Free NIS2 compliance audit - questions and answers
The NIS2 Directive (Network and Information Systems Directive 2) is Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union. It replaces the previous directive and imposes on Member States the obligation to establish requirements for cybersecurity risk management in critical sectors.
In Poland the NIS2 Directive was implemented by the Act on the National Cybersecurity System (UKSC), which defines the organisation of that system and the obligations of the entities participating in it. The Act divides entities subject to the regulations into two main categories: essential entities and important entities. Classification depends mainly on the sector of activity and the size of the enterprise, although there are exceptions for entities of particular significance.
1. Essential entities
This group includes entities listed in Annex 1 to the Act (specifying key sectors) that exceed the requirements for a medium-sized enterprise (employ more than 50 persons and have the appropriate turnover or balance-sheet total).
Key sectors are:
- energy (including: mineral extraction, electricity, heat, oil and fuels, gas, nuclear energy, hydrogen),
- transport (air, rail, maritime, road),
- banking and financial market infrastructure,
- healthcare (e.g. hospitals, laboratories, pharmaceutical manufacturers),
- drinking water supply and distribution,
- collective wastewater disposal,
- digital infrastructure (e.g. internet exchange points, cloud providers, data centres),
- management of ICT services (B2B),
- space,
- public entities (government administration, ZUS, KRUS, NFZ).
In addition, essential entities – regardless of size – include, among others: DNS service providers, TLD domain name registries, trust service providers, critical entities, public entities indicated in Annex 1 to the Act, electronic communications operators meeting at least the requirements for a medium-sized enterprise.
2. Important entities
These are entities that do not qualify as essential but meet specified criteria. This group includes: entities listed in Annex 1 to the Act that meet the requirements for a medium-sized enterprise (but are not large enterprises), and entities listed in Annex 2 to the Act (specifying important sectors) that are at least medium-sized enterprises.
Important sectors are:
- postal services,
- nuclear energy investments,
- waste management,
- production, manufacture and distribution of chemicals,
- production, processing and distribution of food,
- manufacturing (e.g. medical devices, computers, electrical equipment, machinery, vehicles),
- digital service providers (online marketplaces, search engines, social networks),
- scientific research (e.g. research organisations).
Furthermore, important entities include, among others: non‑qualified trust service providers (micro, small, medium enterprises), electronic communications operators that are micro or small enterprises, certain public entities (e.g. municipal budgetary establishments, municipal cultural institutions), if they perform public tasks using information systems.
These entities are subject to obligations regarding the implementation of an information security management system, incident handling and reporting of serious incidents to the appropriate CSIRT teams (CSIRT MON, CSIRT NASK or CSIRT GOV).
To check whether your company is subject to the Act on the National Cybersecurity System (implementing the NIS2 Directive), you must carry out a self-assessment based primarily on the type of activity (sector) and the size of the enterprise.
Step 1: Check whether your company operates in a sector covered by the regulation
You must verify whether your company's business profile is specified in one of the annexes to the Act:
- Annex 1, which specifies key sectors: energy, transport, banking and financial market infrastructure, healthcare, drinking water supply and distribution, collective wastewater disposal, digital infrastructure, management of ICT services (B2B), space, public entities,
- Annex 2, which specifies important sectors: postal services, nuclear energy investments, waste management, production, manufacture and distribution of chemicals, production, processing and distribution of food, manufacturing (e.g. medical devices, computers, electronics, machinery, vehicles), digital service providers (marketplaces, search engines, social networks), scientific research, public entities.
Step 2: Verify the size of the enterprise
The general rule is that the Act applies to entities that are not micro or small enterprises. Size is assessed as at the date of preparation of the financial statements.
If your company is a medium-sized enterprise (employs from 50 to 249 persons or has the appropriate turnover or balance-sheet total) or a large enterprise – in principle it is subject to the Act, provided it operates in the sectors indicated above.
Step 3: Determine the status (essential entity or important entity)
- Essential entity – if you are a large enterprise operating in a sector specified in Annex 1 to the Act.
- Important entity – if you are a medium-sized enterprise listed in Annex 1 to the Act OR a medium or large enterprise listed in Annex 2 to the Act.
Step 4: Check exceptions (independent of company size)
Some entities are subject to the Act regardless of size (even as micro and small companies). These include, among others:
- DNS service providers and TLD domain name registries,
- trust service providers (qualified are essential, non‑qualified – important),
- electronic communications operators (providers of public networks or services),
- entities recognised as critical under the CER directive,
- managed cybersecurity service providers (if they are not micro‑enterprises).
Step 5: Administrative decision
Even if your company does not meet the criteria above, the authority competent for cybersecurity may issue a decision recognizing it as an essential entity or an important entity, e.g. if it is the sole provider of a key service or its disruption would have serious consequences for public security.
What if the company is subject to the Act? If your company meets the criteria, you are obliged to submit an application for entry in the register of essential entities and important entities within 6 months from the date of meeting the statutory conditions. The application is submitted electronically to the minister competent for informatization.
The Act on the National Cybersecurity System (UKSC), which implemented the NIS2 Directive in Poland, imposes a number of obligations on essential entities and important entities, focusing on risk management and incident reporting. Although most obligations are common to both categories, there are differences in supervision and audits.
1. Implementation of an information security management system (SZBI)
Entities must implement an information security management system in the information systems used to provide services. As part of this system, technical and organisational measures proportional to the risk must be implemented, including:
- policies for risk assessment and security of information systems,
- physical and environmental security and access control,
- business continuity management (backups, contingency plans, disaster recovery),
- supply chain security (security of relationships with ICT service and product suppliers),
- encryption and cryptography,
- multi-factor authentication (MFA) and secure communications,
- vulnerability management and remediation,
- cybersecurity training for personnel (cyber hygiene).
2. Obligation to report incidents
Entities have strict obligations to report serious incidents to the relevant CSIRT team (CSIRT NASK, CSIRT GOV or CSIRT MON). The reporting procedure includes:
- early warning – within 24 hours of incident detection,
- incident report – within 72 hours of incident detection (update of information, preliminary assessment),
- final report – within one month of reporting the incident (or after its conclusion).
Additionally, the entity must inform its service recipients about serious threats and remedial measures.
3. Responsibility of management
The head of the entity (e.g. the management board) bears personal responsibility for fulfilling cybersecurity obligations.
- The head is responsible for oversight of the security system and for implementing that system.
- The head (and the person responsible for cybersecurity) is required to undergo training once a year.
4. Registration in the register
Entities must submit an application for entry in the register of essential entities and important entities within 6 months from the date of meeting the statutory conditions. They are also obliged to update data in the register within 14 days of any change.
5. Designation of contact persons
At least two persons responsible for maintaining contact with the entities of the national cybersecurity system must be designated (for micro and small enterprises one person is sufficient).
6. Security audit (main difference between the entities)
- Essential entities are required to conduct a security audit of the system at least once every 3 years at their own expense. The first audit must be carried out within 24 months of recognition as an essential entity.
- Important entities do not have a statutory obligation to conduct cyclical external audits, unless the competent authority orders an audit by administrative decision (e.g. after an incident or breach of the Act).
7. Documentation
Entities must develop, apply and update security documentation (normative and operational) and retain it for at least 2 years after decommissioning.
Failure to fulfil these obligations (e.g. failure to report an incident, failure to conduct an audit, failure to implement security measures) may result in the imposition of significant financial penalties both on the entity and directly on the head of the entity.
The frequency of audits and compliance reviews under the Act on the National Cybersecurity System (which implemented the NIS2 Directive) varies depending on the status of the entity (essential or important) and the type of verification (external audit or internal review).
1. Security audit for essential entities
Essential entities have a statutory obligation to undergo external audits regularly.
- Frequency: at least once every 3 years.
- First audit: within 24 months from the date of meeting the criteria for recognition as an essential entity (e.g. from the date of entry in the register or issuance of a decision).
- Cost: at the entity's own expense.
- Who performs it: an accredited conformity assessment body or at least two auditors meeting specified requirements (e.g. holding certificates or appropriate practical experience).
2. Audit for important entities
Important entities do not have a fixed statutory cycle for mandatory external audits (as essential entities do). However, they may be required to carry out an audit in special circumstances.
- Audit on request: The authority competent for cybersecurity may order an important entity to conduct an external audit in the event of a serious incident or other breach of the Act.
- Deadline: The authority sets the deadline for submission of the audit report in the administrative decision.
3. Ad hoc audit (by order of the authority)
Regardless of scheduled audits, the competent authority may order a security audit:
- of an essential entity – at any time,
- of an important entity – in the case of identified breaches or incidents.
Such decisions are subject to immediate enforcement.
4. Internal reviews and monitoring (ENISA recommendations)
In addition to statutory audits, both essential and important entities must regularly verify the effectiveness of applied security measures within internal procedures. According to ENISA technical guidelines:
- the security policy should be reviewed and updated at least once a year and after significant incidents or changes to the infrastructure,
- the risk analysis should be updated at planned intervals, at least once a year,
- security testing (e.g. vulnerability scanning, penetration testing) should be carried out at planned intervals (recommended: at least once a year) or after significant changes to systems,
- an independent review of the security status, which may be performed by a separate internal unit or an external company, should be conducted at planned intervals, e.g. annually.
In summary, essential entities must carry out a full security audit every 3 years, while all entities covered by the Act should perform internal reviews of policies and risk analyses at least once a year.
Yes, the Act on the National Cybersecurity System (UKSC), which implemented the NIS2 Directive, requires the designation of persons responsible for cybersecurity matters. The provisions distinguish several roles depending on the scope of responsibility (contact function or managerial) and the entity's seat.
1. Contact persons (statutory requirement)
Every essential entity and important entity is obliged to designate persons responsible for maintaining contacts with the bodies of the national cybersecurity system (e.g. CSIRT teams and supervisory authorities).
- General rule: at least two persons should be designated.
- Micro and small entrepreneurs are required to designate at least one person.
- Public entities (important) are required to designate at least one person.
The data of these persons (first name, surname, telephone, e-mail) must be reported to the register of essential and important entities.
2. Internal structures or outsourcing (operational requirement)
The Act imposes on entities the obligation to establish internal structures responsible for cybersecurity or to conclude a contract with an external managed security services provider (MSSP). This means that a company must have a designated team or a designated person (e.g. CISO – Chief Information Security Officer) performing technical and organisational tasks, unless these are outsourced.
According to ENISA technical guidelines, an entity should designate at least one person who reports directly to the governing bodies on matters related to the security of network and information systems. In smaller entities these duties may be assigned to other roles, but they must be clearly defined.
3. Responsibility of the entity's manager
Regardless of the obligation to designate substantive employees, the Act indicates that the manager of the entity (the board, director) bears the primary responsibility for cybersecurity.
- The manager may entrust duties to another person (e.g. IT or security director), but this does not relieve them of responsibility for their execution.
- The manager (and the person to whom duties were entrusted) must undergo regular training.
4. Representative (for entities outside the EU)
A specific requirement applies to entities (e.g. DNS providers, cloud service providers, trading platforms) that do not have a seat in the European Union but offer services in Poland. Such entities must appoint a representative in the territory of the EU (if they choose Poland, the representative must be established in Poland). Supervisory authorities may address this representative in matters related to the performance of statutory obligations.
In summary, at least two contact persons for operational contact with CSIRT should be designated (or one in the case of small companies) and a structure (person or team) responsible for implementing security measures must be provided. However, the ultimate legal responsibility rests with the board or the manager of the unit.
Under the provisions implementing the NIS2 Directive (i.e. the UKSC), the responsibility of the board (defined in the Act as the manager of the entity) is key, personal and non-transferable. The legislator emphasises that cybersecurity should be treated as a strategic issue, not merely a technical one.
1. Personal legal responsibility
The manager of an essential or important entity (e.g. the company board, director) bears responsibility for the performance of cybersecurity obligations. Importantly, this responsibility does not disappear when tasks are delegated to another person (e.g. IT director or CISO). Even if the board outsources the implementation of cybersecurity tasks to an external company or appoints an employee to carry them out, the ultimate legal responsibility for failure to fulfil obligations still rests with the board.
2. Specific duties of the board
The Act imposes a number of specific managerial tasks on the manager of the entity:
- oversight of the system – making decisions concerning the preparation, implementation, application and review of the information security management system,
- budget – planning adequate financial resources for the fulfilment of cybersecurity obligations,
- structure – assigning cybersecurity tasks and supervising their execution,
- awareness – ensuring that personnel are aware of threats and know internal regulations,
- mandatory training – the manager of the entity (and the person to whom duties were entrusted) has a statutory obligation to undergo cybersecurity training once a year.
3. Approval and review of policies (ENISA standards)
According to ENISA technical requirements, the board must formally approve the security policy for network and information systems. The approval date should be documented. Furthermore, the board should review this policy at least once a year or after the occurrence of significant incidents.
4. Financial penalties imposed on natural persons
This is one of the most important changes compared with previous regulations. The supervisory authority may impose a monetary penalty directly on the manager (a natural person) if they do not perform their duties (e.g. fail to report an incident, fail to ensure an audit, fail to undergo training, fail to designate contact persons).
- The penalty may amount to up to 300% of the salary received by the sanctioned manager (calculated in the same way as the cash equivalent for annual leave).
- For managers of public entities, the penalty may be up to 100% of the salary.
5. Possibility of suspension from duties
In extreme cases, if an essential entity persistently breaches the rules and does not remedy the deficiencies despite imposed penalties, the competent authority may issue a decision prohibiting the manager from performing managerial functions. This prohibition remains in force until the deficiencies are remedied or the breaches cease.
In summary, the board can no longer treat cybersecurity solely as the domain of the IT department. Board members must actively participate in risk management, ensure budget allocation and attend training. They also bear personal financial responsibility for negligence in this area.
The amended Act on the National Cybersecurity System (implementing the NIS2 Directive) significantly tightens financial and administrative sanctions. Penalties may be imposed not only on the company itself but also directly on management personnel.
1. Monetary penalties for entities (companies and institutions)
The level of penalties depends on the category of the entity (essential or important) and the amount of annual revenue.
Essential entities:
- maximum penalty – up to €10,000,000 or 2% of the total annual worldwide turnover from the previous financial year (the higher amount applies),
- minimum penalty – PLN 20,000.
Important entities:
- maximum penalty – up to €7,000,000 or 1.4% of the total annual worldwide turnover (the higher amount applies),
- minimum penalty – PLN 15,000.
Extraordinary penalty: up to PLN 100,000,000 in the case of a breach causing a direct and serious threat to national defence, state security or to human life and health.
For what can these penalties be imposed? They may be imposed, among others, for failure to register in the register, failure to implement an information security management system, failure to carry out an audit, failure to report a serious incident, or failure to implement post‑inspection recommendations.
2. Personal monetary penalties for management
This is one of the most important changes. If an entity fails to perform obligations (e.g. does not conduct audits, does not report incidents), the supervisory authority may impose a monetary penalty directly on the manager (e.g. CEO, director).
- The penalty may amount to up to 300% of the remuneration received by the sanctioned person (calculated in the same way as the cash equivalent for annual leave).
- For managers of public entities this limit is 100% of remuneration.
3. Periodic monetary penalties (for delay)
To compel an entity to comply with a decision of the supervisory authority (e.g. an order to remedy a vulnerability), the authority may impose a periodic penalty for each day of delay.
The amount of the penalty is from PLN 500 to PLN 100,000 for each day of delay.
4. Administrative sanctions (including suspension of activity)
In the case of persistent breaches by an essential entity and failure to comply with the authority's orders, severe administrative measures may be applied (these do not apply to public entities):
- ban on holding managerial functions – the authority may issue a decision prohibiting the manager (e.g. the CEO) from holding such functions until irregularities are remedied,
- suspension of activity – it is possible to suspend licences, permits or to remove an entity from the register of regulated activities, and even to suspend business activity in a specified scope,
- public disclosure – the authority may order the public disclosure of information about the company's breaches of the law, which entails reputational losses.
5. Mitigating circumstances
When determining the amount of the penalty, the authority takes into account, among other things, the severity of the breach, its duration, the degree of cooperation with the authority, whether the breach was intentional and what damage it caused. The authority may refrain from imposing a penalty if the breach is minor and the entity has ceased the infringement.
Yes, under the amended Act on the National Cybersecurity System (implementing the NIS2 Directive) members of the management board (referred to in the Act as the "manager of the entity") may bear personal financial liability for breaches of the regulations.
1. Level of monetary penalty
The competent cybersecurity authority may impose on the manager of an essential or important entity a monetary penalty of:
- up to 300% of the remuneration received by the sanctioned person (calculated according to the rules applied when determining the cash equivalent for annual leave),
- up to 100% of remuneration – in the case of managers of public entities.
2. Liability of all board members
The Act specifies that if the manager of the entity is a multi‑member body (e.g. the management board), and no specific person responsible for cybersecurity has been designated, all members of that body bear responsibility.
3. Breaches punishable by personal penalty
A personal penalty may be imposed for failure to perform specific statutory duties, in particular for:
- failure to submit an application for entry in the register of essential and important entities,
- failure to implement or properly maintain an information security management system (risk assessment, technical measures),
- lack of supervision over security documentation,
- failure to report a serious incident to the appropriate CSIRT team,
- failure to carry out a mandatory security audit (in the case of essential entities),
- failure to designate contact persons with the bodies of the national cybersecurity system,
- failure to undergo mandatory cybersecurity training (required once a year).
4. Delegation of tasks does not absolve responsibility
Board members bear responsibility even if they delegate the performance of duties to another person (e.g. IT director or an external company). The board has an obligation to supervise these activities and to ensure funding for their implementation.
5. Other sanctions against the board
In addition to financial penalties, in extreme cases (e.g. persistent breaches by an essential entity) the supervisory authority may issue a decision prohibiting the manager from holding managerial functions until the irregularities are remedied.
The Act on the National Cybersecurity System (UKSC), which implemented the NIS2 Directive, covers a very wide scope of the economy. It divides entities into two main groups depending on their sector of activity: key sectors (Annex No. 1 to the Act) and important sectors (Annex No. 2 to the Act).
1. Key sectors (essential entities)
These are sectors of critical importance for the functioning of the state and the economy. They are set out in Annex No. 1 to the Act:
- Energy: extraction of minerals, electricity (including generation, transmission, distribution, trading, charging points), heat (generation, trading, transmission, distribution), oil and fuels (including production, transmission, storage, transshipment, trading), gas (including production, transmission, trading, distribution, storage, liquefaction), nuclear energy (operators), hydrogen (transmission, storage, production, distribution).
- Transport: air transport (including air carriers, airport operators, air traffic control), rail transport (infrastructure managers, carriers), maritime transport (including shipowners, entities managing seaports and inland ports), road transport (road administrators, entities providing intelligent transport systems – ITS).
- Banking and financial market infrastructure (including credit institutions, domestic banks, branches of foreign banks, cooperative savings and credit unions, exchanges, central counterparties).
- Healthcare: provision of healthcare and public health (including healthcare providers, EU reference laboratories), production and distribution of active substances, medicinal products and medical devices (including pharmaceutical manufacturers, including vaccine manufacturers in crisis situations).
- Supply of drinking water and its distribution (entities supplying water intended for human consumption).
- Collective wastewater discharge (entities discharging or treating wastewater).
- Digital infrastructure: providers of Internet exchange points (IXP), DNS service providers, top-level domain (TLD) registries, cloud service providers, data centre service providers, content delivery network (CDN) providers, trust service providers, domain name registration service providers, electronic communications undertakings.
- ICT service management (B2B): managed service providers (MSP), managed security service providers (MSSP).
- Space (ground infrastructure operators supporting the provision of space services, the Polish Space Agency).
- Public entities (including government public entities, e.g. ministries, ZUS, KRUS, NFZ).
2. Important sectors (important entities)
These are sectors important for the economy. They are set out in Annex No. 2 to the Act:
- Postal services (postal operators, including courier companies).
- Nuclear energy investments (entities that are investors in nuclear energy facilities).
- Waste management: waste collection, waste transport, waste processing (including sorting), together with supervision over the aforementioned activities, as well as subsequent handling of waste disposal sites, activities carried out as a waste dealer or broker.
- Production, manufacture and distribution of chemicals.
- Production, processing and distribution of food (food businesses engaged in wholesale distribution or industrial production).
- Manufacturing: manufacture of medical devices and in vitro diagnostic devices, manufacture of computers, electronic and optical products, manufacture of electrical equipment, manufacture of machinery and equipment, manufacture of motor vehicles, trailers and semi-trailers, manufacture of other transport equipment.
- Providers of online platforms (online marketplace platforms, internet search engines, social networking service platforms).
- Scientific research (including research organisations).
- Public entities (including municipal budgetary units, municipal cultural institutions, municipal companies, if they provide services using IT systems).
It is worth remembering that assignment to a category (essential entity or important entity) also depends on the size of the enterprise. As a rule, the regulation covers medium-sized and large enterprises, although there are exceptions concerning some small companies in critical sectors such as telecommunications or trust services.
Preparing an organisation for a compliance inspection under the Act on the National Cybersecurity System (which implemented the NIS2 Directive) is a comprehensive process that requires legal, organisational and technical actions. An inspection may take the form of a mandatory audit (for essential entities) or supervisory activities by the competent authority (for all entities).
1. Verification of status and registration
The first step is formal confirmation of the organisation’s status, i.e. determining whether it is an essential entity or an important entity (this depends on the sector of activity and the size of the company).
- Entry in the register: an application for entry in the register of essential and important entities must be submitted within 6 months of meeting the statutory criteria.
- Contact details: at least two contact persons must be appointed and reported to the national cybersecurity system (or at least one person in the case of micro or small companies).
2. Board engagement (governance)
Auditors will verify whether senior management is actively engaged in the cybersecurity process.
- Approval of policies: the security policy for network and information systems must be formally approved by the head of the entity (e.g. the management board), with a documented approval date.
- Management training: it must be documented that the head of the entity has completed the mandatory cybersecurity training (required once a year).
- Responsibility: it must be demonstrated that the head of the entity oversees the security management system and allocates a budget to it.
3. Risk management (the foundation of compliance)
The information security management system (SZBI) must be risk-based. The organisation must provide evidence demonstrating:
- methodology – having a documented risk management methodology,
- analysis – carrying out identification and assessment of risks to information systems (an all-hazards approach, taking into account not only cyberattacks but also failures, human errors and natural disasters),
- risk treatment plan – documentation indicating who is responsible for risk mitigation and which measures have been implemented.
4. Implementation and documentation of security measures
The organisation must have normative documentation (policies, procedures) and operational documentation (logs, reports) that confirm fulfilment of obligations. Preparation for inspection should cover at least the following areas (in accordance with art. 8 UKSC and ENISA guidelines):
- incident handling – procedure for detecting, recording and reporting incidents (including early warning within 24 hours), an incident register and the ability to categorise incidents,
- business continuity (BCM) and crisis management – contingency plans, disaster recovery plans and evidence of performing and testing backups (the 3–2–1 rule, recovery tests),
- supply chain security – policy for assessing ICT and hardware suppliers, cybersecurity clauses in supplier contracts,
- personnel security – onboarding and offboarding procedures (granting and revoking access rights), background checks for key positions and regular cyber hygiene training (confirmed by attendance lists or certificates),
- access control – application of the need-to-know principle and least privilege, and where justified – multi-factor authentication (MFA) and identity management,
- encryption – policy on the use of cryptography and data encryption (at rest and in transit),
- vulnerability management – regular vulnerability scanning and deployment of security patches (patch management).
5. Preparation for audit (specifics for essential entities)
Essential entities must carry out an audit at least once every 3 years at their own expense.
- Choice of auditor: the audit may be conducted by an accredited conformity assessment body or by at least two qualified auditors (with appropriate experience or certifications).
- Independence: the auditor must not be a person who performs cybersecurity tasks within the company.
- Scope: the audit covers the assessment of information systems used to provide the essential service.
6. Internal reviews (self-assessment)
Even before an official inspection, the organisation should regularly (e.g. once a year) carry out an independent review of its security posture. Such a review may be carried out by a separate internal unit (e.g. internal audit) or an external company. Results must be reported to the management board.
Checklist of documentation (evidence according to ENISA)
During an inspection auditors may request the following evidence:
- organisational chart specifying security roles (CISO),
- risk register and risk assessment reports,
- supplier contracts containing security requirements,
- security test reports and vulnerability scanning reports,
- system logs (e.g. from SIEM, firewall) confirming monitoring,
- protocols from backup recovery tests,
- attendance lists from awareness training,
- password policy and evidence of MFA use.
Preparation therefore requires not only “paper” compliance, but also evidence proving that processes actually work (e.g. logs, test reports, incident protocols).