
NIS2 signed by the President — What’s Changing?

4Prime IT Security
20/02/2026

TL;DR: The amendment to the KSC Act implementing the NIS2 Directive has finally been signed by the President, introducing significant changes to the cybersecurity approach. The new regulations increase management liability, introduce strict incident reporting deadlines, expand supervision over essential and important entities, and impose supply chain risk management obligations. Although organizations will have time to adapt (12 months to implement measures and a 2-year transitional period before sanctions), the scale of requirements means real preparations must begin immediately.


On February 19, 2026, President Karol Nawrocki signed the KSC Act implementing the NIS2 Directive, while simultaneously referring it for subsequent review by the Constitutional Tribunal. This means the regulations will enter into force as planned (one month after publication), but may be repealed if the Tribunal finds them unconstitutional.

What exactly is changing and what should organizations prepare for now?

Key changes in requirements

The final version of the law implementing the NIS2 Directive introduces a number of significant changes compared to the original draft. The most important include:

Management accountability

One of the most important changes introduced by the new regulations is the significant increase in management responsibility for cybersecurity. Organizational leadership, including board members, bears direct responsibility for implementing and maintaining adequate technical and organizational measures to protect IT systems. This means cybersecurity is no longer solely an IT function but becomes a strategic responsibility at the executive level.

Incident reporting requirements

The amendment also introduces new, precisely defined incident reporting obligations with clearly defined deadlines. Organizations covered by the regulation are required to:

  1. submit an early warning about a serious incident within 24 hours of detection,

  2. submit a formal incident notification within 72 hours,

  3. prepare a final report within one month.

Reports must include detailed information about the circumstances, course, and duration of the incident, its potential impact on business operations, and mitigation measures taken. In practice, this requires structured incident response processes and proper documentation and reporting capabilities.

More time for risk analysis

From the moment the law enters into force, entities will have up to 12 months to implement appropriate technical and organizational risk management measures. This aims to enable a more realistic and strategic approach to building cyber resilience.

More time for registration

The deadline for registering in the list of essential and important entities has also been extended. Organizations will have up to 6 months, facilitating identification of obligations and preparation for new formal requirements.

New incident reporting rules

The law introduces improvements to incident reporting through the S46 system. This will allow security incident information to be transmitted directly to the relevant CSIRT teams, improving communication efficiency and accelerating incident response.

Sanctions and transitional period

The new regulations also introduce a transitional period to allow organizations to adapt to NIS2 requirements. Financial penalties for non-compliance may only be imposed after two years from the law’s entry into force. In practice, this provides time to implement necessary changes, although organizations should begin preparations as soon as possible given the scope of required actions.

Essential and important entities – key differences in requirements

Essential entities

Essential entities are typically large organizations operating in sectors of critical importance, such as banking, transport, digital infrastructure, or water management. This category mainly includes companies employing more than 250 employees or generating annual revenue exceeding €50 million.

Essential entities subject to NIS2 regulations face stricter requirements and more intensive supervision than other organizations. They fall under a preventive supervision model, including regular security audits, vulnerability scanning, and on-site inspections by competent authorities — often even without a prior security incident. The aim is early detection of gaps and prevention of threats before actual breaches occur.

The regulations also provide for accountability in cases of negligence. Financial penalties may reach up to €10 million or 2% of annual turnover.

Important entities

Important entities typically include medium-sized enterprises and organizations operating in other significant sectors, such as food production, postal services, waste management, or the chemical industry. Qualification thresholds usually include more than 50 employees or annual revenue exceeding €10 million.

Important entities are subject to a less intensive supervisory model, known as ex-post supervision. This means regulatory oversight actions are generally triggered by a security incident, reported violations, or other indicators of potential non-compliance, rather than regular preventive audits. Despite lighter supervision, these organizations must still meet defined cybersecurity and risk management requirements.

In case of violations, financial penalties may reach up to €7 million or 1.4% of annual turnover.

NOTE: Additionally, NIS2 allows for personal liability penalties for management, which may reach up to 600% of remuneration.

Supply chain security as part of risk management

One of the key areas emphasized by the NIS2 Directive is supply chain security. The new regulations require essential and important entities to actively manage risk not only internally but also across relationships with suppliers, technology partners, and service providers. In practice, this means assessing the cybersecurity posture of third parties and incorporating those assessments into the organization’s information security management system.

For organizations operating within supplier ecosystems, this means demonstrating cybersecurity maturity through documented procedures, security policies, and the ability to respond to audit requirements from customers. Lack of readiness may lead not only to regulatory risk but also to loss of contracts, as organizations covered by NIS2 must minimize risks arising from cooperation with insufficiently secured partners.

NIS2 in practice – time for real preparation

The regulations implementing the NIS2 Directive significantly change the approach to cybersecurity. For many organizations, this will mark a period of accelerated transformation — from meeting minimal formal requirements to building real cyber resilience.

If you want to learn which processes and technologies you need to implement to meet NIS2 requirements, contact us.


Text author:
4Prime IT Security
