NIS2 compliance audit

A comprehensive assessment of your organisation’s readiness to meet the requirements of the NIS2 Directive and the National Cybersecurity System Act.

The NIS2 Directive applies to key and important entities operating in sectors critical to the functioning of the state and the economy.

What is NIS2?

Who does it apply to?

Entities that achieve a certain scale of activity (in principle: medium and large enterprises — 50 employees or €10 million in turnover/balance sheet for the previous year) and provide services whose disruption would have a significant impact on security, health, the economy or public order.

Supply chain

NIS2 also applies to entities that supply services or products to key or important entities. The main criterion for coverage is significance for the continuity of critical services or being part of the supply chain.

When does it take effect in Poland?

NIS2 is transposed into Polish law through the Act on the National Cybersecurity System (KSC). The act has been signed by the President (as of February 2026). Vacatio legis: 14 days from the date of publication in the Journal of Laws. Entry into force: expected in March 2026.

Adjustment periods

Parliament has extended the adjustment periods to 6 months for registration and 12 months for implementation, and has introduced a 2-year moratorium on penalties.


Key and important entities

The sector and role in the economy matter more than the legal form. Polish branches of corporations in regulated industries must comply with the Polish KSC/NIS2 Act.

Key entities — Critical areas

Energy
Transport
Banking
Financial Market Infrastructure
Healthcare
Drinking Water
Wastewater
Digital Infrastructure
ICT Service Management
Public Administration
Outer Space

Important entities

Postal & Courier Services
Waste Management
Chemical Industry
Food Production
Manufacturing & Technology
Digital Services
Scientific Research

Board responsibility and sanctions

Obligations and responsibility rest with the management / board of the entity — including financial responsibility.

Board responsibility

  • Direct oversight: The board is responsible for implementing cybersecurity measures and ensuring their effectiveness.
  • Formal obligations: Approval of IT security policies and risk analysis, and mandatory cybersecurity training for management.
  • Personal risk: Financial penalties may be imposed directly on managers for gross negligence.

Sanctions

  • Financial penalties: Up to €10 million or 2% of global turnover (for key entities).
  • Authority powers: Ability to issue orders and prohibitions and to conduct ad-hoc audits.
  • Business consequences: Civil liability towards contractors, and the risk of reputational damage and loss of supply chain contracts.


Risk management measures

The NIS2 Directive requires the implementation of comprehensive cybersecurity risk management measures.

01. IT security policy and risk analysis

Development and implementation of an IT security policy, together with methods, procedures and tools for assessing and managing cyber risk, e.g. in accordance with ISO/IEC 27005.

02. IT incident handling

A set of actions and procedures for responding to security incidents — from detection through reporting to remediation. Incidents are reported to the CSIRT within 24 hours.

03. Business continuity and crisis management

Business Continuity Plan (BCP) and IT Disaster Recovery Plan (DRP). Daily backups and regular test restores from backup.

04. Supply chain security

Managing the risk arising from the use of subcontractors and IT suppliers. Supplier security audits and certifications (e.g. ISO 27001).

05. Network and IT systems security

Security throughout the entire lifecycle of IT systems — procurement, development, updating, maintenance and decommissioning. “Security by Design”.

06. Assessment of risk management effectiveness

Internal and external audits, penetration tests, benchmarking against standards (ISO 27001, CIS Benchmarks). Reporting to management.

07. Cyber hygiene and training

Strong passwords and MFA, cybersecurity training, phishing simulations, the principle of least privilege, awareness campaigns.

08. Cryptography and encryption

Encryption of data at rest (BitLocker) and in transit (TLS 1.3, VPN). Cryptographic key management (KMS). Digital signatures and PKI.

09. Human resources security, access control and asset management

Multi-factor authentication (MFA), RBAC, IT asset inventory, data classification, asset lifecycle monitoring, DLP.


NIS2 compliance audit methodology

Our audit covers four key stages — from planning to delivering a report with recommendations for corrective actions.

1. Audit planning

  • Establishing the scope and audit criteria (NIS2 + KSC)
  • Identification of areas subject to assessment
  • Preparation of the work plan

2. Conducting the audit

  • Review of documentation and procedures
  • Interviews with key personnel
  • Analysis of processes and operational practices
  • Sample verification of selected system configurations and security mechanisms (e.g. firewall, IAM systems, backup, network segmentation)
  • Collection and evaluation of audit evidence

3. Gap analysis

  • Comparison of the current state with NIS2/KSC requirements
  • Identification of gaps
  • Assessment of the significance of identified non-conformities

4. Reporting

  • Report with findings
  • Recommendations for corrective actions
  • Framework implementation schedule
  • Presentation of results to management

Get in Touch

We will help your organisation prepare for NIS2 requirements.


Our experts

Claus Frank


Managing Partner, getsix Group



Each of the individual and independent member firms of HLB Poland has a dedicated HLB Contact Partner.
