NIS2: A new era of cybersecurity in the European Union

26 July 2024 | Knowledge, News, The Right Focus

NIS2, the Directive on measures for a high common level of cybersecurity across the Union, responds to increasingly serious digital threats. It strengthens the protection of critical sectors of the economy against cybercrime and applies in all Member States.

Key changes include:

  • Extending the range of covered entities
  • Defining minimum security requirements
  • Strengthening requirements and penalties for incidents
  • Imposing supply chain security obligations

Member States have until 17 October 2024 to bring their national legislation into line with NIS2. The new regulations will come into force one day later, on 18 October. The Ministry of Digital Affairs plans to adopt the relevant act in the third quarter of 2024.

How to prepare for NIS2 obligations

NIS2 brings with it a number of obligations concerning cybersecurity, risk management and incident reporting.

The first step, however, should be an internal assessment of whether the company concerned is subject to the obligations imposed by NIS2, based on the criteria below.

NIS2 will cover medium-sized and large enterprises (with at least 50 employees and an annual turnover and/or annual balance sheet total of more than EUR 10 million) that operate in the following sectors:

  • Sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space
  • Other critical sectors: postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; manufacturing; digital providers; research

In addition, the NIS2 rules may cover small enterprises and microenterprises if they play a key role for society, the economy, or specific sectors or types of services.

NIS2 responsibilities, procedures and standards

If the above criteria are met, the entity must comply with requirements in the following areas:

  • Risk management: Entities must implement appropriate technical and organisational measures to protect their networks and systems from cyber threats
  • Incident reporting: There is an obligation to promptly report significant incidents to the competent authorities and to inform customers of potential threats
  • Threat analysis: Regular risk assessments are required to identify and respond to emerging threats
  • Cooperation with authorities: Entities must actively participate in the exchange of information on threats
  • Training: Employees and managers should receive regular cybersecurity awareness training

Importantly, NIS2 also sets out the responsibilities of management boards: the management bodies of essential and important entities must approve cybersecurity risk-management measures and oversee their implementation.

Their members, meanwhile, will be required to undergo regular training to acquire the knowledge and skills to identify risks and assess cyber threat management practices and their impact on the services the organisation provides. They will also have to offer similar training to their staff.

Powers of supervisory authorities and associated penalties

NIS2 gives supervisory authorities a range of powers to monitor implementation and enforce the new rules.

These include carrying out audits, requiring entities to provide the necessary information, recommending or ordering entities to ensure compliance with the Directive, and ordering them to cease a particular conduct or to implement audit recommendations. In the case of essential entities, if these measures prove ineffective, the authorities may temporarily suspend a certification or authorisation for services or activities, or temporarily prohibit the exercise of managerial functions in the entity concerned.

Financial penalties for non-compliance will also be increased:

  • For essential entities, up to EUR 10 million or 2 % of total annual turnover
  • For important entities, up to EUR 7 million or 1.4 % of total annual turnover

The NIS2 Directive represents a major change in the approach to cybersecurity in the European Union.

It is fair to say that it will substantially change the level of awareness in many sectors. For some organisations, implementing its requirements may prove to be quite a challenge, so we encourage you to contact us now – we will be happy to help you through the process.

Maciej Kuranc

Mikołaj Kuterek
