11 - How to prepare for the new legislation
The new Act on Cyber Security is expected to come into force in the second half of 2024. The law will provide a one-year transition period for adapting to the new requirements and beginning to comply with certain obligations. Some requirements of the Act (e.g. the obligation to comply with NUKIB countermeasures or to report contact details and their changes) will need to be met already in the second half of 2024, the remaining ones in the second half of 2025. Despite this relatively long period, organisations that will be obliged to comply with the new regulation should not ignore the pending legislation and wait until its final adoption.
For organisations that will be subject to the new regulation, NUKIB recommends starting preparatory work as soon as possible to adapt their internal environment to the new requirements. Establishing a functional cybersecurity management process in an organisation can take months or even years. Especially organisations that will fall under the so-called higher obligations regime and that have not yet addressed cybersecurity systematically must take into account that implementing an information security management system and meeting the requirements of the Act and its implementing regulations will be a long-term, resource-intensive process. It is therefore advisable to have an overview of all the information systems the organisation uses and of the organisation's current state in terms of cybersecurity.
The basic obligation common to both obligation regimes is the implementation of security measures. When determining the level of security and selecting specific security measures, it will be necessary to take into account the specifics of the organisation and the importance of individual systems and services in accordance with the law and decrees (there is no point in introducing meaningless and costly solutions where they do not make sense for the organisation). If your organisation has not systematically addressed cybersecurity up to this point, the following can be recommended as a starting point:
- mapping the current state of the organisation (i.e., auditing the current state of cybersecurity and potential vulnerabilities) and
- preparation of a business impact analysis (in particular, what the impact of a disruption of the proper functioning of individual systems would be on your organisation; this is not only about the unavailability of the information systems in use, but also about a breach of confidentiality or integrity of the collected data).
Already at this stage it is a good idea to focus on training the relevant people in the organisation. We recommend basic training for all users, specialised training for people who are or will be dealing with cybersecurity in the organisation, and not forgetting top management (management must be aware of the importance of cybersecurity management in the organisation).
In terms of technical measures, it is generally recommended to implement firewalls (especially perimeter firewalls), antivirus software (preferably a more sophisticated EDR solution) and backup solutions. Together with the timely installation of updates (where possible), these are things that should have been a normal part of any organisation's operation for a long time.
We do not recommend buying services like "we will assess your organisation's compliance with NIS2" or "we will implement NIS2 in your organisation". Don't be fooled by "know-it-all" turnkey NIS2 implementers. The NIS2 Directive does not stipulate any specific requirements; everything will be covered in the new Act on Cyber Security, which is still being drafted.
On the other hand, we recommend that entities consider in advance how the obligations will be fulfilled in the organisation (whether in-house or with the help of external suppliers) and, where appropriate, map the market for the services to be outsourced.
As many more entities will now be subject to cyber security regulation, increased demand for the services of external companies can be expected, especially around the time the new law comes into force.
Another topic is the financial aspects and costs associated with the NIS2 Directive and the new Act on Cyber Security.