1. What is NIS2?
NIS2 is EU Directive 2022/2555 on measures for a high common level of cybersecurity across the Union. It replaces the original NIS Directive (2016/1148) and entered into force on 16 January 2023. Member states had until 17 October 2024 to transpose it into national law — though several, including Poland, implemented with some delay.
The directive represents a fundamental shift in EU cybersecurity policy: instead of individual member states deciding which companies are covered (as in NIS1), NIS2 sets sector and size thresholds directly in the directive text. This means organisations must self-identify whether they are in scope — they cannot wait for a government authority to designate them.
Two categories of entities
NIS2 distinguishes two tiers, with different supervisory regimes and penalty levels. Art. 3 assigns the tier by sector and size together, not by annex alone:
- Essential entities: large enterprises (above the medium-sized ceiling) in the high-criticality sectors of Annex I, plus a few types that are essential regardless of size, such as qualified trust service providers, TLD name registries, DNS service providers and central government bodies. Subject to proactive ex-ante supervision and higher fines.
- Important entities: every other entity in scope, i.e. medium-sized enterprises in Annex I sectors and medium or large enterprises in the Annex II sectors. Subject to reactive ex-post supervision and lower fines.
Minimum threshold: the entity must at least be a medium-sized enterprise in the sense of Commission Recommendation 2003/361/EC, commonly summarised as ≥ 50 employees or more than €10 million annual turnover or balance sheet total. Read strictly, a firm with fewer than 50 employees stays small (and out of scope) as long as either its turnover or its balance sheet total does not exceed €10 million, so check both figures.
Small companies are generally excluded, with exceptions that apply regardless of size: DNS service providers, TLD name registries, trust service providers, providers of public electronic communications networks or services, central government bodies, and entities a member state designates because, for example, they are the sole provider of a service essential to critical societal or economic activities.
2. Essential vs Important Entities
Annex I: Sectors of High Criticality (essential if large, important if medium-sized)
| Sector | Examples |
|---|---|
| Energy | Electricity grid operators, gas suppliers, oil pipelines, district heating, hydrogen, EV charging networks |
| Transport | Airlines, airports, rail operators, maritime ports, inland waterways, road infrastructure managers |
| Banking & financial markets | Credit institutions, financial market infrastructure operators (stock exchanges, CCPs) |
| Health | Hospitals, diagnostic laboratories, pharmaceutical manufacturers, medical device manufacturers |
| Drinking water & wastewater | Water utilities supplying ≥50,000 persons; wastewater treatment operators |
| Digital infrastructure | IXPs, DNS resolvers, TLD registries, cloud providers, CDN operators, data centres, electronic communications networks |
| ICT service management (B2B) | Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs) |
| Public administration | Central government bodies; regional/local authorities (member state discretion) |
| Space | Ground-based space infrastructure operators |
Annex II: Other Critical Sectors (important entities)
| Sector | Examples |
|---|---|
| Postal & courier services | National postal operators, DHL, DPD, FedEx |
| Waste management | Companies collecting, processing and disposing of waste at scale |
| Chemicals | Manufacturers and distributors of hazardous chemical substances |
| Food | Large-scale food manufacturers and distributors |
| Manufacturing | Manufacturers of: medical devices, electronics, motor vehicles, machinery, computers |
| Digital providers | Online marketplaces, search engines, social networking platforms |
| Research | Research organisations (subject to national transposition) |
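The scope rules above (sector from Annex I or II, size under Recommendation 2003/361/EC, a handful of types caught regardless of size) are easy to get wrong with the "50 staff or €10M" shorthand. As an added example, not the page's or nis2.saaslab.pl's code, the following Python encodes the Art. 2 and Art. 3 logic over a condensed sector list. The sector keys, entity-type strings and the sample entities are this example's own simplification, not the legal text; it goes beyond the shorthand by checking turnover and balance sheet separately and by handling public electronic communications providers, which are in scope at any size and become essential once medium-sized.

```python
"""NIS2 scope classifier (Directive (EU) 2022/2555, Art. 2 and Art. 3).
Added example; a condensed reading of the annexes, not the legal text."""
from dataclasses import dataclass
from enum import Enum

# Condensed Annex I / Annex II sector keys (this example's own naming).
ANNEX_I = {
    "energy", "transport", "banking", "financial_market_infrastructure", "health",
    "drinking_water", "waste_water", "digital_infrastructure",
    "ict_service_management", "public_administration", "space",
}
ANNEX_II = {
    "postal_courier", "waste_management", "chemicals", "food", "manufacturing",
    "digital_providers", "research",
}

# Entity types caught regardless of size (Art. 2(2)(a), Art. 3(1)(b) and (d)).
ESSENTIAL_ANY_SIZE = {
    "qualified_trust_service_provider", "tld_registry", "dns_service_provider",
    "central_government",
}
IMPORTANT_ANY_SIZE = {"trust_service_provider"}   # non-qualified TSPs


class Category(str, Enum):
    ESSENTIAL = "essential"
    IMPORTANT = "important"
    OUT_OF_SCOPE = "out of scope"


@dataclass(frozen=True)
class Entity:
    sector: str
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    entity_type: str = ""   # e.g. "dns_service_provider", "public_ecn_provider"


def size_class(e: Entity) -> str:
    """Small / medium / large per Recommendation 2003/361/EC (Annex, Art. 2).

    'Small' needs < 50 staff AND (turnover <= 10M OR balance sheet <= 10M);
    'medium' needs < 250 staff AND (turnover <= 50M OR balance sheet <= 43M).
    The popular '50 staff or 10M' shorthand over-counts a firm whose turnover
    passes 10M while its balance sheet total does not.
    """
    m = 1_000_000
    if e.employees < 50 and (e.turnover_eur <= 10 * m or e.balance_sheet_eur <= 10 * m):
        return "small"
    if e.employees < 250 and (e.turnover_eur <= 50 * m or e.balance_sheet_eur <= 43 * m):
        return "medium"
    return "large"


def classify(e: Entity) -> Category:
    """Apply Art. 3: size-independent types first, then sector plus size."""
    if e.entity_type in ESSENTIAL_ANY_SIZE:
        return Category.ESSENTIAL
    if e.entity_type in IMPORTANT_ANY_SIZE:
        return Category.IMPORTANT
    if e.sector not in ANNEX_I | ANNEX_II:
        return Category.OUT_OF_SCOPE
    size = size_class(e)
    if e.entity_type == "public_ecn_provider":
        # Public electronic communications providers: in scope at any size
        # (Art. 2(2)(a)(iii)); essential once medium-sized (Art. 3(1)(c)).
        return Category.IMPORTANT if size == "small" else Category.ESSENTIAL
    if size == "small":
        # Member-state designations (Art. 2(2)(b)-(e)) are not modelled here.
        return Category.OUT_OF_SCOPE
    if e.sector in ANNEX_I and size == "large":
        return Category.ESSENTIAL
    # Medium-sized Annex I, or medium/large Annex II (Art. 3(2)).
    return Category.IMPORTANT


if __name__ == "__main__":
    # Constructed sample entities for a quick run; not real organisations.
    samples = [
        Entity("energy", 300, 80e6, 60e6),     # large Annex I -> essential
        Entity("energy", 120, 20e6, 15e6),     # medium Annex I -> important
        Entity("food", 40, 20e6, 8e6),         # still 'small' -> out of scope
        Entity("digital_infrastructure", 5, 1e6, 1e6, "dns_service_provider"),
        Entity("retail", 1000, 1e9, 1e9),      # sector not listed
    ]
    for s in samples:
        print(f"{s.sector:<22} {size_class(s):<6} -> {classify(s).value}")
```

Note the third sample: 40 staff with €20M turnover but an €8M balance sheet is still a small enterprise and falls out of scope, which the shorthand would wrongly pull in. Member-state designations and the public-administration carve-outs are left out, so treat the result as a first screen, not a legal opinion.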
3. 10 Security Obligations (Art. 21)
Article 21 of NIS2 requires all in-scope entities to implement appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks. These are not optional guidelines — they are legal requirements. The ten obligation groups are:
- Policies on risk analysis and information system security: documented policies covering risk assessment, objectives and governance, approved by management
- Incident handling: procedures for detecting, classifying, responding to and reporting security incidents; tested incident response plans
- Business continuity: backup management, disaster recovery and crisis management; in practice a tested backup scheme (3-2-1 is the usual baseline) and DR plans with defined RTO/RPO
- Supply chain security: risk assessment of ICT suppliers and sub-processors, including the vulnerabilities specific to each supplier; security requirements and incident notification duties in contracts; right-to-audit clauses
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure: patch management, secure development and configuration, network segmentation, access controls, encryption of data in transit and at rest
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures: regular audits, penetration testing, policy reviews; a documented verification cycle with evidence of active management
- Basic cyber hygiene practices and cybersecurity training: software updates, password management, secure configuration; recurring employee training (the directive sets no interval; annual is common practice)
- Policies and procedures on the use of cryptography and, where appropriate, encryption: including key management procedures
- Human resources security, access control policies and asset management: least-privilege principle, identity and access management (IAM), privileged access controls, joiners/movers/leavers processes
- Multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems: MFA on all critical systems and administrative access
Management accountability
NIS2 introduces personal accountability for governing bodies. Management must approve cybersecurity policies, undergo cybersecurity training, and actively oversee implementation. This is not delegable to IT alone. Management bodies can be held personally liable — including temporary prohibition from management functions — in cases of repeated serious breaches.
4. Incident Reporting Timeline
NIS2 introduces one of the most demanding incident reporting regimes in EU law. The timelines are tight — organisations that lack a pre-built incident response procedure will struggle to comply.
| Stage | Deadline | Content required |
|---|---|---|
| Early warning | 24 hours after becoming aware of the significant incident | Notification that a significant incident has occurred; whether it is suspected to be caused by unlawful or malicious acts; whether it could have a cross-border impact |
| Incident notification | 72 hours after becoming aware | Update of the early warning; initial assessment of severity and impact; indicators of compromise (IoCs) where available; affected services and systems; actions taken so far |
| Intermediate report | On request from the CSIRT or competent authority | Relevant status updates on incident handling and containment progress |
| Final report | 1 month after the incident notification | Detailed description of the incident including severity and impact; type of threat or root cause; applied and ongoing mitigation measures; cross-border impact; in practice also lessons learned |
The clock starts when the entity becomes aware of the incident, so detection and triage time counts against the 24 hours. If the incident is still ongoing when the final report falls due, a progress report is submitted instead and the final report follows within one month of the incident being handled.
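Tracking these deadlines by hand during an incident is error-prone, particularly the final report, whose date only exists once the 72-hour notification has actually been sent. As an added example, not the page's or nis2.saaslab.pl's code, the Python below computes the Art. 23(4) deadlines from the moment of awareness and reports per stage whether a submission was on time, late, overdue or still open. The "one month" arithmetic clamps to month end (31 January becomes 28 or 29 February), which is this example's reading of the text, and the incident timeline is constructed, not real.

```python
"""Deadline tracker for NIS2 significant-incident reporting (Art. 23(4)).
Added example; the clock is taken to start when the entity becomes aware."""
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

STAGES = ("early_warning", "incident_notification", "final_report")


def plus_one_month(t: datetime) -> datetime:
    """Same day one calendar month later, clamped to month end (31 Jan -> 28/29 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass
class Incident:
    aware_at: datetime                               # Art. 23(4) clock start
    submitted: dict = field(default_factory=dict)    # stage -> submission time

    def deadlines(self) -> dict:
        due = {
            "early_warning": self.aware_at + timedelta(hours=24),
            "incident_notification": self.aware_at + timedelta(hours=72),
        }
        # The final report is due one month after the incident notification was
        # actually submitted, so it has no date until that report goes out.
        # Intermediate reports are only on request and are not scheduled.
        notified = self.submitted.get("incident_notification")
        if notified is not None:
            due["final_report"] = plus_one_month(notified)
        return due

    def status(self, now: datetime) -> dict:
        """Per stage: on time / late by X / OVERDUE by X / due in X / not scheduled."""
        due, out = self.deadlines(), {}
        for stage in STAGES:
            deadline = due.get(stage)
            sent = self.submitted.get(stage)
            if deadline is None:
                out[stage] = "not scheduled (awaits incident notification)"
            elif sent is not None:
                delay = sent - deadline
                out[stage] = "on time" if delay <= timedelta(0) else f"late by {delay}"
            elif now > deadline:
                out[stage] = f"OVERDUE by {now - deadline}"
            else:
                out[stage] = f"due in {deadline - now}"
        return out


def sample_incident() -> Incident:
    """Constructed timeline (UTC), not a real incident: early warning sent the same
    evening, incident notification 45 minutes past the 72-hour mark."""
    utc = timezone.utc
    return Incident(
        aware_at=datetime(2026, 3, 10, 9, 15, tzinfo=utc),
        submitted={
            "early_warning": datetime(2026, 3, 10, 22, 0, tzinfo=utc),
            "incident_notification": datetime(2026, 3, 13, 10, 0, tzinfo=utc),
        },
    )


if __name__ == "__main__":
    inc = sample_incident()
    for stage, verdict in inc.status(datetime(2026, 3, 20, tzinfo=timezone.utc)).items():
        print(f"{stage:<22} {verdict}")
```

Run it and the sample shows the early warning on time, the incident notification late by 45 minutes, and the final report due on 13 April. Wire `status()` into the incident channel or ticketing system so the on-call lead sees the countdown rather than computing it under pressure.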
Where to report — Poland (KSC)
In Poland, reports go to the competent CSIRT based on the entity's sector:
- CSIRT NASK (cert.pl) — private sector entities not assigned to the government or defence sectors; reporting via incydent.cert.pl
- CSIRT GOV — government administration and critical infrastructure under government supervision
- CSIRT MON — defence sector entities
5. Fines and Sanctions
NIS2 sets EU-wide floors for the maximum administrative fines that member states must provide for; national law may set the ceilings higher. These ceilings are comparable to GDPR and represent a significant increase over NIS1 penalties.
| Entity category | Maximum administrative fine |
|---|---|
| Essential entities | €10,000,000 or 2% of total worldwide annual turnover — whichever is higher |
| Important entities | €7,000,000 or 1.4% of total worldwide annual turnover — whichever is higher |
Beyond financial penalties, supervisory authorities can impose:
- Binding instructions requiring specific security measures to be implemented
- Suspension of activities or temporary withdrawal of certifications and authorisations
- Public disclosure of the breach (naming and shaming)
- Temporary prohibition on individuals from holding management positions
- Mandatory security audit at the entity's own cost
6. Deadline: 3 October 2026
The 3 October 2026 deadline is not the deadline to have everything implemented — it is the deadline to have identified yourself as in-scope and registered. Implementing all 10 security obligations, training management, auditing suppliers and producing required documentation typically takes 3 to 6 months for a medium-sized organisation. That window is closing fast.
Why "not knowing" is not an exemption
Unlike NIS1, where companies waited to be designated as operators of essential services, NIS2 places the burden of self-identification on the organisation itself: Art. 3(4) requires in-scope entities to submit their own details (name, address, contact data, sector) to the competent authority. Ignorance of the obligation is therefore no defence. If you operate in a listed sector and meet the size threshold, you are in scope from the date of national transposition, regardless of any government notification.
| Date | Milestone |
|---|---|
| 16 Jan 2023 | NIS2 Directive (2022/2555) entered into force across the EU |
| 17 Oct 2024 | Member state transposition deadline (Poland implementing via KSC amendment, with delay) |
| 2025–2026 | KSC amendment enacted and entered into force in Poland |
| 3 Oct 2026 | Self-identification & registration deadline — in-scope entities must register with the competent authority |
| Q4 2026 onwards | Active supervisory enforcement; administrative fines for non-compliance |
7. How to Get Started — 6-Step Action Plan
The following six steps represent the minimum viable path from "we haven't started" to "we are registered and have a defensible compliance posture" before the October 2026 deadline.
Self-identify: are you in scope?
Check your sector against Annex I and Annex II, then verify your headcount, annual turnover and balance sheet total against the size rule (medium-sized enterprise or larger; in short ≥50 employees or more than €10M, checking both financial figures). Use the free questionnaire at nis2.saaslab.pl; it walks you through the classification in under 10 minutes and outputs your entity category.
Register with the competent authority — by 3 Oct 2026
Identify your sectoral authority under the KSC Act (for example KNF for banking and financial market infrastructure, UKE for telecoms, the minister responsible for digitalisation for digital infrastructure and digital services, and the relevant minister for most other sectors; confirm the mapping against the enacted KSC amendment, as it changed during transposition). Submit the registration form. This step is mandatory regardless of how far along you are with technical implementation.
Conduct an ICT asset inventory and risk assessment
Produce a complete register of systems, networks, software and data assets. Against each asset, identify threats, vulnerabilities, likelihood and potential business impact. The risk register is the foundation of your information security policy and the evidence base for all subsequent decisions.
Approve an information security policy
Draft and have management formally approve an information security policy covering: scope, risk approach, roles and responsibilities, review cycle. Management approval is not optional — Art. 20 NIS2 explicitly requires governing bodies to approve and oversee cybersecurity risk management measures.
Implement priority technical measures
Based on your risk assessment, prioritise: MFA on all critical systems, network segmentation, patch management process, tested backups (3-2-1), and an incident response playbook with defined 24h/72h reporting roles. Document every measure — undocumented controls do not exist for auditors.
Train management and audit suppliers
Schedule mandatory cybersecurity training for all governing body members and record attendance. Send security questionnaires to your top 10 ICT suppliers and update contracts to include incident notification obligations and right-to-audit clauses. Both are explicitly required under Art. 20 and Art. 21(2)(d) NIS2.
8. Tools: nis2.saaslab.pl
nis2.saaslab.pl is a web-based NIS2 compliance tool designed for in-scope businesses that need to move quickly and efficiently without hiring a dedicated compliance team.
- Self-identification questionnaire — 10-minute sector and size classification; outputs entity category (essential / important / out of scope) with legal references
- Compliance checklist — the 10 Art. 21 obligation groups broken into actionable sub-tasks; track progress, assign owners, set deadlines
- Document templates — information security policy, risk register, incident response playbook, supplier assessment questionnaire — ready to customise
- Registration reminder — automatic alert before the 3 October 2026 deadline
Check your NIS2 status — free
Self-identification questionnaire, compliance checklist and document templates. Find out in 10 minutes whether NIS2 applies to your organisation and what you need to do. No credit card required; basic access is free.