NIS2 Compliance with the help of Kappa Data

Kappa Data assists and advises its partner network on the EU NIS2 directive. Poland is currently transposing the directive into supplements to an act that will soon be published.

NIS2 Compliance
On this page Kappa Data explains what the NIS2 requirements will look like, with links to other sources such as the Rządowe Centrum Bezpieczeństwa, so that you can prepare your organization for these requirements.

What is NIS2?

NIS2 is a set of cybersecurity measures designed to protect essential and important services from significant disruptions. It replaces the original NIS Directive from 2016, which covered essential sectors such as energy, banking, transport, healthcare and drinking water. Due to the growing threat landscape, the EU has expanded both the requirements and the number of sectors included in the scope.

To structure the security measures, the EU refers to the five core cybersecurity functions defined by the NIST framework: Identify, Protect, Detect, Respond and Recover.
Cyberfundamentals Framework NIS2

  • Identify: identify your assets and carry out risk assessments
  • Protect: protect your assets against cyber risks
  • Detect: detect cyber breaches and incidents
  • Respond: respond to cyber incidents with an incident response team
  • Recover: ensure business continuity through disaster recovery

Who is NIS2 for? 

Scope of sectors

Below you can find an overview of the essential sectors that were already covered by NIS1, shown in black, and the newly added sectors, shown in green. Together, both colours cover all sectors defined by the EU for NIS2.

What is Essential Business?

An entity is considered essential when it offers vital services to the economy or society and is classified as highly critical. Take the energy sector as an example: imagine we had no energy, no power for light, hot water or electricity. We could no longer work and our way of living would be in a critical state. An impact of this kind is what defines an essential service.

What is important business?

Important entities offer critical services to our economy or society, but are less critical than essential services. Social media is an example: when we don't have access to Instagram or other social media it is unpleasant, but we will survive the outage.

The EU has added an extra classification based on the size of the entities, as shown below.

Sizing entities for NIS2


When determining whether an organisation must comply with the NIS2 Directive, its size is an important criterion. In general, medium-sized and large entities operating within NIS2-covered sectors fall under the scope of the law. However, there are several exceptions to this rule:

Differences between turnover and balance sheet total

If an organisation has, for example, 35 employees, a turnover of EUR 1 million (small) and a balance sheet total of EUR 50 million (large), the lower of the two financial figures is used for classification: in this case, the turnover.

Another example: an organisation with 80 employees (medium), a turnover of EUR 1 million (small) and a balance sheet total of EUR 70 million (large) is classified using the lower financial figure, again the turnover. Since the turnover is small but the staff headcount is medium, it is considered a medium-sized enterprise.

Entities that are part of a group

For organisations belonging to a group (so-called partner enterprises or linked enterprises), the size classification is calculated based on consolidated data from all relevant entities within the group.

Suppliers in the supply chain

An organisation that provides services to an essential or important entity may itself be classified as essential or important if its services are considered critical to the functioning of that entity.
A competent authority may decide that such a supplier must be included in the scope of NIS2 regardless of its size.

Exceptions to the size criterion

There are several exceptions to the size requirement. Certain types of entities fall within the scope of NIS2 regardless of their size:

  • Qualified trust service providers (essential)

  • Non-qualified trust service providers (important if micro, small or medium-sized; essential if large)

  • DNS service providers (essential)

  • TLD name registries (essential)

  • Domain name registration service providers (for the registration obligation only)

  • Providers of publicly available electronic communications networks (essential)

  • Entities designated as operators of critical infrastructure under the Polish Act on Crisis Management (essential)

  • Public administration entities covered by the National Cybersecurity System Act (essential)

Rządowe Centrum Bezpieczeństwa

Highly critical and other critical sectors and sub-sectors

Services are grouped together by sectors. Here is the list of the different sectors and sub-sectors:

Highly critical sectors (Annex I)

  1. Energy
    1. Electricity
    2. District heating and cooling
    3. Oil
    4. Gas
    5. Hydrogen
  2. Transport
    1. Air
    2. Rail
    3. Water
    4. Road
  3. Banking
  4. Financial market infrastructure
  5. Health
  6. Manufacturing
    1. Manufacture of medical devices and in vitro diagnostic medical devices
    2. Manufacture of computer, electronic and optical products
    3. Manufacture of electrical equipment
    4. Manufacture of machinery and equipment n.e.c.
    5. Manufacture of motor vehicles, trailers and semi-trailers
    6. Manufacture of other transport equipment
  7. Drinking water
  8. Waste water
  9. Digital ICT infrastructure
  10. ICT service management (B2B)
  11. Public administration 
  12. Space

Other critical sectors (Annex II)

  1. Postal and courier services
  2. Waste management
  3. Production, processing and distribution of food
  4. Digital providers
  5. Research

Most services are defined with reference to descriptions found in EU legislative acts. It is essential to consult these definitions to verify whether they correspond to the actual services provided by an organisation. An organisation assessing whether it falls within the scope of the NIS2 Directive must therefore map its own services to the services listed in the annexes of the directive. It should also be noted that an organisation may provide multiple services and thus fall under more than one sector. For a clearer understanding of the scope of the law, we invite you to review our visual summary:
Rządowe Centrum Bezpieczeństwa

NIS2 Act in Poland

The NIS2 Directive, aimed at enhancing cybersecurity across the EU, is being transposed into Polish law by amending the existing National Cybersecurity System Act (NCSSA). This involves updating the existing law to align with the new directive’s requirements and expanding the scope of entities covered. Poland’s approach includes building upon its 2018 law, creating a new chapter (KSC-2) within the existing framework. 

Implementation Timeline and Process

  • Member States were required to transpose NIS2 into national law by October 17, 2024, with the measures taking effect from October 18, 2024. 
  • Poland’s draft implementing act is an amendment to the 2018 Act on the National Cybersecurity System. 
  • The Ministry of Digital Affairs is responsible for implementing NIS2, including entity registration. 

Scope and Affected Entities

  • NIS2 significantly expands the range of sectors and entities covered compared to the original NIS directive. 
  • Sectors considered “essential” or “important” include energy, transport, banking, healthcare, digital infrastructure, public administration, and more. 
  • The directive also includes entities in sectors like postal and courier services, waste management, and manufacturing. 
  • Poland’s approach reclassifies some sectors, like manufacturing, from “important” to “essential”. 
  • The legislation will apply to medium-sized and large organizations within these critical sectors. 

Key Requirements and Obligations

  • Entities are required to implement appropriate cybersecurity risk-management measures. 
  • They must notify relevant authorities of significant incidents that could cause significant disruption or damage. 
  • Poland’s law includes specific deadlines for entities to apply for registration and implement required measures. 
  • Entities will have 3 months to apply for registration and 6 months to implement an information security management system. 
  • There are also requirements for reporting incidents, including early warnings and updates. 

Penalties for Non-Compliance

  • NIS2 includes harmonized penalties for non-compliance, with potential fines reaching millions of euros. 
  • Poland’s law features high sanctions, including a cap of PLN 100 million (~€23 million) for incidents affecting national security. 
  • Individuals with cybersecurity or management roles could also face personal responsibility for non-compliance. 

Polish-Specific Aspects

  • Poland’s approach is unique in building upon the existing 2018 law, rather than creating a completely new one. 
  • The draft law includes provisions for excluding “High Risk Vendors” in certain situations. 
  • Poland has established specific CSIRT teams (CSIRT MON, CSIRT NASK, CSIRT GOV) for incident management and coordination. 
  • A register of essential and important entities will be maintained by the Ministry of Digital Affairs. 

Importance of Compliance

  • Full implementation of NIS2 is crucial for improving cybersecurity resilience and incident response capabilities. 
  • Organizations need to understand their obligations under NIS2 and take necessary steps to comply. 
  • Failure to comply can lead to significant financial penalties and reputational damage. 

Frequently asked questions

Check our FAQ section, where you can find the first questions we have been asked in recent months.

  • What are the NIS2 directives?

    The NIS2 (Network and Information Security) directives are a set of regulations introduced by the European Union to enhance the cybersecurity of critical infrastructure and essential services across member states. The directives aim to ensure a high common level of cybersecurity across the EU by requiring organizations to implement robust security measures and report significant incidents.

  • What future developments can be expected in relation to the NIS2 Directive?

    Future developments include the refinement of national laws to fully comply with the directive, the establishment of more robust cybersecurity frameworks, continuous updates to address emerging threats, and enhanced collaboration at the EU level to ensure a unified and effective cybersecurity posture.

  • How does the NIS2 Directive impact Small and Medium-sized Enterprises (SMEs)?

    While the NIS2 Directive focuses on operators of essential services and digital service providers, SMEs in critical sectors must also comply with the directive’s requirements. However, the directive includes proportionality measures to ensure that obligations are appropriate to the size and resources of the entities.

  • What cooperation mechanisms does the NIS2 Directive establish?

    The NIS2 Directive establishes cooperation groups to facilitate strategic cooperation and exchange of information among member states. It also creates a network of national CSIRTs to ensure effective operational cooperation.

  • How is Poland implementing the NIS2 Directive within its national legal framework?

    As of mid-2025, Poland is in the process of implementing the NIS2 Directive into its national legal framework through a new cybersecurity act, which is expected to replace the current Act on the National Cybersecurity System (KSC Act). This updated legislation will align Poland’s national law with the requirements of the EU’s NIS2 Directive, which mandates enhanced cybersecurity measures for essential and important entities across the EU.

  • What role do Computer Security Incident Response Teams (CSIRTs) play under the NIS2 Directive?

    CSIRTs are responsible for monitoring, detecting, and responding to incidents. They provide early warning, risk assessment, and incident response capabilities to assist operators of essential services and digital service providers.

  • How does the NIS2 Directive enforce compliance, and what penalties can be imposed?

    National authorities are empowered to conduct audits and inspections. Penalties for non-compliance can include fines, administrative sanctions, and reputational damage. The exact penalties are determined by each member state.

  • What are the incident reporting requirements under the NIS2 Directive?

    Entities must report incidents having a significant impact on the provision of their services without undue delay to the relevant national authority. The initial notification should be followed by a final report once the root cause and impact are fully understood.

  • NIS2 Scope and coverage

    The NIS2 Directive covers a broad range of sectors including energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure, public

  • Obligations for Operators

    Operators of essential services are required to adopt appropriate and proportionate technical and organizational measures to manage risks posed to the security of network and information systems. This includes incident handling, business continuity, monitoring, auditing, and control.