NIS2 Directive: Implementation Guide

Cybersecurity
6 min read
ExColo Team

The NIS2 Directive came into force in October 2024 and represents the most significant reform of European cybersecurity law in a decade. In Poland, NIS2 obligations apply to several thousand entities — many times more than the previous NIS1 directive. Organizations that fail to implement the required controls risk fines reaching tens of millions of euros and personal liability for board members.

What Is the NIS2 Directive

NIS2 (Network and Information Security Directive 2) is EU Directive 2022/2555, which replaced the original NIS Directive from 2016. It entered into force on 16 January 2023, with a transposition deadline of 17 October 2024. Member States were required to incorporate NIS2 into national law, dramatically expanding both the scope and the enforcement powers of cybersecurity regulators across the EU.

The critical difference between NIS1 and NIS2 is a dramatically expanded scope. While NIS1 covered approximately 100 critical infrastructure operators in Poland, NIS2 extends this to an estimated 6,000 entities. The classification approach also changed: instead of a single category of operators of essential services, NIS2 introduces a two-tier classification — essential entities (podmioty kluczowe) and important entities (podmioty ważne).

Essential entities operate in: energy, transport, banking, financial market infrastructure, healthcare, drinking water supply and distribution, digital infrastructure (internet exchange points, DNS, TLD, cloud, data centres, CDN), ICT service management (managed service providers — MSPs and MSSPs), and public administration. Important entities include postal and courier services, waste management, chemical production and distribution, food production, manufacturing, and digital providers.

Size thresholds: essential entities employ over 250 staff or generate €50M+ turnover; important entities employ over 50 staff or generate €10M+ turnover. Exceptions apply: where an entity is deemed critical, the size thresholds do not apply.

Who Must Comply with NIS2

NIS2 covers all medium and large enterprises operating in 18 defined sectors. If your organization provides services in any of the following areas, it very likely falls within NIS2 scope:

  • Essential sectors: energy (electricity, gas, heating, oil, hydrogen), transport (air, rail, water, road), banking and financial market infrastructure, healthcare, drinking water supply, wastewater, digital infrastructure, ICT service management (MSPs, MSSPs), public administration.
  • Important sectors: postal and courier services, waste management, chemical production and distribution, food production and distribution, manufacturing (medical devices, computers, electronics, machinery, vehicles), digital providers (e-commerce platforms, search engines, social networks).

Even if your organization does not meet the size thresholds, supervisory authorities can designate it as an essential or important entity due to its significance for public safety, public order, or public health. This particularly affects smaller entities providing critical services at a regional level.

Managed service providers (MSPs and MSSPs) are classified as essential entities under NIS2 — a direct response to attacks such as SolarWinds and Kaseya, where compromising a service provider gave attackers simultaneous access to hundreds of customer organizations. If you are an MSP or MSSP serving essential or important entities, your own environment must comply with NIS2.

Key Technical Requirements

NIS2 mandates a comprehensive cybersecurity risk management policy. Key technical and organizational requirements cover the following areas:

  • Risk management: A formal, documented cybersecurity risk management policy approved by the board is mandatory. Risk assessments must be conducted at least annually and after any significant change to the environment.
  • Incident reporting: Significant incidents must be reported to the national authority (CSIRT/supervisory body) within strictly defined timelines: early warning within 24 hours of detection, full notification within 72 hours, and a final report within one month.
  • Supply chain security: Organizations must assess and manage the cybersecurity risks of their suppliers and partners. This requires supplier IT audits, verification of their security policies, and inclusion of NIS2 requirements in supplier contracts.
  • Access control and MFA: Multi-factor authentication is required for all privileged accounts. The principle of least privilege must be consistently applied throughout the organization.
  • Encryption: Sensitive data must be encrypted both in transit (TLS 1.2 or later) and at rest. Organizations should maintain a data inventory and document the encryption mechanisms applied to sensitive data.
  • Business continuity: Business continuity plans (BCP) and disaster recovery plans (DRP) must be documented, regularly tested, and approved by the board. Particular emphasis is placed on the ability to maintain operations after a cyber incident.

NIS2 also requires vulnerability management: regular scanning, prioritization, and timely remediation in critical systems. Organizations must provide cybersecurity training for all staff and governance training for board members.

Penalties for Non-Compliance

NIS2 sanctions are significantly more severe than those under NIS1 and are comparable to GDPR fines. For essential entities, the maximum administrative fine is up to €10 million or 2% of total global annual turnover — whichever is higher. For important entities, the maximum fine is up to €7 million or 1.4% of global turnover.

A key innovation is personal liability for management. NIS2 provides that persons in management positions can be held personally liable for cybersecurity violations resulting from negligence or gross negligence. Board members, CEOs, and COOs may face personal financial liability or be barred from holding management positions.

Supervisory authorities gained new powers: they can conduct audits, demand evidence of compliance, issue binding remediation instructions, and suspend certificates. For essential entities, authorities may apply proactive supervision without first demonstrating a violation.

How to Implement NIS2 Step by Step

NIS2 implementation should be treated as a structured project with clearly defined stages, not a one-time initiative. The following practical implementation path covers the key steps:

  • Step 1 — Gap Analysis: Compare current security measures against NIS2 requirements. Identify gaps in policies, processes, and technical controls. The gap analysis output should serve as the foundation for a remediation action plan.
  • Step 2 — Risk Assessment: Conduct a formal cybersecurity risk assessment covering asset identification, threat modelling, vulnerability analysis, and business impact. The output should be a risk register with prioritized remediation actions.
  • Step 3 — Policy Documentation: Develop or update key documents: information security policy, incident response plan, business continuity and disaster recovery plan, and supplier management policy.
  • Step 4 — Technical Controls: Implement required controls: identity management and MFA, patch and vulnerability management, network segmentation, backup testing, and data encryption.
  • Step 5 — Training: Deliver security awareness training for all staff and dedicated NIS2 governance training for board members. Document training completion for audit purposes.
  • Step 6 — Supplier Security: Review contracts with key IT suppliers, conduct security assessments, and include NIS2 requirements in new contracts and amendments.

NIS2 compliance is continuous compliance management. Regular internal audits, incident response plan tests, and annual risk assessment reviews are essential to maintaining compliance. Frameworks such as Zero Trust and ISO 27001 provide a natural foundation for NIS2 — organizations with ISO 27001 certification have an easier path to NIS2 compliance.

How ExColo Can Help

ExColo provides comprehensive support for achieving NIS2 compliance — from initial gap assessment through technical control implementation to preparing documentation required by supervisory authorities.

Our engagement covers: gap analysis against NIS2 requirements, risk assessment and remediation planning, information security policy and incident response plan development, technical control implementation (identity management, MFA, network segmentation), and board and IT staff training. We work with both essential and important entities as defined by NIS2.

Do not wait for the first regulatory inspection or a cyber incident — contact us to plan your NIS2 compliance assessment: ExColo contact form.

About the Author

ExColo Security Team

Cybersecurity specialists focused on Identity Security, Network Security, and Zero Trust architecture.
