Many managers react with weariness at the news of yet another EU directive, seeing it merely as a new wave of red tape. However, the Polish implementation of the NIS2 Directive is something completely different. It is not an evolution of existing regulations, but a fundamental paradigm shift dictated by hard geopolitics. As a "frontline state," Poland is implementing regulations much stricter than the EU minimum, treating cybersecurity as a component of national security. Ignoring these changes is no longer a business option—it is a direct threat to company stability and the personal careers of its board members. This article cuts through the legal jargon to reveal five of the most striking and often surprising truths about the new Act on the National Cybersecurity System (KSC).
The most revolutionary change introduced by NIS2 is the definitive shift of responsibility from technology departments directly onto the shoulders of the Management Board. Cybersecurity ceases to be a technical issue and becomes a key element of corporate governance for which managers are personally liable. This fundamentally redefines cybersecurity as a core fiduciary duty of the board, on par with financial oversight, rather than a delegated technical task.
Under the new regulations, management bodies are required to approve the cybersecurity risk management measures and oversee their implementation, and they can be held liable for the entity's infringements. Most importantly, this is personal and non-transferable liability. It cannot be delegated to a Chief Information Security Officer (CISO) or any other employee; it attaches directly to the function held. The consequences of negligence strike managers directly: the supervisory authority can impose a monetary penalty of up to 600% of their remuneration on a board member, as well as a temporary ban on holding managerial positions.
To ensure liability is not just an abstract provision, the act introduces a specific requirement. Board members have a statutory obligation to undergo regular cybersecurity training. The law, therefore, not only creates a severe penalty but simultaneously imposes a remedy—education. This aims to equip leaders with the knowledge necessary to make informed decisions regarding resource allocation and risk acceptance.
New regulations introduce a fundamental change in how regulated entities are identified, shifting the entire burden and legal risk onto entrepreneurs. The previous model, known from the NIS1 directive, where a public administration body assigned the status of an "operator of essential services," is becoming a thing of the past.
Now, every company must perform self-identification. This means an obligation to proactively analyze one's own operations, mainly on the basis of the so-called "size-cap rule" (the act covers, as a minimum, medium and large enterprises, i.e. those with at least 50 employees or an annual turnover or balance sheet total above EUR 10 million) and membership of one of the sectors listed in the act. However, relying solely on the employee count is a straight path to disaster. The act provides for a list of critical exceptions: entities covered by the regulation regardless of their size. These include, among others, providers of public electronic communications networks or publicly available electronic communications services, trust service providers, and TLD name registries and DNS service providers.
Furthermore, the analysis must be much broader: one must consider data from linked and partner enterprises within the entire capital group. As a result, even a small subsidiary can be covered by the regulation if it is part of a larger structure. This task requires in-depth legal analysis, and an error in assessment can have serious consequences, since the company would be operating as an unregistered essential or important entity.
The NIS2 Directive opens a completely new front of corporate responsibility: supply chain security. Companies can no longer focus solely on their own systems. The new law makes them responsible for assessing and managing the cybersecurity risks arising from their direct suppliers and service providers.
In practice, this means the necessity to implement a comprehensive third-party risk management process. Entities covered by the act are obliged to inventory their IT system, software and cloud service suppliers; categorize those suppliers according to the risk they pose to business continuity; assess the security of the suppliers and their processes; include security clauses (technical requirements, incident reporting, audit rights) in contracts and SLAs; and apply a formal policy for accepting new suppliers.
Moreover, the state gains a powerful tool in the form of the "High-Risk Vendor" (HRV) procedure. The Minister of Digital Affairs will be able to designate a given hardware or software supplier as a high-risk entity. For companies, this means not only a ban on purchasing new products from such a supplier but also an obligation to withdraw and replace existing infrastructure within 4 to 7 years. Significantly, the act does not provide for any compensation for the costs of "rip and replace" operations, constituting a huge, uninsurable financial risk.
Many companies, after self-identification and qualifying as an "Important Entity" (rather than "Essential"), might breathe a sigh of relief, assuming this involves significantly lower requirements. This is a dangerous and—as legal analysis indicates—false thesis.
Basic obligations regarding the implementation of technical and organizational measures, described in Article 8 of the act, are in principle identical for both categories of entities. Both Essential and Important entities must implement a security management system based on risk analysis, covering incident handling, business continuity, supply chain security, and regular testing.
The real difference lies in the supervision regime: essential entities are subject to ex-ante supervision, meaning the authority may inspect them at any time, with no incident needed as a trigger, while important entities are supervised ex-post, meaning inspections and enforcement follow evidence of non-compliance, typically a reported incident.
The strategic trap is that an "Important" entity has less contact with the regulator before a crisis, but the moment it occurs, it will be evaluated according to the same strict standards. The lack of prior audits can create a false sense of security, which will be brutally verified after the first serious incident.
The Polish legislator did not stop at simply copying EU regulations. Regarding financial penalties, a decision was made in favour of so-called "gold-plating": implementing solutions much stricter than the minimum required by Brussels, intended to have a chilling effect.
The NIS2 Directive requires Member States to provide for maximum administrative fines of at least 10 million EUR or 2% of total worldwide annual turnover (whichever is higher) for essential entities and 7 million EUR or 1.4% of turnover for important ones. The Polish act adds a further, much higher threshold: where a violation leads to a threat to state security or public health, or causes serious property damage, the supervisory authority may impose a penalty of up to 100,000,000 PLN (approx. 23 million EUR).
But that’s not all. The act equips regulators with a tool of continuous pressure. For failure to execute an administrative decision on time (e.g., an order to patch a vulnerability), the authority may impose a periodic penalty of up to 100,000 PLN for each day of delay. This is a powerful disciplinary mechanism that makes ignoring post-control recommendations financially ruinous.
If you're wondering whether your company is subject to the NIS2 directive, need help with self-identification, or want to implement the required security measures – contact us. We'll help prepare your organization for full regulatory compliance, avoiding severe administrative penalties.
Your company is subject to NIS2 if it belongs to one of the 18 essential or important sectors (energy, transport, banking, health, water, ICT, public administration, manufacturing, food, and others) and employs at least 50 people or has an annual turnover or balance sheet total above €10 million. However, there are critical exceptions: some entities (providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers) are covered regardless of size. Self-identification is required, taking into account the entire capital group.
The NIS2 Directive entered into force on January 16, 2023, and Member States had until October 17, 2024, to transpose it into national law. Poland is implementing NIS2 through an amendment to the Act on the National Cybersecurity System (KSC). After the amendment enters into force, covered entities have a specified time to conduct self-identification and implement the required security measures. It's crucial to start preparations now, as full implementation of monitoring systems and procedures requires months of work.
Administrative penalties are on a scale comparable to the GDPR (whose own ceiling, €20 million or 4% of turnover, is in fact higher), but NIS2 adds personal liability for board members on top. For essential entities: up to €10 million or 2% of global turnover (whichever is higher). For important entities: up to €7 million or 1.4% of turnover. Poland additionally introduced "gold-plating": in case of a threat to state security or serious property damage, the penalty can be up to 100 million PLN. Additionally, for failure to execute an administrative decision: a periodic penalty of up to 100,000 PLN for each day of delay. Board members can receive a personal penalty of up to 600% of remuneration and a ban on holding management positions.
NIS2 and GDPR are separate regulations with different objectives. GDPR protects the personal data of EU citizens, requires data breach notification within 72 hours, and carries penalties of up to €20 million or 4% of turnover. NIS2 protects critical infrastructure and service continuity, requires an early warning of an incident within 24 hours plus a full notification within 72 hours, and carries penalties of up to €10 million or 2% of turnover (in Poland, up to 100 million PLN in the aggravated cases described above). NIS2 imposes personal responsibility on the board, in practice requires 24/7 monitoring, and requires ICT supply chain verification. Organizations often must meet both sets of requirements simultaneously.
Self-identification is each company's obligation to independently determine whether it is subject to NIS2 regulation. The process includes: (1) checking membership of one of the sectors listed in the Act (18 categories), (2) verifying company size under the "size-cap rule" (at least 50 employees, or €10 million in turnover or balance sheet total), (3) checking the exceptions, since some entities are covered regardless of size (telecommunications, DNS, trust services), (4) considering the entire capital group, as a small subsidiary may be covered if it is part of a larger structure. After positive identification, the entity must apply for entry in the register of essential and important entities kept by the minister responsible for digital affairs, and establish which national CSIRT (CSIRT NASK, CSIRT GOV or CSIRT MON) it will report incidents to. Errors in self-identification may result in penalties for operating as an unregistered entity.
Essential entities are, as a rule, large enterprises in the sectors of high criticality listed in Annex I of the directive: energy, transport, banking, healthcare, drinking water, digital infrastructure and others. Important entities are the remaining medium-sized enterprises in those sectors and entities in the Annex II sectors: manufacturing, food, chemicals, postal services, waste management, and others. Basic obligations regarding technical measures (Article 8 of the Act) are identical for both categories: risk management, incident handling, business continuity, supply chain security. The difference lies in the supervision regime: essential entities are subject to ex-ante supervision (inspections at any time), important entities to ex-post supervision (inspections after incidents or other evidence of non-compliance). Penalties: essential up to €10 million or 2% of turnover, important up to €7 million or 1.4% of turnover.
The reporting procedure is a three-step process: (1) early warning to the appropriate CSIRT (NASK/GOV/MON) within 24 hours of becoming aware of the incident, stating whether it is suspected to have been caused by unlawful or malicious action and whether it could have cross-border impact, (2) incident notification within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise (IoC), (3) final report no later than one month after the incident notification, containing a detailed description of the incident, the type of threat or root cause, the mitigation measures applied, and any cross-border impact (if the incident is still ongoing at that point, a progress report is submitted and the final report follows within a month of the incident being handled). The 24/72h requirement practically forces 24/7 monitoring: without a round-the-clock SOC, the deadline cannot be met reliably if an incident occurs on a weekend.
NIS2 does not explicitly require having a SOC, but de facto forces it. The Act imposes obligations to: (1) continuously monitor infrastructure to detect incidents, (2) report serious incidents within 24 hours (early warning) and 72 hours (full notification), (3) quickly respond to and contain attacks. In practice, to meet the 24-hour notification requirement when an incident occurs on a Friday evening, at the weekend or on a holiday, 24/7/365 monitoring is necessary. This can be an own SOC (in-house), an outsourced SOC (Managed SOC/SOCaaS), or a hybrid model. Without round-the-clock analyst coverage, the organization cannot count on meeting the deadlines.
NIS2 introduces responsibility for ICT supplier security. Organizations must: (1) Inventory all IT system suppliers, software, cloud services, (2) Categorize suppliers according to risk level for business continuity, (3) Audit supplier security and their processes, (4) Introduce security clauses into contracts and SLAs (technical requirements, incident reporting, audits), (5) Implement policies for accepting new suppliers. Additionally, the Minister of Digital Affairs may designate a supplier as a "High-Risk Vendor" (HRV) - this means a ban on purchasing new products and obligation to replace existing infrastructure within 4-7 years without compensation ("rip and replace" operation).
NIS2 introduces personal, non-transferable board responsibility. The supervisory authority may impose on a board member: (1) Financial penalty up to 600% of remuneration in case of serious negligence, (2) Temporary suspension from management functions, (3) Ban on holding management functions in NIS2-covered entities. Responsibility concerns: approval and supervision of risk management measures, ensuring cybersecurity training for the board, proper incident reporting. It cannot be delegated to a CISO or other employee. This is a fundamental change - cybersecurity becomes the board's fiduciary duty, on par with financial oversight.
Generally no, if the company stays below both thresholds (fewer than 50 employees, and annual turnover and balance sheet total of €10 million or less). However, there are critical exceptions: small companies are subject to NIS2 regardless of size if they are (1) providers of public electronic communications networks or services (telecommunications), (2) trust service providers (electronic signatures, certificates), (3) TLD name registries and DNS service providers, or (4) part of a capital group, since a small subsidiary may be covered if it belongs to a larger structure exceeding the thresholds. Additionally, if a small company is a key ICT supplier for a NIS2-covered entity, it may be subject to verification under that entity's supply chain management. Self-identification is mandatory for all.
Article 8 of the KSC Act requires implementation of risk analysis-based measures in areas: (1) Risk management - continuous assessment and update of risks, (2) System security - vulnerability management, patching, secure configuration, (3) Access control - multi-factor authentication (MFA), privilege management, (4) Cryptography - encryption of data at rest and in transit, key management, (5) Business continuity - Disaster Recovery plans, offline backups, recovery tests, (6) Supply chain security - ICT supplier verification, (7) Incident handling - detection, response, reporting procedures, (8) Monitoring - log collection, anomaly analysis, threat detection, (9) Training - regular awareness raising for employees and management. Documentation of all implemented measures is required.
Incident reports in Poland go to one of three national CSIRTs, depending on the sector of the entity: (1) CSIRT NASK (run by NASK, the Research and Academic Computer Network) for most civilian entities, including energy, transport, health, water, ICT and industry, (2) CSIRT GOV (run by the Internal Security Agency) for public administration and government entities, (3) CSIRT MON (Ministry of National Defence) for defence-related entities. Supervision itself (compliance inspections, ex-ante for essential and ex-post for important entities, verification of incident notifications, and imposition of administrative penalties) rests with the sectoral competent authorities, in most cases the minister responsible for the given sector. After conducting self-identification, entities register in the register of essential and important entities and must know which CSIRT they will report to.
Recommended implementation plan: PHASE 1 - Assessment (2-4 weeks): Conduct self-identification, identify the appropriate supervisory authority (NASK/GOV/MON), perform gap analysis - comparison of current state with Article 8 requirements, conduct risk analysis according to methodology (e.g., ISO 27005). PHASE 2 - Planning (1-2 months): Develop security measures implementation plan, define budget and resources, select technology vendors (SIEM/XDR/SOC) or MSSP, design incident response and reporting procedures. PHASE 3 - Implementation (3-6 months): Implement 24/7 monitoring systems (own SOC or outsourcing), implement MFA, encryption, vulnerability management, develop and test response procedures (tabletop exercises), audit ICT suppliers, implement supply chain management. PHASE 4 - Continuous compliance: Conduct regular board training, update documentation, test procedures, monitor regulatory changes.
"Gold-plating" means implementing EU regulations in a way stricter than the minimum required by the directive. Poland, as a frontline state treating cybersecurity as a matter of national security, introduced significantly harsher regulations: (1) penalties of up to 100 million PLN (approx. €23 million) in case of incidents threatening state security, while the directive only obliges Member States to provide for a maximum of at least €10 million or 2% of turnover, (2) periodic penalties of 100,000 PLN for each day of delay in executing administrative decisions, a chilling effect forcing immediate action, (3) a stricter interpretation of supply chain requirements and the High-Risk Vendor procedure. This stems from Poland's geopolitical situation and from treating cybersecurity as a matter of national security, not just consumer protection.
The new Act on the National Cybersecurity System is much more than just a set of duties to check off a list. It is a new business reality that forces a fundamental change in organizational culture, corporate governance, and partner relationships. The personal liability of the board, the obligation to verify suppliers, and draconian financial penalties create a system where cybersecurity becomes a condition for market survival. The key question remains, which every manager must ask themselves: will you treat the new regulations as an investment in business stability, or just a costly bureaucratic burden?
Sources: Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS2); Act on the National Cybersecurity System (KSC), information at Gov.pl.

Aleksander, Chief Technology Officer at SecurHub.pl. PhD candidate in neuroscience; psychologist and IT expert specializing in cybersecurity.