27-02-2026
Introduction of NIS2 in Bulgaria – what does this mean for businesses?
Bulgaria has finally adopted the amendments to the Cybersecurity Act implementing NIS2, marking a major regulatory shift for businesses operating in critical sectors

The National Assembly adopted the long-awaited amendments to the Cybersecurity Act ("CA"), which transpose the requirements of Directive (EU) 2022/2555 (NIS2). These amendments significantly expand the scope of entities subject to the CA and introduce much stricter cyber risk management requirements. The new regulatory framework also changes the intensity of supervision of compliance with the new requirements, as well as the state's sanctions policy, with cybersecurity now treated as an element of national security and of the country's economic stability, not merely as a technical function of IT departments.

NIS2 introduces new, significantly higher standards for risk management and information system protection. The cyber incidents of recent years have shown that security is no longer a secondary technical issue but a key element of strategic management and of the resilience of organizations in both the private and public sectors.

Firstly, the law significantly expands its scope, with the sectors it covers divided into two categories: "highly critical sectors" and "other critical sectors." In addition to the areas already regulated – energy, transport, financial services, healthcare, drinking water supply and distribution, and digital infrastructure – a number of new areas are included. These are public administration, the space sector, postal and courier services, waste and wastewater management, the manufacture of critical products (such as medical devices and chemicals), and the production, processing, and distribution of food.

The new regulation defines the scope of entities subject to the CA through a combination of two main indicators: the economic activity they perform (in the sectors listed above) and the size of the enterprise, assessed by number of employees and financial results. As a rule, all medium-sized and large enterprises in the above-mentioned critical sectors are automatically covered by the law. In certain cases, the requirements will also apply to other enterprises (including small ones) when they perform key functions or operate in specially regulated areas.

The CA introduces a two-tier classification of the affected obliged entities – operators of greater importance to society and infrastructure are defined as "essential," while "important" covers the remaining participants in strategic areas.

In this sense, the initial and key question for any organization is to conduct an in-depth analysis of whether it falls into the category of "essential" or "important" entity within the meaning of the new regulatory framework. This assessment should be based on the nature of the activity carried out, the size and scope of operations, and the importance of the company for the performance of critical public or economic functions (taking into account the sectors described).

A mandatory minimum set of measures is envisaged, to be implemented by all covered organizations – both "essential" and "important" entities. The aim is to build an integrated cyber risk management model covering the entire protection cycle: incident prevention, effective response to attacks, and timely recovery of operations. In this context, the new regime requires the implementation of comprehensive risk management measures, including (but not limited to):

– threat analysis and assessment;

– information system security policies;

– incident response procedures;

– business continuity and disaster recovery plans;

– control over the security of suppliers and supply chains;

– internal rules, training, etc.

Particular emphasis is placed on the responsibility of management bodies. Members of the management and supervisory bodies of entities subject to the CA are responsible for approving and supervising cybersecurity measures, and the law also provides for the possibility of personal liability in the event of systematic non-compliance. Cybersecurity is elevated to the level of corporate governance and requires integration into the company's strategic planning.

Strict deadlines are introduced for reporting incidents with a significant impact. Affected entities are required to submit an early warning, followed by detailed information within regulatory deadlines. Failure to comply with these obligations is subject to administrative penalties, with sanctions reaching significant amounts linked to the company's turnover.

The penalty regime for non-compliance with the new requirements is much more severe than the current one and provides for penalties of:

- for essential entities: up to EUR 10,000,000 or 2% of global annual turnover for international companies, but not less than EUR 25,000;

- for important entities: up to EUR 7,000,000 or 1.4% of global turnover, but not less than EUR 12,500.

The supervisory mechanism is also strengthened, with powers to carry out inspections, request information, issue binding instructions, and impose coercive administrative measures. Organizations covered by the law are required to inform the national competent authorities of any cyber incident that significantly affects the services they provide. The regime sets extremely short deadlines: when an incident with a significant impact is detected, an initial notification must be sent immediately and no later than 24 hours after detection, followed by a detailed notification within 72 hours of detection.

The new regulation transforms cybersecurity from an operational to a regulatory and management priority. A systematic review of contractual relationships with suppliers, internal information protection rules, incident response procedures, and staff training is necessary. Companies should assess their compliance not only with technological standards but also with regulatory requirements for documentation, reporting, and proof of measures taken.

In summary, the amendments to the CA outline a stricter, more structured and sanction-backed regime that requires proactive legal and organizational restructuring. Timely assessment of the scope and obligations is key to limiting regulatory risk and ensuring resilience in the face of growing cyber threats.

This article has been prepared for and is part of the Legal Digest issued by Penkov, Markov & Partners. The publications therein do not constitute legal advice and are not binding. Penkov, Markov & Partners reserves all rights to this material, and any distribution thereof is subject to the prior written consent of the law firm.