NIS2, implemented in Poland via the amended KSC Act from 2026, applies to essential and important entities as well as companies in their supply chain. It requires real cyber-risk management: monitoring systems, responding to incidents and reporting them (24h / 72h / 1 month), audits, and securing access, data, and business continuity. Penalties are severe—up to EUR 10M or 2% of turnover, and for management even up to 600% of remuneration.

According to a KPMG report, 45% of organizations believe they are well prepared for changing regulations. Nevertheless, in 2023, 66% of companies reported at least one incident—an increase compared to the previous year.

Poland’s implementation of the NIS2 Directive is entering a decisive phase. The amendment to the National Cybersecurity System Act (KSC) has already been signed by the President. This means that after publication in the Journal of Laws and a one-month vacatio legis, the new regulations will take effect as early as March, significantly changing how organizations approach cybersecurity.

In the article below, we outline practical steps you should take to meet the requirements of the new KSC Act and avoid administrative penalties.

What is NIS2?

The NIS2 Directive is a new European Union regulation that was implemented in Poland at the beginning of 2026. Its goal is to increase the cyber resilience of essential and important entities.

The amendment to the National Cybersecurity System Act (KSC) includes the requirements stemming from NIS2. It introduces significant updates addressing previously identified shortcomings: low levels of cyber resilience, inconsistent resilience across Member States, and the lack of a common crisis response.

Who does NIS2 and the amended KSC Act apply to?

Under NIS2 and the amended KSC Act, all essential and important entities are required to implement appropriate technical, organizational, and process measures.

Essential entities are those operating in sectors of high criticality and having more than 250 employees or annual revenues exceeding EUR 50 million.

Important entities are those with more than 50 employees or annual revenues exceeding EUR 10 million. The Act also covers organizations that directly provide services or products to essential and important entities (the supply chain).

Sectors covered by the new KSC Act

Essential sectors:

incl.

• Energy

• Transport

• Banking

• Financial market infrastructures

• Healthcare

• Drinking water

• Wastewater

• Digital infrastructure

In addition, essential entities also include: an electronic communications undertaking that at least meets the criteria for a medium-sized enterprise as defined in Regulation 651/2014/EU, and regardless of size:

• a DNS service provider,

• a managed cybersecurity services provider,

• a qualified trust service provider within the meaning of Article 3(20) of Regulation (EU) No 910/2014 (eIDAS)[3],

• a critical entity identified pursuant to Article 6 of Directive (EU) 2022/2557 (CER)[4],

• a public entity,

• an entity identified as essential by the competent cybersecurity authority,

• a top-level domain (TLD) name registry.

Important sectors:

incl.

• ICT service management

• Public administration

• Space

• Postal and courier services

• Waste management

• Food production, processing, and distribution

• Manufacturing (medical devices, in vitro diagnostics)

• Scientific research

• Motor vehicles and other transport equipment

• Digital service providers

• Computer, electronic and optical products, electrical equipment, machinery and equipment

Key KSC Act requirements resulting from NIS2 implementation

• Expanded scope: Under the new directive, all medium and large enterprises in sectors defined as essential and important fall under the regulatory framework, as do entities connected via the supply chain.

• Requirements for responding to, analyzing, and reporting incidents: The regulations impose an obligation to report incidents to the relevant CSIRT (within 24h, 72h, and one month for the final report). Reports must include a range of substantive information specifying the circumstances and course of the incident.

• Strengthened cybersecurity measures: The Act places particular emphasis on building cyber resilience based on advanced IT security technologies.

• Administrative penalties: up to EUR 10M or 2% of the entity’s prior-year revenue for essential sectors, up to EUR 7M or 1.4% of prior-year revenue for important sectors, and up to 600% of remuneration for company management.

• Audit obligation: at least every 2 years for essential sectors.

• Requirement for continuous monitoring of the IT environment.

What do you need to do to prepare your company for NIS2 and avoid penalties? 15 practical tips

The penalty for management for failing to comply with the new KSC Act requirements is up to 600% of remuneration.

To effectively prepare for NIS2 and avoid penalties imposed both on the company and on the person responsible for cybersecurity, you should:

1. Check systems for threat identification (audit, security assessment, pentests).

2. Appoint a person responsible for cybersecurity within the organization.

3. Implement a process for assessing the risk of incidents.

4. Plan security audits at least every three years (as an essential entity).

5 Implement monitoring, incident response and handling processes (SOC/MDR service), including reporting incidents to the relevant CSIRTs.

6. Implement an incident reporting process and incident response reporting (also with support from a SOC):

• within 24 hours for warnings about significant incidents,

• within 72 hours for proper reports of significant incidents,

• within one month for the final report.

7. Invest in modern EDR and NDR solutions—the new KSC Act requires you to provide the incident’s root cause already at the time of reporting. The issue is that many attacks occur months before an incident is discovered. In such cases, antivirus is not enough. Without digital forensics tools (EDR, NDR) that collect telemetry (event history), it is very hard to determine how the attack happened.

8. Implement backup and recovery tools.

9. Implement a vulnerability management process to identify and classify weaknesses.

10. Understand the security practices used by suppliers and business partners (supply chain security).

11. Implement data encryption mechanisms.

12. Use tools for managing cryptographic keys.

13. Protect privileged users and access to critical IT systems with PAM tools.

14. Conduct regular training for board members and other employees on cyber threat awareness and KSC requirements.

15. Establish, implement, and communicate security policies to employees, contractors, and suppliers.

FAQs

The amended KSC Act mentions an obligation for essential and important entities to gather information about cyber threats and vulnerabilities to incidents. How should this be understood?

Organizations covered by the Act should make efforts to maintain up-to-date knowledge of cyber threats and analyze vulnerabilities of information systems.

This can be achieved by:

• regularly tracking new vulnerabilities (e.g., in the CVE database) and reading NASK reports;

• implementing procedures and tools for managing the attack surface (Attack Surface Management);

• proactive risk management through regular penetration tests and red teaming;

• applying Cyber Threat Intelligence tools.

All these actions require expertise, tools, and time. Fortunately, they can be outsourced to experienced SOC analysts, including our SOC360 team.

With the amended KSC Act, essential and important entities must align their access control policies with the new requirements. How can these requirements be met?

To meet the requirements effectively, organizations should:

• implement least privilege—ensure users only have access necessary for their duties;

• segment access based on roles (RBAC);

• monitor and audit access in real time—use IAM and PAM solutions;

• apply multi-factor authentication (MFA).

Identity-based attacks such as phishing are among the most common ways to gain unauthorized access. Proper policies and employee education help meet legal requirements and significantly reduce incident risk.

If a company is neither essential nor important, does it still need to comply with the new KSC Act?

The KSC Act places strong emphasis on supply chain security, which in practice means that any company working with entities covered by the Act should meet certain security standards. It’s not just about avoiding penalties—it’s about building competitive advantage and trust. Essential and important entities will increasingly look for partners whose security they can rely on.

What is supply chain security under the new KSC Act?

Supply chain security is one of the key areas emphasized by the new KSC Act, imposing new obligations on essential and important entities. After the Act takes effect, these entities will be required, among other things, to:

• regularly monitor suppliers and require compliance with security standards;

• implement supply chain risk management policies, including control of suppliers’ access to data and resources;

• prepare contingency and recovery plans to ensure continuity in case of supplier-related incidents.

What do the requirements for continuity measures mean in practice?

The amended KSC Act requires business continuity not only from essential and important entities, but also from companies that form an important part of their supply chain.

Business disruption caused by hardware failure, a cyberattack, or another disaster can lead to massive losses. The Act therefore introduces requirements for mitigation measures, including:

• plans ensuring uninterrupted delivery of key services during outages/incidents—documented, tested, and updated;

• contingency and recovery plans enabling quick resumption of operations (prioritized systems and response timelines);

• tools for backups and recovery.

Failure to implement adequate and proportionate risk management measures may result in financial penalties for members of management bodies.

Continuous monitoring and incident management are additional requirements. How can they be met?

Implement technologies that enable monitoring and full visibility of the IT environment—EDR and NDR are especially valuable for rich telemetry. SIEM can also help, but works best when paired with EDR/NDR and fed with high-value data.

Ensure qualified experts monitor and respond 24/7. If internal resources are insufficient, consider outsourcing to a SOC.

Continuously test and update security systems and incident response processes to keep pace with a changing threat landscape.

How should incident management look for an ICT service provider under the new KSC Act?

The amended KSC Act introduces incident management obligations for essential entities, important entities, and managed service providers. In line with NIS2, organizations should:

1. Systematically manage incidents:

• establish detection, reporting, and resolution processes;

• implement ICT monitoring, logging, and event analysis tools (including regular risk assessment).

2. Report incidents:

• significant incidents impacting service delivery must be reported to the appropriate CSIRT;

• reporting timelines:

  • 24h: early warning

  • 72h: initial analysis (attack vector, timing, duration, scope, cross-border nature)

  • 1 month: full incident report

3. Categorize incidents:

• define what constitutes a critical incident per KSC/NIS2 guidance (e.g., affecting continuity, customer data, or key services).

What is ICT in practice—and what is it not?

ICT (Information and Communication Technology) broadly covers information systems, telecommunications, and tools supporting business operations—systems that process data, enable communication, or support clients’ business operations.

What are the consequences of not registering in the entity register while being subject to the obligations?

• Legal:

  • recognition by supervisory authorities as an entity breaching the law, potentially leading to financial and administrative sanctions;

  • potential criminal consequences for management (management-level penalties).

• Operational:

  • inability to benefit from CSIRT support;

  • higher operational risk during large-scale incidents.

External audit vs internal audit—can an internal lead auditor replace an external audit?

• Internal audit:

  • a competent lead auditor can conduct internal audits, but this may not fully meet NIS2/ISO requirements;

  • internal audits serve self-assessment and gap identification.

• External audit:

  • often required to confirm compliance for certification or legal purposes;

  • may be mandated by KSC/NIS2 depending on entity status.

Who is responsible for classifying an incident as critical?

Under the new regulations, the person responsible is a representative of the management body who appoints a security management team within the organization. This person should be independent from the IT team (to avoid conflicts of interest). In case of doubt, cooperation with the national CSIRT is recommended.

Need help implementing the right technologies and processes in your organization? 4Prime IT Security offers:

• SOC/MDR service, including attack reporting,

• Audits and security assessments,

• Modern cybersecurity technologies (EDR, NDR, PAM, cryptographic key management, backup solutions),

• Penetration testing.

Contact our expert today and prepare your company for NIS2.