Technology, as an inseparable element of the modern world, provides extraordinary opportunities while simultaneously creating a new space for criminal activity. Hacking attacks, online fraud, extortion, and data theft have become so frequent that many people begin to perceive them as an inherent part of contemporary life. Cyberattacks occur more often than one might expect. Studies indicate that one in five Polish employees has fallen victim to a cyberattack at the workplace, one in three has someone in their circle of acquaintances or family who has been affected, and only one in three companies conducts regular IT security tests[1]. Increasing threats—becoming ever more sophisticated and technically advanced—pose new challenges for companies.
The issue of rising threats in the digital space has been recognized by the European Union. In December 2022, the European Parliament and Council adopted Directive (EU) 2022/2555, also known as the NIS2 Directive[2], which aims to “build cybersecurity capabilities across the Union, mitigate risks to networks and information systems used to provide essential services in critical sectors, and ensure the continuity of such services in the event of incidents, thereby contributing to the security of the Union and the smooth functioning of its economy and society”[3]. NIS2 entered into force on 18 October 2024, and with its enactment, the previous NIS1 Directive was repealed.

The new directive expands the scope of the previously applied NIS1 Directive[4] to include, among others, public administration (with certain exceptions), ICT service management, postal and courier services, the food industry, wastewater management, waste management, manufacturing, scientific research, and space activities. It also broadens some previously included NIS1 sectors and classifies businesses in terms of cybersecurity as either “essential” or “important” entities (listed respectively in Annex I and II of the Directive). Consequently, the NIS1 concepts of “operators of essential services” and “digital service providers” are no longer valid. Essential and important entities are subject to numerous cybersecurity obligations, which should be implemented according to the specific nature of the company’s activities.
A significant novelty is the introduction of a so-called self-identification mechanism. It is the responsibility of the enterprise to independently assess whether its size and business activity render it subject to the NIS2 Directive. Following a positive assessment, the enterprise is then obliged to register in the official registry of essential and important entities maintained by the competent authorities.
Additionally, entities covered by the NIS2 Directive face higher requirements regarding cybersecurity than before, particularly in the areas of:
Risk management and implementation of appropriate technical and organizational measures,
Development and implementation of information security management policies,
Ensuring high resilience of IT systems against attacks,
Reporting security incidents.
Compliance with these obligations may take the form of, among others:
Handling cybersecurity incidents and cooperating with the relevant Computer Security Incident Response Team (CSIRT),
Crisis management and restoring normal operations after extraordinary events,
Ensuring supply chain security,
Testing the organization’s cybersecurity level,
Effective use of encryption,
Conducting cybersecurity training.
It is worth noting that the NIS2 Directive contains provisions that significantly increase incentives to comply, given the threat of financial penalties. The Directive provides for fines for non-compliance as follows:
Up to EUR 10,000,000 or at least 2% of the total annual worldwide turnover of the enterprise in the previous financial year – for essential entities,
Up to EUR 7,000,000 or 1.4% of the total annual worldwide turnover – for important entities.
The directive also introduces management accountability for risk management compliance. Any natural person responsible for an essential entity or acting as its legal representative—authorized to represent the entity, make decisions on its behalf, or exercise control over it—may be held liable for failing to ensure compliance with the Directive. In practice, depending on the internal structure of the company, this implies potential liability for boards of directors and senior management.
Member States had until 17 October 2024 to transpose the NIS2 Directive into their national legal frameworks. In Poland, this will take the form of an amendment to the Act on the National Cybersecurity System[5], the latest draft of which[6], dated 7 October 2025, is currently being processed by the Council of Ministers.
The new law aims to establish a legal framework to better protect strategic sectors from cyberattacks and to strengthen supervision and control mechanisms. Apart from implementing the directive’s provisions, the draft amendment:
Provides for financial penalties higher than those under the Directive (up to PLN 100 million),
Contains provisions recognizing certain suppliers, e.g., software providers, as high-risk suppliers (“DWR”), which in practice may require a very costly replacement of IT solutions,
Expands the scope of persons subject to personal liability for compliance with the new regulations to include unit managers (the Directive refers only to individuals responsible for the entity, i.e., essentially management bodies).
Of particular importance for businesses will be the time allowed to adapt to the new regulations. Entities potentially classified as essential or important will have six months from the entry into force of the law to conduct a self-assessment of applicability and register in the registry. Furthermore, essential entities must carry out the first audit within 24 months of the law’s entry into force, and subsequent audits must be performed every 36 months. Notably, important entities are not subject to this auditing obligation.
Penalties for non-compliance with the new regulations have also been introduced:
Penalties for essential entities failing to meet obligations may reach up to EUR 10 million or 2% of revenue in the previous year, but not less than PLN 20,000,
Penalties for important entities may reach up to EUR 7 million or 1.4% of revenue, but not less than PLN 15,000,
Penalties for managers of essential or important entities of up to 300% of their remuneration, calculated according to rules used for determining monetary equivalents for leave,
Aggravated penalties of up to PLN 100 million where violations create a direct and serious threat to national defense, state security, public order, life and health, or cause serious property damage or service disruption.
The planned amendment significantly tightens penalties for non-compliance. Current financial sanctions under Article 73 of the still-effective Act on the National Cybersecurity System provide fines of up to PLN 150,000 for failure to systematically assess risks or manage incident-related risks.
Ensuring online security is no longer only a matter of protecting sensitive data; it has become a key element of any organization’s business strategy, reflecting corporate responsibility and care for clients. Cybersecurity management directly affects a company’s reputation, its industry perception, and consumer trust. In an era of growing public awareness of digital threats, users pay closer attention to whether companies are adequately protected and tend to avoid those that fail to meet security standards. Every cyberattack not only entails financial loss from damage remediation but also results in reputational harm, which may challenge a company’s future viability. While absolute cybersecurity does not exist, a higher level of protection is achievable. From both a security and business perspective, it is far preferable to invest in appropriate safeguards proactively than to face the adverse consequences of an attack later.
[1] The conclusions are based on a survey of over 1,000 employees; “Cyberportrait of Polish Business”, prepared by ESET and Dagma IT Security, https://in.eset.pl/cyberportret-polskiego-biznesu?_gl=1*12zsgl9*_ga*MTEwMTE1MDk2LjE3MzA5Njc2ODc.*_ga_VPQGKXJKZL*MTczMDk2NzY4Ny4xLjEuMTczMDk2ODEwNy4wLjAuMA..*_gcl_au*NjgzNjUyMjIuMTczMDk2ODA5OA
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS2 Directive) (OJ L 333, 2022, p. 80).
[3] Recital 1 of the Directive.
[4] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures for a high common level of network and information systems security across the Union (OJ L 194, 2016, p. 1).
[5] Act of 5 July 2018 on the National Cybersecurity System (consolidated text, Journal of Laws of 2024, item 1077).
[6] https://legislacja.gov.pl/projekt/12384504/katalog/13055243#13055243