NIS2: A new era of cybersecurity in the European Union

26 July 2024 | Knowledge, News, The Right Focus

NIS2, the Directive on measures for a high common level of cybersecurity across the Union, is the EU's response to increasingly serious digital threats. It strengthens the protection of critical sectors of the economy against cybercrime and applies in all Member States.

Key changes include:

  • Extending the range of covered entities
  • Defining minimum security requirements
  • Strengthening requirements and penalties for incidents
  • Imposing supply chain security obligations

Member States have until 17 October 2024 to bring their national legislation into line with NIS2. The new regulations will come into force one day later, on 18 October. The Ministry of Digital Affairs plans to adopt the relevant act in the third quarter of 2024.

How to prepare for NIS2 obligations

NIS2 brings with it a number of obligations concerning cybersecurity, risk management and incident reporting.

However, the first step should be to assess internally whether the company concerned is subject to the obligations imposed by NIS2, based on the relevant criteria.

The NIS2 will cover medium-sized or large enterprises (with at least 50 employees and an annual turnover and/or annual balance sheet total of more than EUR 10 million) that operate in the following sectors:

  • Sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space
  • Other critical sectors: postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; manufacturing; digital providers; research

In addition, the NIS2 regulations may cover small enterprises and microenterprises if they play a key role for society, the economy or for specific sectors or types of services.

NIS2 responsibilities, procedures and standards

If the above criteria are met, the entity must satisfy requirements in the following areas:

  • Risk management: Entities must implement appropriate technical and organisational measures to protect their networks and systems from cyber threats
  • Incident reporting: There is an obligation to promptly report significant incidents to the competent authorities and to inform customers of potential threats
  • Threat analysis: Regular risk assessments are required to identify and respond to emerging threats
  • Cooperation with authorities: Entities must actively participate in the exchange of information on threats
  • Training: Employees and managers should receive regular cybersecurity awareness training

Importantly, NIS2 also sets out the responsibilities of management boards. Indeed, the management bodies of essential and important entities should approve cybersecurity risk-management measures and oversee their implementation.

Their members, meanwhile, will be required to undergo regular training to acquire the knowledge and skills to identify risks and assess cyber threat management practices and their impact on the services the organisation provides. They will also have to offer similar training to their staff.

Powers of supervisory authorities and associated penalties

The NIS2 gives supervisory authorities a range of powers to monitor implementation and enforce the new rules.

These include carrying out audits, requiring entities to provide necessary information, recommending or ordering entities to ensure compliance with the Directive, and ordering them to cease a particular conduct or to implement audit recommendations. In the case of essential entities, if the above measures prove ineffective, the authorities may temporarily suspend a certification or authorisation for services or activities, or temporarily prohibit the exercise of managerial functions in the entity concerned.

Financial penalties for non-compliance will also be increased:

  • For essential entities, up to EUR 10 million or 2 % of total annual turnover
  • For important entities, up to EUR 7 million or 1.4 % of total annual turnover

The NIS2 Directive represents a major change in the approach to cybersecurity in the European Union.

It is fair to say that it will substantially change the level of awareness in many sectors. For some organisations, implementing its requirements may prove to be quite a challenge and in line with this, we encourage you to contact us now – we will be happy to help you through the process.

Maciej Kuranc

Mikołaj Kuterek
