Digital security has become a key priority for the European Union, and this is reflected in new, stricter regulations. The NIS2 Directive, the successor to the first NIS Directive of 2016, significantly expands the scope of entities covered by cyber security obligations and introduces more stringent requirements. For many Polish companies, understanding whether they fall under the NIS2 Directive in Poland and how to ensure NIS2 compliance is an urgent task for 2025, especially with the looming implementation deadlines for national regulations. Acting as a practical checklist, this article explains the key requirements of NIS2, who is affected by the new regulations, and what steps should be taken to effectively prepare your organization for NIS2 implementation and avoid potential penalties. The focus will be on the practical aspects of NIS2 cybersecurity.
NIS2 in a nutshell: objectives, scope and who is affected in Poland
The main objective of the NIS2 Directive is to raise the overall level of cyber security of key economic sectors and public services across the European Union. The directive significantly expands the scope of regulated sectors and entities compared to its predecessor. It introduces a distinction between essential entities and important entities, operating in sectors deemed critical or vital to the functioning of society and the economy.
Sectors of high criticality (essential entities) include energy, transport, banking, financial market infrastructure, health, drinking water and wastewater infrastructure, digital infrastructure (including cloud service providers, data centers and content delivery networks), public administration and space, among others.
Other critical sectors (important entities) include postal and courier services, waste management, chemical production and distribution, food production and processing, manufacturing (e.g., medical devices, computers, electronics, machinery, vehicles), and digital service providers (online marketplaces, search engines, social media platforms).
The directive covers medium-sized and large enterprises operating in these sectors. Small and micro-enterprises are in principle excluded, unless they play a key role in a given sector (e.g., they are the only service provider in a member state). Polish companies operating in the aforementioned sectors and meeting the size criteria must prepare for the new obligations.
Key responsibilities for cyber security risk management
NIS2 requires covered entities to implement appropriate and proportionate technical, operational and organizational measures to manage security risks to the networks and information systems they use in their operations or in the provision of services. The directive lists a minimum set of measures that must be included. These include, among others:
- Risk analysis and information system security policies.
- Incident handling (prevention, detection and response procedures).
- Business continuity (backup management, disaster recovery) and crisis management.
- Supply chain security (including security aspects of relationships with suppliers and service providers).
- Security in the acquisition, development and maintenance of networks and information systems (including vulnerability handling and disclosure).
- Policies and procedures for evaluating the effectiveness of risk management measures.
- Basic cyber hygiene practices and cyber security training.
- Policies and procedures for the use of cryptography (including encryption).
- Human resource security, access control policies and asset management.
- Use of multi-factor or continuous authentication (where appropriate).
Importantly, NIS2 introduces accountability of management (e.g., the board of directors) for the implementation and supervision of cyber security measures. Members of governing bodies will be required to receive training in this area.
Incident reporting requirements: what, when and how to report?
The NIS2 Directive significantly tightens and standardizes reporting obligations for cyber security incidents that have a significant impact on the provision of services. Covered entities will have to report significant incidents to the designated national computer security incident response team (CSIRT) and, in some cases, to the relevant national authority. Reporting proceeds in stages:
- Early warning: within 24 hours of becoming aware of the incident, initial information about a suspected significant incident.
- Incident notification: within 72 hours of becoming aware of the incident, more detailed information, including an initial assessment of the incident, its severity and its impact.
- Final report: within one month of submitting the incident notification (or of completing incident handling), a detailed final report.
Entities will also be required to inform their customers (service recipients) of incidents that may have a significant impact on them. Implementing effective procedures for detecting, analyzing and reporting incidents will be key to meeting these requirements.
Supply chain security in the context of NIS2
One of the key areas strengthened by NIS2 is supply chain security. Covered entities will have to take into account the risks associated with their direct suppliers and service providers (e.g., providers of data storage, software, managed security services). This means assessing the cyber security practices of their partners and including security aspects in their contracts with them. Companies will need to ensure that their suppliers also have appropriate security measures in place, appropriate to the potential risks they may introduce into the NIS2 entity ecosystem. Supply chain risk management is becoming an integral part of the overall cybersecurity risk management system required by the directive.
Surveillance, penalties and enforcement of NIS2 regulations in Poland
NIS2 provides for strengthening oversight of covered entities. Designated national authorities will have the power to conduct audits and inspections and to request information in order to verify compliance. Importantly, the directive also introduces severe financial penalties for non-compliance, which are intended to be effective, proportionate and dissuasive. For essential entities, the maximum administrative fine must be at least €10 million or 2% of the company’s total annual worldwide turnover (whichever is higher). For important entities, the maximum fine must be at least €7 million or 1.4% of total annual worldwide turnover. These high potential penalties underscore the importance the legislature attaches to ensuring compliance with NIS2.
Checklist: preparatory steps for implementing NIS2 in your company
Preparing for NIS2 is a process you should start as soon as possible. Here are the key steps your company should take:
- Determine your company’s status: check whether your company operates in a sector covered by NIS2 and meets the size criteria (medium or large enterprise) to determine whether it falls under the obligations of an essential or important entity.
- Conduct a risk analysis: carry out a comprehensive risk assessment for the security of the networks and information systems used in your business.
- Perform a gap analysis: compare the current state of your company’s security measures and procedures with the minimum requirements set out in NIS2 (listed earlier in this article) and identify areas for improvement.
- Develop and implement an action plan: create a schedule for implementing the missing technical, operational and organizational measures. Assign responsibilities and provide the necessary resources.
- Update policies and procedures: review and align internal security policies, incident handling procedures, business continuity plans and supply chain management with NIS2 requirements.
- Train management and employees: provide appropriate cybersecurity training for management (as required by NIS2) and awareness programs for all employees.
- Implement incident reporting procedures: ensure that you have mechanisms and procedures in place to detect and report significant incidents within the NIS2 deadlines.
- Verify supplier security: evaluate the cybersecurity practices of key suppliers and service providers and incorporate appropriate provisions into contracts.
- Monitor and test: implement continuous security monitoring and regularly test the effectiveness of the implemented measures (e.g., through penetration tests and audits).
- Document activities: keep accurate records of all risk management and compliance actions taken, since they may be required during an audit.
Summary: Key lessons for the EITT reader
The NIS2 Directive represents a significant step toward strengthening cyber security in the European Union, imposing new, more stringent obligations on a wider group of entities than before. For Polish companies operating in key and important sectors, ensuring compliance with NIS2 is becoming an urgent priority. This requires a comprehensive approach to risk management, the implementation of appropriate security measures, improved incident handling and supply chain management processes, and management commitment. While preparing for NIS2 can be a challenge, it is also an opportunity to significantly improve an organization’s cyber resilience and better prepare for evolving threats.
Next step with EITT
Not sure if your company falls under NIS2 or how to effectively implement its requirements? Need support in conducting a risk analysis, gap analysis or developing a compliance plan? EITT offers comprehensive compliance audits, consulting, and dedicated training on the NIS2 directive and cybersecurity management. Contact our experts to learn how we can help your organization prepare for NIS2 requirements efficiently and effectively.
Read also
- NIS2 Training - What Your IT Team Needs to Know
- Cyber security in the company: the NIS2 directive, DORA and building resilience
- Payroll disclosure and the EU directive: a guide for companies
Develop your skills
Want to deepen your knowledge in this area? Check out our training led by experienced EITT instructors.
➡️ The NIS2 Directive: what do companies need to know and how to prepare? — EITT training
Frequently Asked Questions
Who is affected by the NIS2 Directive in Poland?
The NIS2 Directive applies to essential and important entities operating in critical sectors such as energy, transport, healthcare, digital infrastructure, and public administration. It significantly broadens the scope compared to the original NIS Directive, now covering medium and large enterprises in over 18 sectors. Even some smaller companies may be affected if they operate in digital infrastructure or provide critical supply chain services.
What are the main penalties for non-compliance with NIS2?
Penalties under NIS2 are substantially higher than under the original directive. Essential entities face fines of up to 10 million EUR or 2% of global annual turnover, whichever is higher. Important entities can be fined up to 7 million EUR or 1.4% of turnover. Additionally, management bodies can be held personally liable for failing to ensure compliance.
When does the NIS2 Directive take effect in Poland?
EU member states were required to transpose the NIS2 Directive into national law by October 17, 2024. Poland has been working on its implementation through amendments to the National Cybersecurity System Act. Organizations should not wait for final national legislation but should begin preparing now, as the requirements are clearly defined in the directive itself.
What are the first steps a company should take to prepare for NIS2?
Start by determining whether your organization falls under the directive’s scope based on sector and size criteria. Then conduct a gap analysis comparing your current cybersecurity measures against NIS2 requirements, focusing on risk management, incident reporting procedures, supply chain security, and business continuity planning. Engaging leadership early is critical since NIS2 places direct responsibility on management bodies.