
What Is the NIS2 Directive? New Cybersecurity Requirements and Obligations

What is the NIS2 Directive and who does it apply to in 2026? Learn the new requirements, board obligations, incident reporting rules, and penalties for non-compliance.

Author: Klaudia Janecka

In today’s deeply interconnected economy, a cyberattack on a single company can trigger a domino effect, paralysing entire sectors and threatening the functioning of society. Aware of this risk, the European Union has taken decisive steps to strengthen the digital resilience of the entire market. The result of these actions is the NIS2 Directive — a breakthrough regulation that fundamentally changes the rules of the game in cybersecurity for thousands of companies, including many in Poland.

For you, as a director or manager, NIS2 is much more than just another regulatory update. It is a strategic shift that moves responsibility for cybersecurity from the server room directly into the boardroom. Ignoring the new obligations risks not only operational paralysis, but also severe financial penalties and, for the first time on such a scale, personal liability of senior management. In this article, we will guide you through the world of the NIS2 Directive from a business perspective, explaining who the new provisions apply to, what specific requirements they introduce, and how to strategically prepare your organisation for this new reality.


What is the NIS2 Directive?

The NIS2 Directive (The Network and Information Systems Directive 2) is a European Union legal act that establishes a broad, harmonised framework for cybersecurity across the entire EU. Its overarching goal is to raise the overall level of digital resilience in key sectors of the economy. In practice, NIS2 imposes on a wide range of companies and organisations the obligation to implement appropriate cybersecurity risk management measures and to report significant incidents to the competent national authorities.

The NIS2 Directive in a Nutshell: From law to defensive strategy

The table below synthesises the key pillars of the NIS2 Directive, focusing on their strategic significance for business and on the actions and competencies necessary to ensure compliance.

Key NIS2 Directive Requirement | Strategic Significance for Your Company | Necessary Actions and Competencies
Risk Management | Enforcement of a proactive, rather than reactive, approach to cybersecurity; protection of key business processes. | Ability to conduct regular risk assessments, development and implementation of security policies, allocation of an adequate budget.
Personal Liability of the Management Board | Cybersecurity becomes a priority at the highest level; managers must actively oversee and approve protection measures. | Mandatory cybersecurity training for senior management; ability to assess and accept risk.
Incident Reporting | Streamlining the flow of threat information at national and EU level; ability to respond more quickly to new attack vectors. | Implementation of internal incident identification and reporting procedures; competencies in crisis management.
Supply Chain Security | Extension of cybersecurity responsibility to key suppliers and partners; protection against attacks on the weakest link. | Ability to audit and verify security standards at suppliers; competencies in negotiating contracts with cybersecurity clauses.

What is the origin of the NIS2 Directive?

NIS2 is not an entirely new concept, but rather an evolution and significant expansion of its predecessor — the first NIS Directive from 2016. The original directive was the first ever EU law on cybersecurity and represented an important step forward. However, its implementation revealed certain weaknesses. Above all, Member States had too much discretion in its interpretation, which led to market fragmentation and an uneven level of protection. Moreover, its scope was too narrow and did not cover many sectors that had in the meantime become key to the economy. The rapid increase in the number and scale of cyberattacks in recent years has made updating and tightening the regulations an absolute necessity.

What are the main objectives of the NIS2 Directive?

The NIS2 Directive pursues three main, strategic objectives. First, raising and harmonising the level of cybersecurity in entities that play a key role in the economy and society. Second, raising the level of preparedness and ability to respond to incidents at the level of individual Member States. Third, improving cooperation and information sharing on threats and incidents between EU states, which aims to create a mechanism for early warning and joint defence against large-scale attacks.

How does NIS2 differ from the previous NIS Directive?

NIS2 introduces a number of fundamental changes compared to its predecessor. The most important of these is the significant expansion of scope — the directive now covers many more sectors and types of entities. The division into Operators of Essential Services and Digital Service Providers has been abandoned in favour of a new, two-tier system of essential and important entities. The new provisions introduce more rigorous and specific security requirements that must be implemented. Incident reporting obligations have also been tightened, introducing precise, short deadlines. However, from a business perspective, the most important novelty is the introduction of direct liability and personal obligations for the management bodies of the company.

Who is subject to the NIS2 Directive?

The NIS2 Directive applies a general rule whereby it covers medium and large enterprises (employing 50 or more workers or with annual turnover/balance sheet exceeding EUR 10 million) operating in specified sectors. However, importantly, the provisions will apply to certain entities regardless of their size if they are deemed essential to the functioning of the state, e.g. they are the sole provider of a critical service in a given country. The final, detailed list of entities covered by the regulation will be determined in the Polish act implementing the directive.

Which sectors does the NIS2 Directive cover?

The sectoral scope of the directive has been significantly broadened and divided into two categories. Sectors of high criticality (subject to more rigorous supervision) include, among others, energy, transport (air, rail, water, road), the banking sector and financial market infrastructure, healthcare, water and wastewater, digital infrastructure (e.g. data centres, cloud service providers) and public administration. Other critical sectors include, among others, postal and courier services, waste management, manufacture and distribution of chemicals, food production, manufacture of key products (e.g. pharmaceuticals, medical, electronics) and digital service providers (online marketplaces, search engines, social networking platforms).

What are the categories of entities in NIS2?

The directive introduces a new, two-tier division into:

  • Essential Entities: Typically larger entities from sectors of the highest criticality. They will be subject to the full scope of obligations and proactive supervision by national authorities, which means regular audits and inspections.
  • Important Entities: Other entities covered by the directive. They will have the same obligations regarding risk management and incident reporting, but will be subject to reactive (ex-post) supervision, which means that inspections will be carried out mainly in cases where the supervisory authority receives evidence or information about a potential breach.

What new cybersecurity requirements does the NIS2 Directive introduce?

NIS2 no longer leaves companies much room for interpretation. It imposes on them the obligation to implement at least ten specific, minimum security measures. They must have policies on risk analysis and information system security, incident handling procedures, business continuity and crisis management plans (including backup and disaster recovery), and ensure supply chain security. The directive also places a strong emphasis on security in the process of acquiring, developing and maintaining systems, policies for assessing the effectiveness of risk management measures, as well as the use of cryptography and encryption. Crucially for companies like EITT, NIS2 explicitly mentions the obligation to conduct regular cybersecurity training for employees.

How to manage risk in accordance with NIS2?

The directive requires companies to adopt a so-called risk-based approach. This means that the security measures implemented must be adequate and proportionate to the identified risk. Organisations must conduct regular risk assessments, taking into account all potential threats (including human error, technical failures and malicious actions) and the likelihood of their occurrence and potential impact on operations. The risk management process must be documented, and its effectiveness regularly verified.

What obligations does NIS2 impose on company management boards?

This is one of the most revolutionary changes. In accordance with Article 20 of the directive, management bodies of essential and important entities must approve cybersecurity risk management measures and oversee their implementation. Moreover, members of the management board are personally liable for negligence in this area and may be held to account. To ensure that they have the appropriate competencies to perform this role, NIS2 imposes on them the obligation to undergo specialised cybersecurity training, so that they can identify risks and assess the effectiveness of the protection strategies implemented.

How to report cybersecurity incidents under NIS2?

NIS2 significantly tightens and clarifies the obligations associated with incident reporting. A multi-stage reporting process has been introduced for every “significant” incident (i.e. one that causes or may cause serious disruptions to the operation of a service or financial losses):

  • Early warning: Must be submitted to the national CSIRT team (in Poland — NASK) within 24 hours of becoming aware of the incident.
  • Incident notification: A more detailed report, including an assessment of the severity and consequences of the incident, must be submitted within 72 hours.
  • Final report: The final, detailed incident analysis report must be submitted no later than one month after the notification.
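The three stages above form a fixed timeline counted from the moment the organisation becomes aware of the incident. The following tracker, added here as an illustration and not part of the original article, computes the deadlines for each stage and reports whether a given stage has been submitted on time, submitted late, is overdue, or is still pending. It assumes timestamps are ISO 8601 strings with a UTC offset, reads "one month" as a calendar month (clamping 31 January to the last day of February, for example), and starts the final-report clock at the actual notification time when that is known, otherwise at the 72-hour notification deadline; the sample timestamps are constructed.

```python
"""Deadline tracker for the three-stage NIS2 significant-incident reporting
timeline: early warning within 24 h and incident notification within 72 h of
becoming aware of the incident, final report one month after the notification.
Added example; not the article's or any authority's official tooling."""
import calendar
from datetime import datetime, timedelta

EARLY_WARNING_WINDOW = timedelta(hours=24)  # counted from becoming aware
NOTIFICATION_WINDOW = timedelta(hours=72)   # counted from becoming aware


def _parse(ts):
    """Parse an ISO 8601 timestamp and insist on an explicit UTC offset."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset: " + ts)
    return dt


def add_one_month(dt):
    """Same day one calendar month later (assumption: 'one month' is a calendar
    month); a day missing from the target month is clamped to its last day."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def reporting_deadlines(aware_at, notified_at=None):
    """Return the ISO deadline for each stage. The final-report clock starts at
    the actual notification time if known, otherwise at the notification deadline."""
    aware = _parse(aware_at)
    notification_due = aware + NOTIFICATION_WINDOW
    final_start = _parse(notified_at) if notified_at else notification_due
    return {
        "early_warning": (aware + EARLY_WARNING_WINDOW).isoformat(),
        "incident_notification": notification_due.isoformat(),
        "final_report": add_one_month(final_start).isoformat(),
    }


def reporting_status(aware_at, submitted, now):
    """submitted maps stage name -> ISO time the report was sent (absent = not yet).
    Returns stage name -> 'on time' | 'late' | 'overdue' | 'pending'."""
    deadlines = reporting_deadlines(aware_at, submitted.get("incident_notification"))
    current = _parse(now)
    status = {}
    for stage, due_iso in deadlines.items():
        due = _parse(due_iso)
        sent = submitted.get(stage)
        if sent is not None:
            status[stage] = "on time" if _parse(sent) <= due else "late"
        elif current > due:
            status[stage] = "overdue"
        else:
            status[stage] = "pending"
    return status


if __name__ == "__main__":
    # Constructed sample: aware at 09:00 UTC on 10 March 2025, early warning
    # sent within 24 h, notification sent 8 h past its 72 h deadline.
    sent = {
        "early_warning": "2025-03-11T05:00:00+00:00",
        "incident_notification": "2025-03-13T17:00:00+00:00",
    }
    report = reporting_status("2025-03-10T09:00:00+00:00", sent,
                              "2025-03-14T13:00:00+00:00")
    for stage, state in report.items():
        print(f"{stage:22s} {state}")
```

Feeding the tracker from the incident register at detection time gives the crisis team an unambiguous "next deadline" for each open significant incident; the clock is anchored to awareness, not to containment, which is the detail most often missed in practice.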

What are the supply chain requirements in NIS2?

A novelty in NIS2 is a strong emphasis on the security of the entire ecosystem, including the supply chain. Companies covered by the directive are now responsible not only for their own security, but also for assessing and managing the risk associated with their direct suppliers and service providers. This means the need to conduct security audits at their key partners, include rigorous cybersecurity clauses in contracts, and monitor their compliance with the requirements. An attack on a supplier can be just as damaging as a direct attack on the company.

What sanctions are imposed for non-compliance with NIS2?

The directive introduces very high, harmonised financial penalties intended to serve as a deterrent. Their level is inspired by the sanctions known from the GDPR.

  • For essential entities, the maximum penalty is at least EUR 10 million or 2% of total annual worldwide turnover from the previous financial year (whichever is higher).
  • For important entities, the maximum penalty is at least EUR 7 million or 1.4% of total annual worldwide turnover.

In addition to financial penalties, supervisory authorities will have a range of other powers, including the ability to issue binding orders, as well as to hold members of the management board personally liable.

When does the NIS2 Directive enter into force?

The NIS2 Directive formally entered into force in the European Union in January 2023. Member States, including Poland, had until 17 October 2024 to transpose its provisions into their national law. This means that from 18 October 2024 the new, tightened provisions became binding law, and the entities covered must ensure full compliance. As we write these words in August 2025, we already find ourselves fully in the new regulatory reality, and supervisory authorities have begun to enforce the new obligations.

How to prepare an organisation for NIS2 implementation?

If your company is subject to NIS2, ensuring compliance is a process that requires a strategic approach. The key steps are: conducting a gap analysis to assess the current state of security in relation to the requirements of the directive; obtaining unequivocal support and budget from the management board; developing and implementing a comprehensive risk management strategy; and also reviewing and securing the supply chain. However, the absolutely most important and legally required element is investment in training — both for the management board, which must understand its new role and responsibility, and for all employees, whose awareness is the first line of defence against attacks.

The NIS2 Directive is not just another bureaucratic burden. It is a necessary response to the growing threats in cyberspace and a guidepost for companies on how to build digital resilience. In the new legal reality, cybersecurity becomes an integral part of business management and a personal responsibility of leaders. Investment in knowledge and competencies in this area is no longer a choice, but a necessity.

If you want to be sure that your senior management and employees are fully prepared for the challenges and obligations arising from the NIS2 Directive, contact us. Our specialist cybersecurity training programmes for managers and employees will help your organisation build a solid foundation of compliance and security.

Frequently asked questions

How does NIS2 differ from the first NIS Directive?

NIS2 significantly expands the scope of sectors and entities covered by the regulation, introduces more rigorous and specific security requirements, and tightens incident reporting obligations with precise deadlines. The most important novelty is the introduction of direct personal liability of management board members for cybersecurity, including the obligation to undergo specialised training.

What minimum security measures does NIS2 require?

The directive imposes the obligation to implement at least ten measures, including: risk analysis policies, incident handling procedures, business continuity plans, supply chain security, the use of cryptography and encryption, and regular cybersecurity training. These measures must be adequate and proportionate to the identified risk of the organisation.

Are small companies also subject to the NIS2 Directive?

As a rule, NIS2 applies to medium and large enterprises (50+ employees or turnover above EUR 10 million) operating in specified sectors. Small and micro-enterprises are excluded, unless they fulfil a key role — e.g. they are the sole provider of a critical service in a given country. It is worth remembering, however, that the supply chain requirements may indirectly affect smaller companies that are suppliers of entities covered by NIS2.

How does NIS2 affect supply chain management?

Companies covered by the directive are responsible not only for their own cybersecurity, but also for assessing and managing the risk associated with direct suppliers and service providers. This means the need to conduct security audits at partners, include cybersecurity clauses in contracts, and monitor the compliance of suppliers with the requirements.

Develop your competencies

Want to deepen your knowledge in this area? Check out our training led by experienced EITT trainers.

➡️ The NIS2 Directive in practice: preparing the organisation — EITT training

Klaudia Janecka, training supervisor
