Digitization and the processing of large amounts of data have both made it more important for organizations to implement adequate internal cybersecurity systems. Criminals and unfair competitors are a permanent presence in cyberspace, and both the frequency and the sophistication of cyber-attacks have increased in recent years. At the same time, organizations’ activities are largely based on digital processes and infrastructures. With office-based work becoming less common, employees often use their own electronic devices for business purposes. Cybersecurity breaches can damage an organization’s reputation and result in it losing control of important confidential information.
Additionally, the regulatory environment in which businesses operate is increasingly complex, with a growing body of legislation and regulatory guidelines devoted to cybersecurity, either directly or indirectly. Katarzyna Szczudlik and Jakub Kubalski, the partners who head SSW’s cybersecurity practice, combine in-depth knowledge of cybersecurity law with practical experience of implementing suitable internal policies and procedures within organizations from various sectors, including energy, telecommunications and finance. SSW’s cybersecurity practice also cooperates with IT advisors, particularly on penetration tests and the implementation of technical solutions.
EU regulation tightening risk assessment and reporting requirements in the financial sector: the Regulation on operational digital resilience in the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (“DORA”). This Regulation takes effect 24 months after its entry into force, i.e. from 17 January 2025.
To whom will DORA apply?
The precise definitions of such entities are contained in DORA and in the related legal acts referenced in DORA, such as MiCA.
Failure to comply with the obligations may result in preventive measures (prohibition of activities, public announcement of sanctions) and administrative fines being imposed by supervisory authorities. As DORA is an EU regulation, it will be directly applicable in all EU countries.
The governing bodies of NIS2 Entities must comply with the following new obligations:
NIS2 Entities must report material incidents to the competent authorities within 24 hours of becoming aware of such incidents.
Any NIS2 Entity that infringes its NIS2 obligations may be fined up to €10,000,000 or 2% of the company's total annual worldwide turnover. As a directive, NIS2 leaves national authorities free to choose the form and means of its implementation into the national legal system (it is not directly applicable).
To ensure compliance with the newly adopted legislation once it enters into force, entities that will be affected by DORA and NIS2 should:
1. prepare appropriate policies and procedures to meet the requirements under the new legislation;
2. enforce compliance with them;
3. implement appropriate training programmes for employees and others.
If you know that your organisation's activities will be affected by this legislation, or wish to assess whether that will be the case, we encourage you to contact us.
The act implements into Polish law the EU’s Directive 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. This legislation imposes numerous obligations on a range of entities: key service operators (energy, transport, banking and financial markets infrastructure, health care, drinking water or digital infrastructure providers and distributors) and digital service providers (online trading platforms, cloud computing services, search engines).