$ cd ~/securember/nis2

NIS2 / KSC - deadlines, obligations, sectors

The amended Polish Act on the National Cybersecurity System implements the NIS2 directive. Obligations and deadlines apply by operation of law - including for entities that have received no notification.

// deadlines

Key deadlines

// 01 - registration
3.10.2026
Entry in the register of essential and important entities.
// 02 - implementation
3.04.2027
Risk-management measures in place (Art. 21) - including vulnerability management.
// 03 - audit
3.04.2028
First mandatory security audit; from this date the supervisory authority may apply statutory sanctions.
// obligations

Risk-management measures (Art. 21)

The Act requires the implementation and documentation of measures including:

[x]Risk analysis and information system security policies
[x]Incident handling
[x]Business continuity and backup management
[x]Supply chain security
[x]Security in system acquisition and maintenance - including vulnerability handling and disclosure
[x]Procedures to assess the effectiveness of measures
[x]Cyber hygiene and training
[x]Cryptography and encryption
[x]Human resources security and access control
[x]Multi-factor authentication and secured communications

// Vulnerability scans and penetration tests directly address the obligations to identify vulnerabilities and assess the effectiveness of measures.

// sectors

Sectors in scope

Organisations operating in the listed sectors and exceeding the size thresholds defined in the Act (as a rule, from 50 employees) are likely to fall within the scope of NIS2.

Energy Transport Banking Financial markets Healthcare Water & wastewater Digital infrastructure ICT service management Public administration Space Postal & courier services Waste management Chemicals Food Manufacturing (incl. medical devices, electronics, machinery) Digital service providers Research Critical infrastructure

// Scope status can be verified during an initial consultation.

Gap analysis against Art. 21

The organisation's current state mapped against the required measures, with a roadmap to compliance - ahead of the first audit.

Book a consultation