
Key facts about NIS2, the directive changing the rules of cybersecurity
The era of treating cybersecurity solely as an operational cost of IT departments has come to an end.
Why are the new regulations (NIS2) essential?
Rapid digitalization and the escalation of threats (the scale of which is confirmed, for example, by the ENISA 2024 report) have forced legislative change.
The previous directive (NIS1) failed due to the fragmentation of its provisions. Too often, a company deemed essential in one EU country was not subject to regulation in another, which created gaps in the security of the single market.
Which entities are subject to the obligations of the NIS2 Directive and the amendment to the Act on the National Cybersecurity System (KSC)?
Qualifying test: Sector and Size Cap. NIS2 (and the Polish KSC Act that follows it) introduces two types of entities that are directly subject to the directive's obligations.
These are essential entities and important entities.
What makes an entity essential or important under the directive?
Two factors: the sector in which the entity operates; and the size of the entity.
As a general rule, NIS2 covers medium and large entities (those employing more than 50 staff or with turnover/balance sheet total exceeding EUR 10 million).
NIS2 also introduces a very specific catalog of sectors covered by the regulation:

Essential Entities (High criticality)
Characteristics: Activity fundamental to the economy. Subject to rigorous proactive supervision.
Sectors covered by the regulation:
- Energy (electricity, gas, hydrogen)
- Transport (air, rail, water)
- Banking and financial market infrastructure
- Healthcare (including drug manufacturers)
- Drinking water and wastewater
- Digital infrastructure (cloud, data centers, DNS)
- Public administration (central level)

Important Entities
Characteristics: Significant activity whose disruption has negative social effects. Subsequent (reactive) supervision.
Sectors covered by the regulation:
- Postal and courier services
- Waste management
- Production and distribution of chemicals and food
- Industrial manufacturing (medical devices, computers, machinery)
- Digital service providers (online marketplaces, search engines, social media)
- Scientific research

Exceptions to the size rule (the "Size Cap"): Certain entities are subject to regulation regardless of their size (this also applies to micro and small enterprises) if they play a critical role in the digital ecosystem.
These include providers of public electronic communications networks, trust service providers, TLD name registries, and DNS service providers.
The obligation to register as an essential or important entity
The NIS2 Directive introduces a fundamental paradigm shift, moving from a reactive model (waiting for an administrative decision) to a model of self-identification.
Company management boards are obliged to independently analyze whether their organization meets the statutory criteria.
Failure to fulfill this obligation, or an incorrect assessment, exposes the company to financial penalties even before any incident occurs.
The draft Polish KSC Act specifies the deadlines for submitting an application for entry in the register of essential and important entities:
- For entities existing on the date the Act enters into force: a deadline set by the Minister of Digital Affairs, to be indicated in a communication specifying the schedule for essential and important entities.
- For entities that acquire obligated status after the Act enters into force: 6 months.
What cybersecurity risk management measures (Art. 21 NIS2) must an organization implement?
The new cybersecurity obligations force a complete change of philosophy within an organization.
The goal of NIS2 is to move from formal compliance to genuine operational resilience.
Organizations must adopt an all-hazards approach, covering hacking attacks, human error, and technical failures.
An organization must demonstrate that its cybersecurity system actually works, not merely show that it has taken the appropriate steps.
Article 21 of the NIS2 Directive is key in this respect, defining the mandatory catalog of technical, operational, and organizational measures that essential and important entities must implement.
Catalog of minimum security measures (Art. 21):
- Risk analysis and security policies: A formal methodology for identifying assets and assessing threats.
- Incident handling: Procedures for detecting, analyzing, and reporting incidents (including an Incident Response Plan, IRP).
- Business continuity (BCP/DRP): Business continuity plans, disaster recovery, and backup management.
- Supply chain security: Verification of IT and cloud service providers, audits, and security clauses in contracts.
- Systems development security: Secure coding, vulnerability management, and secure network configuration.
- Effectiveness assessment: Regular audits, penetration tests, and vulnerability scanning.
- Cyber hygiene and training: Security awareness programs for staff.
- Cryptography and encryption: Rules for encrypting data at rest and in transit.
- HR security: Access control and the principle of least privilege (PoLP).
- Multi-factor authentication (MFA): Implementation of strong authentication for critical systems.
Impact on the supply chain (the domino effect)
In line with the new cybersecurity philosophy under NIS2, even companies that do not meet the NIS2 criteria may be covered by the requirements indirectly.
Under Art. 21 of NIS2, essential entities are obliged to manage risk within their supply chain.
This means that an essential entity must ensure that its suppliers (for example, software houses or logistics companies) meet the appropriate standards.
If it cannot do so, it must change suppliers.
In this indirect way, entities that are not directly obligated may acquire an obligation to implement standards such as MFA or incident reporting, under the threat of losing their contracts.
What is the personal liability of management board members for failing to comply with NIS2 provisions?
NIS2 puts an end to the model of delegating responsibility for cybersecurity exclusively to IT departments.
In line with the new philosophy, and to ensure a systemic approach to cybersecurity within the organization, responsibility has been assigned directly to top management.
Challenges of the new management responsibility:
- Oversight and knowledge: Management board members must personally approve risk management measures and oversee their implementation. Regular cybersecurity training is required in order to have the competence to assess risk.
- Personal sanctions: The Polish implementing provisions (the KSC Act) provide for the possibility of imposing financial penalties directly on the heads of entities for failing to fulfill their obligations.
- Penal measures: In the case of persistent evasion of the provisions, supervisory authorities may apply for a temporary ban on holding management functions (CEO/board) until the deficiencies are remedied.
Decision-makers who ignore these requirements breach the duty of due diligence, which opens the door to company claims for damages and to administrative penalties.
FAQ: Frequently asked questions about NIS2 in Poland
When does NIS2 take effect in Poland?
The amendment to the KSC Act enters into force on 3 April 2026.
When is the deadline to register an essential entity in the KSC system?
Entities existing on the date the Act enters into force have 6 months to submit an application for entry.
This means they must register by 3 October 2026 (a Saturday).
New entities have 6 months from acquiring their status to register.
By when must an entity be fully aligned with the NIS2 requirements?
Entities have 12 months to align with the new requirements, counted from the date the Act enters into force.
This means that, as of 4 April 2027, an entity must be fully aligned with the new requirements.
Are micro-enterprises completely exempt from NIS2?
No.
Micro-enterprises are subject to NIS2 if they provide services essential to the digital ecosystem, for example as providers of DNS services, TLD services, trust services, or public communications networks.
What are the maximum financial penalties for a NIS2 breach for companies?
For essential entities, the penalty may amount to up to EUR 10 million or 2% of global turnover.
For important entities: up to EUR 7 million or 1.4% of turnover.
Does the head of the entity or a management board member bear financial liability?
Yes.
Under the Act, the head of an essential or important entity may also be subject to a financial penalty for failing to fulfill the obligations set out in the Act.
Can the management board effectively delegate responsibility for cybersecurity to the IT director (CISO)?
No.
The provisions explicitly point to the personal liability of the members of the management body.
Delegating technical tasks is permitted, but legal responsibility for overseeing and approving security measures remains with the management board.
In practice, how does supervision of an Essential Entity differ from that of an Important Entity?
Essential Entities are subject to proactive supervision (regular audits without any suspicion of a breach).
Important Entities are subject only to subsequent supervision (an inspection triggered only after an incident occurs or a report of irregularities is received).
What does the all-hazards approach required by the directive mean?
It means the need to secure systems not only against hacking attacks, but also against human error, power failures, physical theft, fire, and flooding.
The risk analysis must be comprehensive.
Protect your company against the cybersecurity revolution brought about by NIS2
The points presented above are merely an introduction to the complex adaptation process facing Polish companies in light of the NIS2 Directive and the amendment to the KSC Act.
Managing this risk allows no half-measures. At stake is not only data security, but also the direct, personal liability of management board members for any failures to act.
To navigate this process in an orderly way and avoid decision-making chaos, we have prepared the "CyberSec 2026 Report: The Revolution in CyberSec." The report was created by practitioners from dotlaw in collaboration with the best experts in the industry (including Pawel Punda and Kamil Cieplicki).
This is not a theoretical legal lecture; it is a strategic roadmap written in business language, free of unnecessary jargon.
In the full study you will find detailed security procedures, ready-to-use checklists for the management board, precise contractual provisions essential for inclusion in agreements with counterparties, and an analysis of liability across the supply chain.
Do not risk basing your strategy on fragmentary information.
Download the full version of the CyberSec 2026 Report and obtain ready-to-use implementation solutions.
From theory to operational resilience: Implementing the standards in practice
Theoretical preparation for the requirements of the NIS2 Directive and the amended Act on the National Cybersecurity System is only the first step.
The real challenge for C-level management in regulated sectors is the operational implementation of these rigorous requirements without paralyzing ongoing business and technological processes.
Instead of building security procedures from scratch, the optimal, market-proven approach is to rely on international standards.
The risk management requirements (Art. 21 NIS2) map almost directly onto the principles of the ISO 27001 standard.
To examine what such a process looks like in a live business organism, we recommend reviewing our case study "Implementing the highest cybersecurity standards for the global Toggl platform."
The Toggl case proves that rigorous certification does not have to mean bureaucratic chaos.
This process encompassed a comprehensive internal audit, the optimization of existing access policies, and a smooth passage through the certification audit.
As a result, the organization not only achieved documented regulatory compliance and raised the awareness of its IT staff, but also built solid, scalable technical foundations essential for obtaining further attestations, such as SOC 2 Type 2 or ISO 27701.
We invite you to take a look at this project.

dotlaw is an AI-native law firm for technology companies. Specializations: AI Act, GDPR, MiCA, ISO 27001, IT contracts, M&A in tech.

