NIS2 Implementation Guide for Polish Organizations

Cybersecurity
Tomasz

The NIS2 Directive has been transposed in Poland through an amendment to the Act on the National Cybersecurity System (UKSC), significantly expanding the set of organizations subject to mandatory cybersecurity requirements. An estimated 6,000 Polish entities are now covered, compared to approximately 100 under NIS1. For most of them, this means entirely new obligations around security management, incident reporting, and board liability. In 2026, CERT Polska and the relevant supervisory authorities are actively auditing, and the window for preparation is closing.

NIS2 in Poland: Status in 2026

The NIS2 Directive (Directive (EU) 2022/2555) required EU member states to transpose its provisions into national law by 17 October 2024. Poland implemented it through an amendment to the Act on the National Cybersecurity System. The new rules radically expand the scope of obligations: instead of NIS1's narrow list of operators of essential services, NIS2 covers entities from 18 sectors critical to the economy and society.

The expanded scope introduces two new categories: essential entities and important entities. For many Polish companies — including firms in manufacturing, transport, food production, waste management, and digital service providers — NIS2 represents the first formal cybersecurity requirements arising from law.

Supervisory authorities are active: CERT Polska coordinates incident handling and conducts technical audits, while sector-specific regulators (UKE for telecommunications, KNF for finance, Civil Aviation Authority for aviation, and others) supervise entities in their sectors. Penalties for non-compliance are significant and include personal liability for board members.

Does Your Organization Fall Under NIS2?

An essential entity is an organization operating in one of 11 high-criticality sectors (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) with more than 250 employees OR annual turnover above €50 million. Essential entities face the strictest requirements and highest penalties.

An important entity is an organization in those same 11 sectors or 7 additional sectors (postal and courier services, waste management, manufacturing, chemicals, food, digital services, research) with more than 50 employees OR annual turnover above €10 million. Requirements are similar to essential entities, though penalties are somewhat lower.

Managed service providers (MSPs) and cloud service providers fall under NIS2 regardless of size — even small companies providing managed services to essential or important entities may be covered as ICT service providers. If your company provides IT, security, or cloud services to large enterprise clients, carefully verify whether you are subject to NIS2.

Uncertainty about scope is one of the most commonly reported challenges. If you are unsure whether your organization falls under NIS2, consult a lawyer specializing in cybersecurity law or contact the relevant sector authority. The cost of unnecessary preparation is incomparably lower than a penalty for non-compliance.

Key NIS2 Requirements to Implement

Governance: the directive requires board approval of the cybersecurity policy, annual risk assessment, designation of a person responsible for cybersecurity (not necessarily a CISO — an external adviser is acceptable), and regular training for board members and senior management. The board cannot delegate responsibility to the IT department — NIS2 explicitly places accountability on the management body.

Technical controls include a number of specific requirements: multi-factor authentication for all remote access and access to critical systems, encryption of data in transit and at rest for sensitive data, vulnerability management and regular system updates, network segmentation isolating critical systems from the rest of the infrastructure, and backups tested for recoverability in a ransomware scenario.

Supply chain security is one of NIS2's key focus areas: organizations must assess the cybersecurity risk of their critical ICT suppliers and include security requirements in contracts. This means developing supplier security questionnaires and regularly auditing responses.

Incident reporting requires: an early warning within 24 hours of detecting a significant incident, a full notification within 72 hours including incident assessment and remediation measures, and a final report within one month with full root cause analysis, scope, and lessons learned. A "significant incident" is one that has affected or could affect service continuity or caused significant material or non-material harm.

Step-by-Step NIS2 Implementation Plan

Step 1: Determine your scope. Identify whether your organization is an essential or important entity, and which sector authority has jurisdiction. This determines the exact scope of requirements and timelines.

Step 2: Conduct a gap analysis. Map existing security controls against NIS2 requirements using, for example, the ENISA NIS2 implementation guide. Identify areas requiring work: most commonly MFA, network segmentation, backups, supplier management, and incident reporting procedures.

Step 3: Build the governance framework. Develop and obtain board approval for an information security policy, risk management plan, and incident response plan. Designate a person responsible for cybersecurity. Organize board training on NIS2 requirements and liability.

Step 4: Implement technical controls. Priorities: MFA deployment for all remote access, network segmentation isolating critical systems, backup hardening (offline copies, restoration testing), encryption of sensitive data, and vulnerability management. For more advanced organizations: implementing Zero Trust as a framework tying all technical controls together.

Step 5: Secure the supply chain. Develop a security questionnaire for critical ICT suppliers. Include security requirements in supplier contracts or renegotiate existing agreements. Identify high-risk suppliers and conduct audits.

Step 6: Register with the appropriate authority. NIS2 requires self-registration of entities — notification to CERT Polska or the relevant sector authority. Failure to register is itself a violation.

Step 7: Train your staff. Provide cybersecurity awareness training for all employees (phishing awareness, device use policies), technical training for IT staff, and specialized training for the board on NIS2 liability.

Penalties and Board Liability

Financial penalties for NIS2 non-compliance are significant. Essential entities can be fined up to €10 million or 2% of global annual turnover (whichever is higher). Important entities can be fined up to €7 million or 1.4% of global annual turnover. For large corporations, these figures can represent tens of millions of euros.

A key innovation of NIS2 is personal liability for board members. Managing directors, supervisory board members, and other decision-makers can face personal liability for violations resulting from negligence in cybersecurity oversight. Supervisory authorities can impose temporary bans on holding management positions. This is a fundamental change from NIS1, where liability was limited to the organizational level.

An important distinction: penalties are not imposed for the mere fact of a security incident, but for the absence of appropriate security measures, for delayed or absent incident reporting, and for non-compliance with supervisory orders and decisions. An organization that implemented proper controls, fell victim to an attack, and correctly reported the incident is in a significantly better position than one that ignored security requirements.

How ExColo Can Help

ExColo supports Polish organizations at every stage of NIS2 implementation: from scope determination and gap analysis, through technical control deployment, to preparation of documentation and procedures required by the directive. We specialize in the areas most commonly requiring work: identity security (MFA, privileged access management), network segmentation, and Zero Trust.

We offer NIS2 board workshops explaining the scope of liability, technical assessment mapped to NIS2 requirements, implementation of priority technical controls, and preparation of policy and procedure documentation. Contact us to discuss an NIS2 implementation plan for your organization: ExColo contact form.

About the Author

ExColo Security Team

Cybersecurity specialists focused on Identity Security, Network Security, and Zero Trust architecture.

