NIS2 in Poland: who it applies to, what obligations it creates and how to prepare your company

NIS2 in Poland is no longer a future compliance issue. For many businesses, it is now an active legal and operational topic. In Poland, the amendment implementing the NIS2 Directive through the Act on the National Cybersecurity System (KSC Act) was published on 2 March 2026 and entered into force on 3 April 2026, which means adjustment deadlines are already running for entities covered by the new rules.

From a business perspective, NIS2 is worth treating as more than just another regulation. It creates a framework for managing an organisation’s digital resilience. For some companies, this will be a direct statutory obligation. For others, NIS2 will become an indirect requirement imposed by customers, group entities, business partners, insurers or supply-chain relationships. In practice, this means that even a company that is not formally in scope may still be asked to demonstrate specific security controls, documented procedures or audit readiness.

---

What is NIS2

The NIS2 Directive, formally Directive (EU) 2022/2555, replaced the earlier NIS1 framework and raised the level of cybersecurity requirements across the European Union. Its purpose is to harmonise the protection of network and information systems across Member States, expand the list of sectors covered, and strengthen rules on risk management, incident reporting, supervision and enforcement.

This matters for businesses because NIS2 is not limited to reacting to incidents. It also regulates how cybersecurity should be organised within a company. The framework covers areas such as risk analysis, incident handling, business continuity, crisis management, supply chain security, cryptography, access control and staff training. In other words, the focus shifts from buying security tools to building a structured governance and process model.

---

Who does NIS2 apply to

As a rule, NIS2 applies mainly to medium-sized and large entities operating in sectors considered critical or highly important for the functioning of the state and the economy. The directive uses two core categories: essential entities and important entities. It also allows Member States to include some smaller organisations where their risk profile or systemic importance justifies it.

Essential entities

Sectors with a high criticality level include, among others:

• energy,
• transport,
• banking,
• financial market infrastructure,
• healthcare,
• drinking water,
• wastewater,
• digital infrastructure,
• ICT service management,
• public administration,
• the space sector.

Important entities

Other critical sectors include, among others:

• postal and courier services,
• waste management,
• the chemical industry,
• food production,
• selected manufacturing sectors,
• digital services,
• research organisations.

It is important to stress that the industry label alone does not decide whether a company is covered. Size, the nature of the services provided, the entity’s role in the wider ecosystem, and the specific statutory criteria all matter. In international groups, an additional jurisdictional analysis is often needed, because the place of establishment and cross-border service structure may affect how local rules apply in Poland and elsewhere.

---

What this means for companies outside the direct scope of the Act

In practice, many companies will encounter NIS2 even if they are not formally classified as an essential or important entity. The reason is straightforward: NIS2 places strong emphasis on supply chain security. Entities in scope are expected to manage risks linked to their direct suppliers and service providers. This translates into more security questionnaires, contractual requirements, audit clauses and detailed questions about procedures, backups, access controls and incident response.

For business owners, this is an important signal. Even if a company does not currently see a direct legal obligation under NIS2 in Poland, it may still be asked by a key customer, investor or group company to prove its cybersecurity maturity. From a sales and contract-retention perspective, organisational readiness is increasingly becoming a competitive advantage.

In practice, a sensible first step is often an NIS2 compliance audit, which helps determine whether the organisation is actually subject to the new rules and which gaps should be addressed first.

---

NIS2 in Poland: current legal status and key deadlines

In Poland, NIS2 was implemented through the amendment to the Act on the National Cybersecurity System (KSC Act). The amending act was published on 2 March 2026 and, under its final provisions, entered into force one month later, on 3 April 2026. From that date, the statutory adjustment periods started to run.

The key dates for businesses in Poland are as follows:

• 13 April 2026 – launch of the register of essential and important entities,
• 7 May to 3 October 2026 – self-registration period for entities not entered ex officio,
• 12 June 2026 – new entities can start using the S46 system, including for incident reporting and communication with competent authorities,
• by 3 April 2027 – entities that already met the statutory criteria when the amendment entered into force must implement the new obligations,
• by 3 April 2028 – the first mandatory cybersecurity audit must be completed by essential entities that met the statutory criteria on the entry-into-force date and were not previously subject to the audit requirement as operators of essential services,
• from 3 April 2028 – financial penalties may start to be imposed for the first time.

Poland’s implementation schedule also provides for a two-year delay before financial penalties can first be imposed. That should not, however, be read as a reason to postpone action. Management accountability and supervisory expectations arise earlier, and a lack of preparation may create operational, contractual and reputational problems long before any formal sanction is issued.

---

What obligations does NIS2 impose

One of the biggest mistakes in interpreting NIS2 is reducing it to a requirement to deploy security tools. The directive and the Polish implementation go much further. They expect an organisation to build a coherent cybersecurity management system rather than simply buy technical solutions.

1. Board and senior management accountability

NIS2 clearly shifts responsibility to the management level. Management bodies must approve cybersecurity risk-management measures, oversee their implementation, and may be held liable for infringements. Member States must also require members of management bodies to follow training, and similar training should be offered regularly to employees. In practice, this means cybersecurity becomes a board-level governance issue rather than a matter left only to IT or security teams.

2. Cybersecurity risk-management measures

The minimum catalogue of measures under NIS2 covers at least:

• policies on risk analysis and information system security,
• incident handling,
• business continuity, backups and disaster recovery,
• crisis management,
• supply chain security,
• security in acquisition, development and maintenance of systems,
• assessment of the effectiveness of security measures,
• basic cyber hygiene and training,
• policies on cryptography and, where appropriate, encryption,
• human resources security, access control and asset management,
• where appropriate, multi-factor or continuous authentication and secure communications.

This list shows the scale of the change. NIS2 is not only about infrastructure protection. It also covers documentation, roles and responsibilities, procurement, supplier relationships, asset classification, control testing and regular staff awareness-building.

3. Incident reporting

NIS2 also tightens reporting requirements. As a rule, an entity must submit an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report no later than one month after the notification. In Poland, reporting is to be handled through the S46 system.

For businesses, this means practical readiness is essential. It is not enough to mention incident reporting in a policy. The organisation needs clear roles, decision paths, contact points, templates and tested escalation scenarios.

Why NIS2 also matters to management, finance and operations
NIS2 is often viewed as a technical topic, but its consequences are business-driven. A cybersecurity incident may mean halted production, service disruption, data loss, recovery costs, disputes with counterparties and reputational damage. From a board perspective, that places cyber risk alongside tax, regulatory and operational risk.

That is why well-prepared organisations should integrate NIS2 into their broader corporate governance framework. In practice, this means regular reporting to senior management, risk reviews, policy approval, alignment with business continuity planning and verification that critical services are protected by adequate controls and fallback scenarios.

---

How to prepare your company for NIS2 compliance

In most organisations, the best starting point is not a technology purchase, but a structured assessment of the current state. This makes it possible to determine whether the company is actually in scope, where the main gaps are, which areas are critical and which actions will deliver the fastest effect.

A good starting point is an NIS2 compliance audit, which helps assess whether the organisation is ready to meet the requirements of the NIS2 Directive and the Polish Act on the National Cybersecurity System (KSC Act), and then define a realistic remediation roadmap.

---

A practical preparation path for organisations

1. Determine whether the organisation is in scope

At the outset, three key questions should be answered:

• which sector the company operates in,
• whether it meets the size thresholds or other statutory criteria,
• which services, systems and processes are business-critical.

This is the stage at which many organisations make their first mistake: either they conclude too quickly that the regulation does not apply, or they launch a broad implementation programme without first confirming the actual scope of obligations.

2. Review documentation and processes

The next step is to assess the current state of:

• policies and procedures,
• registers and inventories,
• access rules,
• business continuity plans,
• supplier contracts,
• incident management processes,
• backups,
• monitoring,
• asset inventories,
• training practices.

3. Perform a gap analysis

At this stage, the current state is compared with the requirements of NIS2 and the Polish KSC Act. The purpose is not only to identify missing elements, but also to assess their regulatory and business significance. Not every gap has the same weight. Some require immediate intervention, while others can be scheduled over a longer timeframe.

4. Build a remediation plan

The final stage is a structured implementation roadmap. It should cover both formal and technical actions, including task owners, deadlines, dependencies, priorities and the way progress will be reported to management.

---

What an NIS2 compliance audit should cover

An NIS2 compliance audit should be practical rather than purely formal. Its purpose is not just to produce a list of deficiencies, but to assess whether the organisation is genuinely ready to operate under the new regulatory framework in Poland.

A well-designed audit will usually include four stages:

Audit planning

• defining scope and assessment criteria,
• identifying audited areas,
• preparing the work plan.

Audit execution

• reviewing documents and procedures,
• interviewing key personnel,
• analysing operational practices,
• sample-checking selected configurations and security mechanisms,
• collecting audit evidence.

Compliance assessment

• comparing the current state with NIS2 and KSC requirements,
• identifying gaps,
• assessing the materiality of non-compliance.

Reporting

• presenting findings,
• recommending corrective actions,
• outlining an implementation timetable,
• reporting results to management.

This model is especially valuable for businesses that want to move quickly from general awareness of NIS2 to concrete organisational and budgeting decisions.

---

The most common mistakes companies make with NIS2

In practice, the following issues appear most often:

Treating NIS2 as an IT-only project
If implementation is handled only by the IT department and management does not play a real oversight role, the organisation will usually fail to meet the substance of the regulation.

No map of critical services and assets
Without understanding which services, processes and systems are genuinely critical, it is difficult to design a sound risk analysis, business continuity plan or response process.

Underestimating the supply chain
Providers of IT services, hosting, support, software development, integration and infrastructure operations are becoming a material part of risk assessment. Ignoring this area is quickly exposed during an audit or a contractual review.

Procedures that exist only on paper
Having a document does not by itself mean compliance. Procedures need to work in practice, be understandable, remain up to date and be known to the people responsible for applying them.

No real readiness for incident reporting
The reporting deadlines are short. If the organisation does not know who classifies an incident, who approves a notification and who communicates with the competent authority or CSIRT, even good technology will not ensure compliance.

Sanctions and business risks
NIS2 strengthens the supervisory and enforcement framework. At EU level, Member States must provide for maximum administrative fines of at least EUR 10 million or 2% of total worldwide annual turnover for essential entities, and at least EUR 7 million or 1.4% of total worldwide annual turnover for important entities, whichever is higher. Essential entities are also subject to a stricter supervisory regime, while important entities are generally supervised under a lighter regime.

In Poland, the implementation timetable postpones the first imposition of financial penalties for two years, but from a business perspective the earlier risks are often more immediate: loss of client trust, friction with counterparties, limited access to tenders, higher cyber insurance costs and difficulty demonstrating proper managerial diligence.

---

NIS2 and international companies operating in Poland

For subsidiaries, branches and corporate groups operating in Poland, NIS2 has particular importance. These organisations often rely on central security policies and group-wide standards, but that will not always be enough to satisfy local obligations. A separate analysis is needed to determine whether the Polish entity itself is in scope, what registration and reporting duties apply, and how group standards should be aligned with Polish law.

This matters especially when services are provided cross-border and infrastructure, suppliers and security processes are spread across several jurisdictions. In such cases, clear allocation of responsibility, reporting channels and risk ownership becomes critical.

---

Summary

NIS2 changes the way companies should think about cybersecurity. The issue is no longer limited to protecting systems. It is about the organisation’s ability to manage risk, respond to incidents, maintain business continuity and demonstrate that management exercises real oversight over this area.

For businesses operating in Poland, the three most important questions today are: whether the organisation is in scope, what its actual level of readiness is, and which actions should be implemented first. That is why a structured current-state assessment and a business-priority-based implementation plan are usually the most sensible starting point.

If a company wants to approach this process in a practical way, an NIS2 compliance audit is often the right first move, because it translates legal requirements into concrete organisational and technical actions.

---

If you have any further questions or require additional information, please contact your business relationship person or use the enquiry form on the HLB Poland website.

Contact us »

***