With over 10 years of experience in information security and business continuity, ODO 24 offers expert implementation of the NIS2 directive, combining a legal obligation with enhancing your organisation's cybersecurity.
Ensure smooth implementation of the necessary procedures that will increase protection against cyber threats and strengthen your company's digital resilience. As part of NIS2 implementation, we will conduct a full compliance audit, a comprehensive risk analysis, and prepare the necessary documentation and train employees and management.
NIS2 implementation is not only about meeting formal legal requirements, but above all consciously building cyber resilience and the security of your business.
If you want to find out who the NIS2 directive applies to, whether your company is subject to the obligations arising from NIS2, and what steps you need to take to meet the new requirements – complete the free test.
The NIS2 requirements audit is a process in which we thoroughly examine how your company meets the provisions of the Act on the National Cybersecurity System, identifying both areas of conformity and those requiring adjustment. It is a key step towards ensuring that all operations and systems are not only secured but also fully aligned with current regulations, providing a solid foundation for further strengthening the organisation's cyber resilience.
As part of the NIS2 risk analysis, we are closely examining potential threats to
Preparation and updating of documentation in the context of the NIS2 Directive is key
This includes developing or reviewing risk analysis, safety and security policies.
We also focus on the security of procurement, development and maintenance processes.
Our documentation also takes into account the policies and procedures
Our board training focuses on key aspects of the National Cyber Security System Act, highlighting the board's role in effective cyber risk management. The training programme includes an understanding of the UKSC requirements, including risk analysis policy, incident handling, business continuity and crisis management. We emphasise the importance of the board's active participation in shaping the cyber security culture and in making security policy decisions, which is key to effectively protecting against threats and minimising the impact of incidents on the organisation.
Our staff training focuses on raising awareness of cyber hygiene and cybersecurity, which is key to meeting NIS2 requirements.
Employees gain an understanding of the basics of cyber hygiene, including the safe use of IT systems, recognising potential threats such as phishing or malware, and responding appropriately to cyber incidents.
The training programme also includes an understanding of the role each employee plays in ensuring the business continuity and security of the organisation, highlighting the importance of adhering to the company's security policies and procedures. In this way, employees become an essential part of the company's cyber risk management system.
Marcin Wieczorek
From 13 to 17 March I attended the "Course for Information Security Administrators" organized by ODO 24 sp. z o.o. I am very impressed with the high substantive level of the training staff and the comprehensive program. Working as an ABI requires knowledge not only of legal provisions but also of IT matters, which ODO 24 took into account. Noteworthy is the curriculum, which gradually introduces increasingly advanced nuances of personal data protection, starting from the legal basics and ending with practical aspects of auditing and working with documents within a company. The complete set of materials, editable documents and publications I received will facilitate my daily work as an ABI. I can certainly recommend ODO 24 as a reliable partner offering training services of a high standard.
Magdalena Węglewska
For many years we have consistently placed great importance on the protection of the personal data of our customers as well as our employees. We took an active part in creating the "Code of Good Practice for the Protection of Personal Data of Customers and Potential Customers,” developed jointly by GIODO and the Polish Automotive Industry Association. Due to the complexity and variability of the rules on personal data protection, as well as Mazda’s dynamic development in Poland and the increasing volume of data we process, we decided to entrust the ABI function to a company specialized in this field. The decision to use the services of ODO 24 was primarily influenced by the experience and competence of the team of experts, the comprehensiveness of the offering and its flexibility in adapting to our organization. After a year of cooperation we can recommend ODO 24 as a professional and reliable partner.
Agnieszka Karłowicz
We have been working with ODO24 for over a year. For us it has been a year of peaceful breathing and a sense of security: at least regarding personal data protection :-) The people at ODO are professionals who explain matters that are incomprehensible to the average person in an understandable way. They understand not only their profession but, which is very important to us, business and its requirements. A practical approach, constant advisory availability, and great relationships — all of this means I can recommend this Company to anyone who wants to work and sleep peacefully.
Tomasz Siwicki
For several years we have been cooperating with ODO 24 in the field of personal data protection. A professional team that efficiently helped us to comply with the requirements of the GDPR. We make use not only of the experts’ knowledge but also of professionally prepared e‑training, thanks to which we were able to train several hundred employees in a very short time. I highly recommend ODO 24 as a professional partner delivering services at the highest level.
The implementation of NIS2 should begin with a risk analysis – this is the first and key step that allows you to identify assets, threats and vulnerabilities.
Why is this important?
The UKSC, like RODO, does not specify concrete protective measures – it is you who, based on the conducted risk analysis, must determine appropriate security measures.
The subsequent steps of NIS2 implementation are:
In summary: start with a risk analysis, and only then address appropriate technical and organisational safeguards and training.
From regular reviews of supplier registers through contractual risk analysis to classification of service criticality – every piece of this puzzle matters. Learn what steps to take to not only meet the requirements of NIS2 (UKSC), but also to build your organisation's resilience to contemporary challenges. In this article we discuss best practices and tools that will help you keep the supply chain fully under control.
Read the article: How to implement NIS2 – supply chain
Business continuity has become one of the pillars of security in the digital era, and NIS2 (UKSC) sets new standards that organisations must meet in order to respond effectively to threats and avoid disruptions to their operations. Introducing appropriate regulations and procedures is no longer optional — it is a necessity for essential entities and important entities, which bear the responsibility for maintaining the stability of critical services.
Read the article: How to implement NIS2 – business continuity
An incident management policy is one of the key elements of an effective information security system, particularly in the context of the requirements introduced by UKSC. The main objective of an incident management policy is to establish clear rules and procedures that enable an organisation to react quickly and effectively to breaches, minimise their impacts and prevent similar events in the future. A properly implemented incident management policy not only helps to meet legal requirements, but also protects the organisation's reputation, reduces financial losses and builds trust among customers and business partners.
Read the article: How to implement the NIS2 Directive – incident management
Risk analysis is the foundation of effectively implementing any security measures under NIS2 (UKSC). Like RODO, UKSC is technology-neutral, which means it does not impose specific safeguards on organisations but emphasises flexibility and tailoring measures to the specifics of a given organisation.
Read the article: How to implement the NIS2 Directive – risk management
The introduction of the NIS2 Directive, i.e. the latest EU regulations in the field of network and information systems security, is a breakthrough that completely changes the rules of the game. Essential and important organisations for the economy must now not only increase their resilience to cyber threats, but also implement concrete and systematic protective measures. The aim is to create effective, threat-resilient structures that will be able to fully secure both data and the company's critical infrastructure.
Read the article: How to implement the NIS2 Directive – information security policy
Implementation of the NIS2 Directive involves adapting to the requirements set out in the Act on the National Cybersecurity System (UKSC). In practice it is the process of preparing the organisation to meet the new requirements:
NIS2 regulations in Poland, i.e. the requirements set out in the Act on the National Cybersecurity System (UKSC), mainly cover medium and large companies (≥50 employees or turnover ≥10 mln EUR) operating in essential and important sectors of the economy.
Essential sectors (Essential Entities - EE):
Important sectors (Important Entities - IE):
Organisations that were previously subject to the requirements introduced by the NIS1 Directive should also review policies and procedures, primarily in the areas of risk management and reporting obligations. A compliance assessment and gap analysis will enable the preparation of a comprehensive strategy to align with the NIS2 Directive.
Our comprehensive services will help your company achieve a high common level of cybersecurity and meet the UKSC requirements. We offer:
Contact us and find out how we can help your organisation ensure compliance with the UKSC. Together we will look after the security of your company in the rapidly changing world of cyber threats!
UKSC must be complied with by so‑called essential and important entities, which are defined in the Act. This includes a wide range of organisations operating in various sectors, such as energy, transport, banking, financial market infrastructure, health, drinking water supply, the digital economy, public administration and space. These entities are obliged to introduce and apply measures aimed at enhancing cybersecurity and managing digital risk, and to report serious security incidents. The Act expands the definition of these entities to include medium and large enterprises from these sectors, emphasising that the requirements apply not only to operators of essential services but also to providers of digital services.
The NIS2 regulation is based on the NIS2 Directive, that is the Directive on measures for a high common level of cybersecurity on the territory of the UE – a legal act aimed at strengthening the security of networks and information systems across the UE. The Directive expands the scope of sectors covered by the rules and introduces new categories of essential and important entities that must meet certain requirements. NIS2 obliges these entities to implement appropriate cybersecurity risk management measures and to report serious incidents, with the aim of increasing resilience and providing better protection against cyber threats at both national and UE level. In Poland, NIS2 was implemented on 2 March 2026 by amending the Act on the National Cybersecurity System (UKSC).
In Poland, the NIS2 Directive was implemented on 2 March 2026 by amending the Act on the National Cybersecurity System (UKSC). This Act has direct application to entities and organisations operating in Poland and replaces the previous provisions concerning cybersecurity.
NIS2, i.e. in Poland: the Act on the National Cybersecurity System (UKSC), must be complied with by so‑called essential and important entities, which are defined in the Act. This includes a wide range of organisations operating in various sectors, such as energy, transport, banking, financial market infrastructure, health, drinking water supply, the digital economy, public administration and space. These entities are obliged to introduce and apply measures aimed at enhancing cybersecurity and managing digital risk, and to report serious security incidents. NIS2 expands the definition of these entities to include medium and large enterprises from these sectors, emphasising that the requirements concern not only operators of essential services but also providers of digital services.
NIS2 introduces a number of requirements for essential and important entities, including:
Above all, practical examples and ready-made solutions. Our trainers are happy to share the knowledge they have acquired, answer questions, and continuously learn from their clients – the training is regularly updated based on our experience from hundreds of IT audits carried out and supporting our clients in building an information security system. We consistently encourage all participants to ask questions – even after the training.
No, directives such as NIS2 do not apply directly. They require transposition into the national law of each Member State of the European Union. In Poland, transposition was effected by an amendment to the Act on the National Cybersecurity System (UKSC), which has direct application to entities and organisations.
The UKSC provides for the possibility of imposing sanctions on organisations that do not comply with its requirements:
For breaches of the UKSC provisions – essential entities may be fined up to 10 million euros, while important entities up to 7 million euros. Independently of imposing a fine for breaches of the Act, the competent authority may impose a periodic monetary penalty on an essential or important entity if it delays in performing the duties imposed on it as part of supervisory activities or enforcement measures. Such a penalty amounts to from 500 to 100,000 zlotys for each day of delay.
According to the draft amendment to the Act on the National Cybersecurity System (UKSC), the manager of an essential or important entity may be subject to a financial penalty for failure to perform the duties indicated in the Act, if this is justified by the time, scope or nature of the breach. The maximum amount of the penalty that may be imposed is also increased – up to 300% of the manager's remuneration, calculated according to the rules applicable when determining the monetary equivalent for leave (the previous penalty was a maximum of 200% of monthly remuneration).
Context of the organization
Leadership
Planning
Support
Operational activities
Assessment of the effects of action
Improvement
Reliable and documented assessment of the organisation's compliance with the requirements of the National Cybersecurity Act audit report.Precise recommendations to address any deficiencies or omissions in clauses, statements, records or procedures.Evidence to external auditors that you regularly assess the effectiveness of information security measures.
Risk analysis identifies, assesses and prioritizes potential threats to the organisation, defines both the likelihood of a particular event occurring and the possible impact on the business.
The risk analysis shall be carried out in accordance with the requirements of ISO 27005.
Risk analysis report with list of possible threats and their potential impactRisk register detailed list of identified risksRisk management plan document indicating appropriate strategies for managing each riskStatement of Applicability required by the standardsRecommendations for implementation specific recommendations for corrective actionsUp-to-date risk information regular updates on risks that may affect the organisation
The documentation confirms that the company is operating in accordance with the requirements of the NIS2 Directive, which is necessary during audits or inspections carried out by regulatory authorities.
We supplement or create documentation of information security policies and procedures that is tailored to the size of the company, the level of IT and the number of employees.
Documentation ensuring continuity of operation and systematic incident managementConfirmation of the proper implementation of the requirements of the National Cybersecurity ActFull package of security policies and procedures tailored to the specifics of the organisation
Conscious leaders support building a culture of security, which translates into more reliable and resilient business operations.
Management training enables a better understanding and implementation of key standards within an organisation.
Training helps to understand the incident management processes required by NIS2 and to implement preventive measures and emergency procedures. As a result, the company is better prepared for challenges, minimises the risk of disruption and can respond quickly to threats, ensuring stability and business continuity.
A trained management that is aware of its responsibilities under security procedures significantly increases the level of protection of the organisation and its ability to respond to incidents.Confirmation of the proper implementation of the requirements of the National Cybersecurity Act
Through education, organizations increase the efficiency and consistency of standards implementation, and knowledgeable employees contribute to improving the safety, quality and continuity of the company's operations.
Employee training is not just about communicating information it is about building a culture of understanding, engagement and excellence.
When we teach our teams "why" and "how", we not only raise the bar for our organisations, but more importantly, we invest in the people who become the pillars of that excellence. Remember, real change starts with people, and the right training is the bridge to that success.
Trained personnel who know their responsibilities under safety proceduresConfirmation of the proper implementation of the requirements of the National Cybersecurity Act
