NIS2
NIS2 (Network and Information Security Directive 2) is an EU directive that requires companies to implement specific measures to manage cybersecurity risks and report major incidents. In practice, this means that an organization must have documented security policies, incident response plans, IT supply chain management procedures and business continuity mechanisms – and be able to prove it.
The directive came into force on January 16, 2023 at the EU level. Member states had until October 17, 2024 to transpose it into national law. In Poland, work on the Law on the National Cyber Security System (implementing NIS2) was delayed, but it came into force on April 3, 2026 – companies must already comply with NIS2 requirements.
NIS2 covers key and important entities in sectors such as energy, transportation, banking, financial markets infrastructure, health care, water supply, digital infrastructure, ICT service management (B2B), public administration, space, postal and courier services, waste management, chemical manufacturing, food manufacturing, medical device manufacturing, computer and electronics manufacturing, as well as digital service providers (search engines, social platforms, data centers, cloud services). In Poland, NIS2 is estimated to cover more than 96,000 companies – including many medium-sized enterprises that have not been subject to cybersecurity regulations to date.
Fines for key entities are up to €10 million or 2% of total annual worldwide turnover (whichever is higher). For important entities, they are up to €7 million or 1.4% of annual turnover. In addition, the directive provides for personal liability of managers for negligence in the area of cybersecurity.
Our Regulatory Compliance Report will indicate exactly which articles of the directive apply to your organization, which requirements you already meet, and where there are gaps – with a citation of the specific regulation and estimated financial risk. It’s a ready starting point for a conversation with your board, insurer or law firm. The entire process takes a maximum of 48 hours, and the price starts at $499 net per regulation.