The NIS2 Directive represents a new chapter in EU cybersecurity law, superseding the 2016 NIS Directive. The changes are significant – the range of companies covered by the regulation has been expanded, security requirements have been defined more precisely, and stricter penalties are imposed for non-compliance. For those responsible for security and compliance in medium and large enterprises in Poland, this means that they will need to review their current approach to cybersecurity. Is your organisation ready for NIS2? Below, we explain in an accessible way what this directive changes in practical terms and what you need to pay attention to.
More sectors and entities covered by NIS2
The first significant change is a substantial expansion of the directive’s scope. NIS2 will cover many new sectors and services that were not previously subject to NIS regulations. The list of protected sectors now includes, among others, wastewater management, the space sector, public administration, ICT management services (B2B), postal and courier services, and waste management. In total, the directive lists approximately 18 sectors considered ‘essential’ or ‘important’ for cybersecurity, whereas previously there were only seven protected sectors. This means that tens of thousands of entities across the EU will be subject to new obligations for the first time, including many medium-sized companies that have not had to meet such stringent requirements until now.
Furthermore, NIS2 introduces a distinction between ‘essential’ and ‘important’ entities. The ‘essential’ category includes large organisations providing critical services, e.g. in the energy, transport, banking, healthcare or central administration sectors – these entities are subject to the most restrictive requirements and supervision. The ‘important’ category, on the other hand, includes companies whose services are important but not as critical to the functioning of society. These include companies in sectors such as waste management, space, food production, postal and courier services, local government, selected digital services (e.g. social media platforms, cloud service providers, data centres) and manufacturing in certain industries. NIS2 will, in principle, cover medium-sized and large enterprises operating in these sectors. Micro and small businesses remain excluded as a rule, unless they provide critical services (e.g. they are the only provider of a given type of service in the country, a domain registry, etc.). In practice, therefore, many companies that have not had to worry about the NIS Directive so far will now have to include cybersecurity in their list of management priorities.
Clearly defined NIS2 cybersecurity obligations
The second significant change is the clarification of security requirements. The previous NIS Directive imposed fairly general obligations (e.g. the use of appropriate security measures), leaving Member States considerable discretion in determining specific requirements. This resulted in discrepancies – expectations towards companies varied from country to country, and many organisations struggled to understand exactly what was required of them. NIS2 addresses this problem by clearly indicating the minimum measures that each affected company must implement. The Directive lists 10 categories of measures and policies that together constitute comprehensive cybersecurity risk management:
1. Information security policy and risk analysis – companies must have formalised information system security policies and conduct periodic risk analyses. The aim is to adopt a consistent cybersecurity strategy and assess which threats are most relevant to the business.
2. Incident response procedures – it is mandatory to have an incident response plan in place to effectively detect, analyse and respond to security incidents. The organisation should define in advance the roles and actions to be taken in the event of an attack or failure (e.g. notification procedures, threat isolation, system restoration).
3. Business continuity – NIS2 requires preparation for major disruptions through business continuity plans, including backups, contingency plans and disaster recovery. Companies must ensure that an incident does not interrupt critical services – e.g. by regularly performing backups and testing emergency procedures.
4. Supply chain security – a new feature is the strong emphasis on the security of suppliers and partners. Companies must assess and ensure that their ICT service providers and key component suppliers also meet security standards. Supplier relationships should be managed with the associated risks in mind (e.g. through security requirements in contracts, supplier verification, and planning for alternative suppliers).
5. Security in the acquisition and development of systems – NIS2 introduces the obligation to take cybersecurity into account at the stage of acquiring, developing and maintaining IT systems. This includes vulnerability management – companies must have a process for detecting and removing security vulnerabilities and, if necessary, reporting them (which refers to the EU-promoted practice of coordinated vulnerability disclosure).
6. Assessment of the effectiveness of security measures (tests and audits) – the directive requires organisations to regularly assess and test their security mechanisms. There should be procedures for internal security audits, penetration tests or other forms of verification that the measures in place are actually working and meeting the requirements.
7. Cybersecurity training and hygiene – raising employee awareness is a mandatory element. Companies must provide basic cybersecurity training and promote good cyber hygiene practices (e.g. using strong passwords, caution with suspicious emails, etc.). This applies to both IT staff and all employees, as appropriate to their role.
8. Access and identity management, resource and data security – NIS2 requires the implementation of policies for resource management and control of access to systems. This includes, among other things, maintaining an IT asset register, assigning permissions according to role (so-called ‘need-to-know’), monitoring access, securing sensitive data, as well as personal security elements (e.g. verification of employees in sensitive positions).
9. Cryptography and encryption – where appropriate, organisations must use appropriate cryptographic mechanisms to protect information. NIS2 emphasises, for example, the use of encryption to secure data at rest and in transit, and the use of trusted services and certified products (in accordance with the EU Cybersecurity Certification Act, implemented by the Polish Act on the National Cybersecurity Certification System, which entered into force on 28 August 2025) to increase the level of information protection.
10. Multi-factor authentication and secure communication – the directive emphasises strong user authentication (e.g. two-factor or multi-factor authentication, known as 2FA and MFA) and the security of communication systems, especially those used in emergencies. Companies should implement MFA measures and ensure the confidentiality and availability of communication channels (e.g. emergency telephone lines, notification systems) so that in the event of an incident, they can communicate efficiently within the organisation and with external authorities.
The above requirements constitute a basic standard – a kind of ‘cybersecurity code’ for companies. For many companies in Poland, some of them may not be new (especially if they already apply standards such as ISO/IEC 27001 or good market/industry practices). However, NIS2 makes them a legal obligation rather than just a voluntary recommendation. Importantly, these requirements will be harmonised across the EU – the European Commission has ensured consistency by issuing an implementing regulation in October 2024, establishing uniform technical and methodological requirements for these security measures. Following this, ENISA (the European Union Agency for Cybersecurity) has prepared a comprehensive technical guide with practical guidance on how to implement the individual measures in Article 21 (2) of NIS2, including examples of evidence of compliance and mapping to industry standards. This enables companies to better understand how to translate regulatory obligations into specific technical and organisational measures.
Faster and more accurate NIS2 incident reporting
Another important new feature of NIS2 is stricter rules for reporting security incidents. Previously, companies had a fairly general obligation to report ‘significant incidents’ without undue delay – but there was no clear definition of what was ‘significant’ and no specific deadline for reporting. Now, the directive clearly defines the criteria for a serious incident and introduces a strict reporting schedule. According to NIS2, an incident is considered significant if, among other things, it has caused or is likely to cause serious financial and operational losses to the company or has significantly affected other recipients (causing material or immaterial damage). When such an incident occurs, the company must take the following steps:
– Early warning – within 24 hours of the company discovering the incident (i.e. realising that a serious incident has occurred), the relevant CSIRT or national authority must be notified of the basic facts. This initial alert is intended to inform about the incident and, for example, make a preliminary assessment of whether it could have been caused by an attacker (human factor) or whether it was, for example, a failure.
– Full incident report – within a maximum of 72 hours of detecting the incident, a more complete incident report must be submitted to the relevant authorities. This report should include an update of the information from the initial report, the results of the preliminary analysis of the incident, an assessment of its scale and impact, any vulnerabilities or attack vectors detected, and a description of the remedial measures taken. In other words, within 2-3 days of the incident, the company must provide the authorities with specific information on the severity of the incident and what it is doing to contain it.
– Final report – a final report with a detailed summary must be submitted within one month of the incident being reported. It should include a full description of the incident, its cause, course, and consequences, as well as corrective actions and a plan to prevent similar incidents in the future. The final report is, in fact, a post-mortem of the incident – documentation that will allow both the authorities and the company to draw conclusions from it.
It is worth emphasising that these deadlines are strict – i.e. 24 hours, 72 hours and one month, respectively. This means that companies must be able to respond and report very quickly. It will therefore be necessary to establish internal procedures for monitoring events, escalating problems and preparing reports almost immediately. By comparison, many entities previously reported incidents weeks after the fact – now, a delay of more than three days will be a violation of the law. This change is intended to ensure that state authorities are aware of the current situation and to enable faster support and warning of others about ongoing threats.
Standardisation of the reporting process across the EU also means that, over time, there will be uniform forms and reporting channels. The directive itself mentions that reports are to be directed either to the CSIRT or to the competent authority, with Member States to designate specific channels. In addition, an incident information exchange network (EU-CyCLONe – European Cyber Crisis Liaison Organisation Network) is being set up at the EU level to coordinate major cross-border incidents between countries. For companies, however, the most important thing is to prepare internally, i.e. to ask: do we have the competence to assess an incident within 24 hours and notify the authorities? If not, this is an area that needs to be strengthened before NIS2 comes into force.
Responsibility and role of management according to NIS2
NIS2 also places significant emphasis on the involvement of company boards and management in cybersecurity issues. In the previous directive, this role was not clearly defined – security was often treated as the domain of the IT department, and the board only took an interest in it after a major failure. The new regulations aim to change this by introducing obligations at the level of the company’s management bodies.
Firstly, members of senior management (the board) will have to formally approve the implementation of cybersecurity risk management measures in the company. In other words, the management board can no longer shirk its responsibility – it should consciously adopt the security policy and key procedures required by NIS2. This is to ensure that information security becomes a topic discussed at management board meetings, rather than just a technical detail left to IT specialists.
Secondly, and very importantly, NIS2 provides for personal liability of management for breaches of duty. It is explicitly stated that members of management bodies may be held liable for breaches if their company fails to approve and implement the required security measures. In other words, if, for example, the management board ignores the obligation to implement a risk management policy and an incident or audit occurs, the members of the management board may face consequences. This is a significant cultural change – cybersecurity is no longer just a matter for the IT department, but has become an element of compliance, for which heads may roll just as they would for violating data protection or accounting regulations.
In practice, Member States are to introduce appropriate sanctions for managers – these may include financial penalties, temporary bans on holding managerial positions, and orders to publicly disclose information about the breach and those responsible. Of course, detailed regulations will be laid down in national law, but the message is clear: management must take cybersecurity seriously. The directive also requires managers to have adequate knowledge of cybersecurity. Article 20 of the directive stipulates the obligation to provide training for members of management bodies on cybersecurity risks and their impact on the company’s operations. Managers should understand the threats facing the organisation, the consequences of incidents and the measures taken to prevent them. This is no longer just good practice – it is a legal requirement designed to improve the competence of decision-makers.
For many Polish companies, this may mean a change in approach on the supervisory board and management board. It is worth ensuring now that at least one person from the management team is responsible for security issues (e.g. a designated CISO – Chief Information Security Officer reporting to the management board, or another sponsor at the management board level). Training for the management board on the basics of cyber threats will also become standard. In short, responsibility moves up the organisational structure to the very top.
Stricter penalties for NIS2 non-compliance
How to prepare for NIS2?
The NIS2 Directive should have been formally implemented into national law by 17 October 2024, but the amendment to the Act on the National Cybersecurity System, which is to implement NIS2 in Poland, is still in preparation (the government’s draft bill was submitted to the Legislative Office for review on 12 November 2025). Once the Act enters into force, companies will have only 30-60 days to register and six months to fully comply with the requirements. There is not much time left, so it is worth taking preparatory steps now. Here are some key steps and tips to help you prepare your organisation – without going into a detailed checklist (we will develop such checklists in future articles):
1. Determine whether and to what extent your company is subject to NIS2
Analyse whether you operate in a sector covered by the directive and whether you meet the criteria for a medium or large enterprise. If so, determine whether you will be classified as an essential or an important entity – this is important for the level of requirements and possible penalties. If in doubt, it is worth seeking information from your national regulator or a consultant. Remember that many companies that were not previously regulated will now fall under the NIS2 regime – e.g. large companies in the IT/B2B, transport, manufacturing and other previously non-obvious sectors.
2. Ensure support and awareness at the board level
Without active management support, the effective implementation of NIS2 will be difficult. Present the most important changes to the board (you can use this article as a starting point) and explain the risks associated with non-compliance – both financial and legal/reputational. Emphasise the personal responsibility that rests with senior management. It would be a good move to appoint a member of the board to oversee the implementation of NIS2 and provide them (and the entire board) with cybersecurity training so that they can make informed decisions.
3. Conduct a gap analysis against the new requirements
Examine the current state of security and procedures in your company in relation to the 10 areas listed in the directive. Check which of the required policies and plans you already have (e.g. business continuity plan, information security policy) and what is missing. Also assess how effective your current measures are – e.g. whether you have an efficient incident detection system and whether you can report incidents within 24 hours. This analysis will help you identify priorities for improvement. Many organisations may lack not so much technology as formal procedures and documentation – NIS2 requires them, so it is worth filling in any gaps.
4. Develop a plan to implement the required measures
Based on the gap assessment, create an action plan for adjustments. This may include, for example, implementing missing policies and processes, updating existing procedures for NIS2 compliance, investing in new security solutions (if necessary, e.g. monitoring systems, access management or encryption tools). Ensure that the plan also includes staff training – both general awareness training (cyber hygiene) and specialist training for administrators, the IT team and management. The Directive places great emphasis on the human factor, so prepare a programme to build competence within the company.
5. Secure the necessary resources and skills
Many companies find that in order to comply with NIS2, they need to strengthen their cybersecurity teams – according to an ENISA report, as many as 89% of organisations anticipate the need to hire additional cybersecurity personnel to comply with NIS2. Assess whether you have a sufficient team and whether it has the right skills. You may need to create a CISO position, hire new specialists, or outsource areas that you cannot cover with your own resources. The EU promotes a competency-based approach here – e.g. the European Cybersecurity Competence Framework (ECSF) – which helps identify what roles and skills are needed to fulfil specific responsibilities. ENISA has even prepared a guide mapping specific NIS2 responsibilities to ECSF role profiles, which can help you plan your team. In other words, make sure you have the people to do the tasks required by the directive.
6. Follow legislative progress and use available guidelines
Monitor the work on the Polish law implementing NIS2 – find out exactly what regulations will apply in Poland (e.g. whether there will be additional sectoral guidelines, who will act as the supervisory authority, how to report incidents, etc.). Also, make use of materials published by authorities and experts. The European Commission and ENISA issue guidelines, reports and FAQs (frequently asked questions and answers) to help interpret the requirements. For example, ENISA’s technical guidelines on security measures and good practices for mapping roles are already available. It is worth using them so as not to reinvent the wheel – EU experts also suggest many solutions.
Summary
The NIS2 Directive represents a significant qualitative change in the approach to cybersecurity at the enterprise level. For medium and large companies in Poland, this means raising the bar – from expanding the scope of measures applied, through faster response to incidents, to involving management and facing severe penalties for negligence. Although the new obligations may seem demanding, it is worth remembering that their purpose is essentially positive, i.e. to raise the overall level of digital resilience in our increasingly computerised society.
Instead of treating NIS2 as just another regulatory burden, it is worth seeing it as an opportunity to strengthen your own organisation. A practical approach to implementing the directive – with a focus on real security improvements rather than just ‘ticking the box’ – will bring long-term benefits to your company in the form of reduced risk of serious incidents, greater trust from customers and regulators, and a better competitive position.
Finally, I encourage you to reflect on whether we are ready for NIS2. Would our company survive the rigorous compliance and security test that this directive de facto represents? If you have doubts, it is a sign that action should be taken today – before the regulator or, worse, a cybercriminal does it for us. In the next articles in this series, we will discuss the various aspects of NIS2 in detail and suggest how to achieve compliance with the new regulations step by step, without losing sight of the overarching goal – the effective protection of our digital world.