NIS2 / KSC - deadlines, obligations, sectors
The amended Polish Act on the National Cybersecurity System implements the NIS2 directive. Obligations and deadlines apply by operation of law - including for entities that have received no notification.
Key deadlines
Risk-management measures (Art. 21)
The Act requires the implementation and documentation of measures including:
// Vulnerability scans and penetration tests directly address the obligations to identify vulnerabilities and assess the effectiveness of measures.
Sectors in scope
Organisations operating in the listed sectors and exceeding the size thresholds defined in the Act (as a rule, from 50 employees) are likely to fall within the scope of NIS2.
// Scope status can be verified during an initial consultation.
Gap analysis against Art. 21
The organisation's current state mapped against the required measures, with a roadmap to compliance - ahead of the first audit.
Book a consultation