NIS2 Compliancy with the help of Kappa Data

Kappa Data assists and advises our partner network on the NIS2 EU directive. Poland is currently transposing the directive into supplements to an act that will soon be published.

NIS2 Compliance
On this page Kappa Data explains what the NIS2 directive looks like, with links to other sources from the Cybersecurity Center Belgium (CCB), so that you can prepare your organization for these requirements.

What is NIS2?

NIS2 is a set of minimum measures to protect essential services against significant disruptions. NIS2 is the successor of the NIS1 directive, set up in 2016 for essential sectors such as energy, banking, transport, healthcare and drinking water. Given the current threats in cyberspace, the EU decided to expand these measures as well as the number of sectors covered.

The EU (re-)used the NIST framework and launched the Cyberfundamentals Framework, as shown below.
Cyberfundamentals Framework NIS2
  • Identify: identify your assets and do risk assessments
  • Protect: protect assets against cyber risks
  • Detect: detect cyber breaches and incidents
  • Respond: respond to cyber incidents with an incident response team
  • Recover: ensure your business continuity with disaster recovery

Who is NIS2 for?

Scope of sectors

Below you can find an overview of the essential sectors that were already covered by NIS1, shown in black, and the newly added sectors, shown in green. Both colours together cover the sectors that the EU has defined for NIS2.
Sectors NIS2 Belgium

What is Essential Business?

A business is considered essential when the organization offers vital services to the economy or our community and is regarded as highly critical. Take the energy sector as an example: imagine we had no energy, no power for light, hot water or electricity. We could no longer work and our way of living would be critically affected. That impact is what makes a service essential.

What is important business?

Important businesses offer critical services to our economy or society, but are less critical than essential services. For example social media: when we don't have access to Instagram or other social media it is unpleasant, but we will survive the outage.

The EU has added an extra classification based on the size of the entities, as shown below.

Sizing entities for NIS2 (size tables for important entities and essential entities)

When determining whether you must comply with the NIS2 law, the size of the entity is one criterion to consider. Only medium-sized entities and larger, according to the size figures shown above, are required to comply with NIS2. BUT, there are some exceptions:

  • Difference between turnover and balance sheet total: when an organization of 35 employees has 1 million euros (small) turnover but a balance sheet total of 50 million euros (large), the lower of the two amounts is the one that counts, in this case the turnover.
  • An enterprise with 80 employees (medium) has an annual turnover of 1 million euros (small) and an annual balance sheet total of 70 million euros (large). For the financial amounts, it chooses to look only at the lowest: its turnover. Because the turnover is small but the staff headcount is medium, it is a medium-sized enterprise.
  • Entities that are part of a group: the calculation of the size of an organisation that is part of a group (so-called "partner enterprises" or "linked enterprises") implies a consolidation of the data of the different components of that group.
  • Supplier in the supply chain: an entity that delivers services to an essential or important business can itself be designated as important or essential when its service is considered critical for the services of the essential and important entities. The government can decide that this entity is essential or important.
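The size rule above can be turned into a scoping check. This is an added example, not a tool from Kappa Data or the CCB; the ceilings are assumed from the EU SME definition (Recommendation 2003/361/EC) that the size tables above are based on, and the two cases in the test are the page's own worked examples re-entered as constructed input.

```python
from dataclasses import dataclass

# Size bands assumed from Recommendation 2003/361/EC (not shown on this page).
# Staff ceiling is exclusive ("fewer than"); financial ceilings are inclusive
# ("not exceeding") and expressed in euros.
BANDS = (
    # name,    max_staff, turnover_cap, balance_sheet_cap
    ("micro",   10,  2_000_000,  2_000_000),
    ("small",   50, 10_000_000, 10_000_000),
    ("medium", 250, 50_000_000, 43_000_000),
)


@dataclass
class Entity:
    staff: int
    turnover_eur: float
    balance_sheet_eur: float


def size_class(e: Entity) -> str:
    """Return "micro", "small", "medium" or "large".

    The headcount ceiling must be met. For the financial ceiling an entity
    only has to satisfy one of turnover OR balance sheet total, so the lower
    of the two figures is the one that keeps it in a band; this is the
    "lowest amount counts" rule from the examples above. The first band an
    entity fits in is its size; if it fits none, it is large.
    """
    for name, max_staff, turnover_cap, balance_cap in BANDS:
        if e.staff < max_staff and (
            e.turnover_eur <= turnover_cap or e.balance_sheet_eur <= balance_cap
        ):
            return name
    return "large"


def in_nis2_size_scope(e: Entity) -> bool:
    """Size criterion only: medium-sized entities and larger are in scope.

    Sector membership, group consolidation and the size-independent
    exceptions (DNS providers, trust service providers, ...) are separate
    checks and are not modelled here.
    """
    return size_class(e) in ("medium", "large")
```

Group consolidation is deliberately left out: for partner or linked enterprises the headcount and financial figures must first be consolidated across the group before being passed to `size_class`.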

Exceptions to NIS2 regardless of size

There is a list of exceptions to the size cap. Certain types of entities fall within the scope of the NIS2 law regardless of their size:

  • Qualified trust service providers (essential)
  • Non-qualified trust service providers (important if micro, small or medium enterprise and essential if large enterprise)
  • DNS Service providers (essential)
  • TLD name registries (essential)
  • Domain name registration services (only for the registration obligation)
  • Providers of publicly available electronic communications networks (essential)
  • Public administration entities depending on the federal State (essential)
Source: CCB Belgium

Critical and highly critical sectors and sub-sectors

Services are grouped together by sector. Here is the list of the different sectors and sub-sectors:

Highly critical sectors (Annex I)

  1. Energy
    1. Electricity
    2. District heating and cooling
    3. Oil
    4. Gas
    5. Hydrogen
  2. Transport
    1. Air
    2. Rail
    3. Water
    4. Road
  3. Banking
  4. Financial market infrastructure
  5. Health
  6. Manufacturing
    1. Manufacture of medical devices and in vitro diagnostic medical devices
    2. Manufacture of computer, electronic and optical products
    3. Manufacture of electrical equipment
    4. Manufacture of machinery and equipment n.e.c.
    5. Manufacture of motor vehicles, trailers and semi-trailers
    6. Manufacture of other transport equipment
  7. Drinking water
  8. Waste water
  9. Digital ICT infrastructure
  10. ICT service management (B2B)
  11. Public administration
  12. Space

Critical sectors (Annex II)

  1. Postal and courier services
  2. Waste management
  3. Production, processing and distribution of food
  4. Digital providers
  5. Research
Most services are defined by reference to definitions found in EU legislative instruments. It is very important to consult these definitions to verify whether they correspond to the service actually provided by an organisation.

An organisation analysing whether it falls into the scope of the NIS2 law thus has to make the link between a service it provides and a service mentioned in the annexes of the law. It should be noted that it is possible that an organisation covers multiple services and falls into multiple sectors.

For a better overview of the scope of the law, we invite you to consult our visual summary of the scope:
Source: CCB Belgium

NIS2 Act in Poland

The NIS2 Directive, aimed at enhancing cybersecurity across the EU, is being transposed into Polish law by amending the existing National Cybersecurity System Act (NCSSA). This involves updating the existing law to align with the new directive's requirements and expanding the scope of entities covered. Poland's approach includes building upon its 2018 law, creating a new chapter (KSC-2) within the existing framework.

Implementation Timeline and Process

  • Member States were required to transpose NIS2 into national law by October 17, 2024, with the measures taking effect from October 18, 2024. 
  • Poland’s draft implementing act is an amendment to the 2018 Act on the National Cybersecurity System. 
  • The Ministry of Digital Affairs is responsible for implementing NIS2, including entity registration. 

Scope and Affected Entities

  • NIS2 significantly expands the range of sectors and entities covered compared to the original NIS directive. 
  • Sectors considered “essential” or “important” include energy, transport, banking, healthcare, digital infrastructure, public administration, and more. 
  • The directive also includes entities in sectors like postal and courier services, waste management, and manufacturing. 
  • Poland’s approach reclassifies some sectors, like manufacturing, from “important” to “essential”. 
  • The legislation will apply to medium-sized and large organizations within these critical sectors. 

Key Requirements and Obligations

  • Entities are required to implement appropriate cybersecurity risk-management measures. 
  • They must notify relevant authorities of significant incidents that could cause significant disruption or damage. 
  • Poland’s law includes specific deadlines for entities to apply for registration and implement required measures. 
  • Entities will have 3 months to apply for registration and 6 months to implement an information security management system. 
  • There are also requirements for reporting incidents, including early warnings and updates. 

Penalties for Non-Compliance

  • NIS2 includes harmonized penalties for non-compliance, with potential fines reaching millions of euros. 
  • Poland’s law features high sanctions, including a cap of PLN 100 million (~€23 million) for incidents affecting national security. 
  • Individuals with cybersecurity or management roles could also face personal responsibility for non-compliance. 

Polish-Specific Aspects

  • Poland’s approach is unique in building upon the existing 2018 law, rather than creating a completely new one. 
  • The draft law includes provisions for excluding “High Risk Vendors” in certain situations. 
  • Poland has established specific CSIRT teams (CSIRT MON, CSIRT NASK, CSIRT GOV) for incident management and coordination. 
  • A register of essential and important entities will be maintained by the Ministry of Digital Affairs. 

Importance of Compliance

  • Full implementation of NIS2 is crucial for improving cybersecurity resilience and incident response capabilities. 
  • Organizations need to understand their obligations under NIS2 and take necessary steps to comply. 
  • Failure to comply can lead to significant financial penalties and reputational damage. 

Frequently asked questions

Check our FAQ section, where you can find the first questions that have been put to us during the last months.

  • What are the NIS2 directives?

    The NIS2 (Network and Information Security) directives are a set of regulations introduced by the European Union to enhance the cybersecurity of critical infrastructure and essential services across member states. The directives aim to ensure a high common level of cybersecurity across the EU by requiring organizations to implement robust security measures and report significant incidents.

  • What future developments can be expected in relation to the NIS2 Directive?

    Future developments include the refinement of national laws to fully comply with the directive, the establishment of more robust cybersecurity frameworks, continuous updates to address emerging threats, and enhanced collaboration at the EU level to ensure a unified and effective cybersecurity posture.

  • How does the NIS2 Directive impact Small and Medium-sized Enterprises (SMEs)?

    While the NIS2 Directive focuses on operators of essential services and digital service providers, SMEs in critical sectors must also comply with the directive’s requirements. However, the directive includes proportionality measures to ensure that obligations are appropriate to the size and resources of the entities.

  • What cooperation mechanisms does the NIS2 Directive establish?

    The NIS2 Directive establishes cooperation groups to facilitate strategic cooperation and exchange of information among member states. It also creates a network of national CSIRTs to ensure effective operational cooperation.

  • How is Poland implementing the NIS2 Directive within its national legal framework?

    As of mid-2025, Poland is in the process of implementing the NIS2 Directive into its national legal framework through a new cybersecurity act, which is expected to replace the current Act on the National Cybersecurity System (KSC Act). This updated legislation will align Poland’s national law with the requirements of the EU’s NIS2 Directive, which mandates enhanced cybersecurity measures for essential and important entities across the EU.

  • What role do Computer Security Incident Response Teams (CSIRTs) play under the NIS2 Directive?

    CSIRTs are responsible for monitoring, detecting, and responding to incidents. They provide early warning, risk assessment, and incident response capabilities to assist operators of essential services and digital service providers.

  • How does the NIS2 Directive enforce compliance, and what penalties can be imposed?

    National authorities are empowered to conduct audits and inspections. Penalties for non-compliance can include fines, administrative sanctions, and reputational damage. The exact penalties are determined by each member state.

  • What are the incident reporting requirements under the NIS2 Directive?

    Entities must report incidents having a significant impact on the provision of their services without undue delay to the relevant national authority. The initial notification should be followed by a final report once the root cause and impact are fully understood.

  • Obligations for Operators

    The NIS2 Directive covers a broad range of sectors including energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure, public

  • NIS2 Scope and coverage

    Operators of essential services are required to adopt appropriate and proportionate technical and organizational measures to manage risks posed to the security of network and information systems. This includes incident handling, business continuity, monitoring, auditing, and control.