entities from the following sectors:
- energy;
- transport;
- banking;
- financial markets infrastructure;
- healthcare;
- drinking water;
- waste water;
- digital infrastructure;
- ICT service management;
- public administration;
- space.
Relevant actors from the following sectors:
- postal and courier services;
- waste management;
- production, manufacture and distribution of chemicals;
- production, processing and distribution of food;
- manufacturing;
- digital services;
- research.
Key provisions of NIS2:
The governing bodies of NIS2 Entities must comply with the following new obligations:
- approving cyber security risk management measures;
- overseeing the implementation of risk management measures;
- participating in regular training on understanding and assessing cyber security risks;
- accountability for non-compliance;
NIS2 Entities must put in place the following cyber risk management measures:
- a risk analysis and information systems security policy;
- incident handling procedure (incident prevention, detection and response);
- business continuity and crisis management;
- supply chain security, including security of the relationship between the NIS2 Entity and its direct suppliers or service providers;
- security in the acquisition, development and maintenance of networks and information systems, including the handling and identification of vulnerabilities;
- policies and procedures to assess the effectiveness of cyber security risk management measures;
- basic cyber hygiene practices and cyber security training;
- policies and procedures for the use of cryptography and, where applicable, encryption;
- human resources security, access control policies and asset management;
- where applicable, the use of multi-factor or continuous authentication, secure voice, text and video communications, and secure communications systems within the entity in emergency situations;
NIS2 Entities must report material incidents to the competent authorities within 24 hours of becoming aware of such incidents.
Any NIS2 Entities which infringe their NIS2 obligations may be fined up to €10,000,000 or 2% of the company's total annual worldwide turnover. As a directive, NIS2 leaves national authorities free to choose the form and means of its implementation into the national legal system (it is not directly applicable).
To ensure compliance with the newly adopted legislation once it enters into force, entities that will be affected by DORA and NIS2 should:
1. prepare appropriate policies and procedures to meet the requirements under the new legislation;
2. enforce compliance with them;
3. implement appropriate training programmes for employees and others.
If you know that your organisation's activities will be affected by this legislation, or wish to assess whether that will be the case, we encourage you to contact us.
The National Cyber-Security System Act entered into force on 28th August 2018.
The act implements into Polish law the EU’s Directive 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. This legislation imposes numerous obligations on a range of entities: key service operators (energy, transport, banking and financial markets infrastructure, health care, drinking water or digital infrastructure providers and distributors) and digital service providers (online trading platforms, cloud computing services, search engines).
How can we help?
- Cybersecurity assessments
- Support with mapping and risk assessment
- Designing cybersecurity strategies for entities that use cloud computing
- Preparing BYOD policies
- Preparing and implementing IT security procedures and policies
- Advising on the creation of computer security incident response teams (CSIRTs) and defining team responsibilities
- Ongoing advice on how to respond to security incidents (hot-desk – 24/7) and how to interact with law enforcement authorities, public administration, and suppliers of IT goods and services
- Developing practical checklists for dealing with cyber attacks, based on your existing internal policies and procedures
- Conducting cybersecurity training for staff and management
Contact us
Katarzyna Szczudlik, FIP, LLM, CIPP/E, CIPM
Partner
