The new NIS2 directive and the planned amendment to the National Cyber Security System (KSC) law significantly change the approach to cyber risk management. Organizations that are classified as critical entities will be required to implement strictly defined technical and organizational measures. One of the most important tools supporting the implementation of these obligations is the SOC (Security Operations Center), a specialized security operations center that combines technology, procedures, and expert knowledge.

NIS2 and KSC – a new accountability framework

The NIS2 Directive (EU 2022/2555) came into force on January 16, 2023, and requires member states to transpose it by October 17, 2024. Poland is implementing this obligation through an amendment to the National Cyber Security System Act. The new regulations significantly expand the catalog of regulated entities. In addition to critical infrastructure, they take into account the health, finance, transport, administration, and digital services sectors, among others.

The requirements do not end with compliance statements. NIS2 imposes obligations in areas such as risk management, incident response, business continuity, and supply chain security monitoring. Their implementation requires an integrated approach, including both technological solutions and defined operational processes.

Key regulatory responsibilities and the role of the SOC

One of the most important pillars of NIS2 compliance is risk management. Article 21 of the directive points to ten minimum security measures that an organization must follow. These include access management, network segmentation, backup, vulnerability management, and training. The SOC supports the implementation of these measures by monitoring IT infrastructure, analyzing telemetry data, and detecting threats in real time.

Equally important are incident reporting responsibilities. NIS2 precisely defines the timeline for action – an organization should report a major incident to the relevant CSIRT within 24 hours of detection. A detailed report should be submitted within 72 hours, and a follow-up final report within a month. The implementation of these responsibilities requires the full availability of monitoring teams, precise incident classification procedures, and tools for automatic report generation.

Logging and data storage also remain important areas. Article 21.2(i) mentions the need to provide logs for incident detection. The directive does not specify a uniform retention period – the length of log retention will be determined at the national or sectoral level. Currently, it is assumed that the period can range from 6 to 18 months, depending on the type of activity and risk. However, the logs must be stored securely, in a way that ensures their integrity and availability for audit purposes.

The directive also draws attention to supply chain security. Organizations should be able to monitor communications with service providers, API integrations, or VPN connections. The ability to detect unusual activity in data exchange channels is also becoming important, above all as a way of catching attempts to compromise externally supplied software.

How to organize a SOC that complies with NIS2 and KSC requirements

The implementation of a regulatory-compliant SOC should be preceded by a gap analysis. Tools such as the ENISA SOC Maturity Assessment Toolkit compare current operational capabilities with regulatory expectations.

Next, it is necessary to develop a technological architecture. A modern SOC should include components such as a SIEM system, a SOAR automation platform, EDR/XDR solutions for endpoint protection, and a secure log storage system that meets retention requirements.

It is also important to develop operational scenarios and playbooks that allow the SOC team to respond quickly to incidents. Examples include a playbook that classifies a “major incident” according to the NIS2 definition or a scenario for responding to a vendor compromise. Regular testing, such as tabletop exercises built around a ransomware scenario, complements good operational practice.

In the area of reporting, it is useful to develop internal metrics and KPI dashboards that support risk management and management oversight. Although NIS2 does not impose a specific schedule for internal reporting, many experts recommend monthly operational reports for CISOs and periodic management reports every quarter.

Integration with CSIRTs and the S46 system

The draft amendment to the KSC law envisages strengthening the role of sectoral and state CSIRTs, as well as establishing a central system for sharing incident information – the S46 system. Organizations will be required to report major incidents to the relevant CSIRT. Integration with these entities can take place at the technical or process level, depending on the requirements of the sector. The S46 system is currently in the development phase, and the specific technical mechanisms for data exchange will be determined once the regulations come into force.

Benefits of implementing an NIS2-compliant operational model

Meeting the requirements of the NIS2 Directive and the KSC Law is not just a regulatory issue. It’s also an opportunity to make organizations more resilient to cyber threats in real terms. Organizations that implement an effective SOC operating model reduce the risk of major incidents. They also reduce response times and gain a more complete view of their IT environment. What’s more, they can effectively reduce the risk of administrative penalties. According to NIS2, these can be as high as €10 million or 2% of annual turnover. The organization’s image as a responsible and mature business partner is also improved.

SOC from Softinet – ready for NIS2 and KSC challenges

All the requirements described above can be met with a properly organized SOC. Softinet offers a Security Operations Center service designed in line with NIS2 guidelines and the planned amendment to the KSC law. It provides full support for incident monitoring, log analysis, reporting to CSIRT, and 24/7 protection of the IT environment. This allows organizations to go through the process of adapting to the new regulations efficiently, securely, and with full control over risks.