How to check compliance with NIS2 / KSC?
Readiness does not begin with implementing another set of policies, but with an honest answer to the question: where are we really today as an organisation?
In the new legal order, cybersecurity is no longer the sole domain of IT departments; it is becoming a key element of the responsibility of top management. The challenge faced by thousands of Polish enterprises is twofold. On the one hand, they must meet stringent statutory requirements; on the other hand – and more importantly – they must build a genuine ability to detect, repel and mitigate the effects of incidents. A key issue revealed by initial readiness analyses is the distinction between a formal declaration of compliance, based on dead procedures, and genuine operational resilience. In the face of the growing number of hybrid threats and unprecedented financial penalties, compliance audits and thorough gap analysis are no longer optional assessments; they are becoming tools for managing legal and business risk.
Basic concepts and assumptions of the new cybersecurity system

Understanding the new security architecture requires a precise definition of the relationship between the EU NIS2 Directive and the Polish legal order. The amended Act on the National Cybersecurity System (hereinafter: KSC) is the instrument that transposes European requirements into domestic law – it specifies the tasks and obligations of the individual entities of the system. Pursuant to Article 1 of the KSC, its material scope covers the organisation of the National Cybersecurity System, the tasks and obligations of the entities forming part of that system, as well as the manner in which supervision and control over the application of its provisions are carried out.
In order for an organisation to manage compliance effectively, it must rely on precise statutory definitions:
- Information systems security (Article 2(3)(d) of the KSC) – the resilience of information systems, at a given level of assurance, to events that compromise the confidentiality, integrity, availability and authenticity of the data processed or of the services associated with such data and offered by those systems.
- Cybersecurity (Article 2(4) of the KSC) – defined by reference to Regulation (EU) 2019/881 (the Cybersecurity Act): the activities necessary to protect networks and information systems, users of such systems and other persons against cyber threats.
- Incident (Article 2(5) of the KSC) – any event that has or may have an adverse impact on the security of information systems. The provisions differentiate incidents according to their severity and consequences, including:
  - critical incident (Article 2(6) of the KSC) – resulting in significant harm to security or public order, international interests, economic interests, the functioning of public institutions, or the rights and freedoms of citizens,
  - serious incident (Article 2(7) of the KSC) – one that causes or may cause a serious deterioration in the quality of, or interruption to, the continuity of service provision, financial losses, or that affects other entities by causing serious material or non-material damage.
Pursuant to Article 3 of the KSC, the overarching objective of the national cybersecurity system is to ensure cybersecurity at the national level, including the uninterrupted provision of services by essential entities or important entities, by achieving an appropriate level of security of their information systems and effective incident handling.
Essential entities and important entities – does your organisation fall under the new rules?
The KSC amendment significantly broadens the catalogue of entities subject to obligations. An entity’s classification determines the scope of supervision and the severity of sanctions. The distinction is based mainly on the sector of activity and the size of the undertaking, but the provisions also provide for a number of specific criteria.
Pursuant to Article 5(4) of the KSC, the principle of the higher classification applies: if an entity meets the criteria for both an essential entity and an important entity, it is deemed to be an essential entity.
Classification Criteria Overview (Articles 5 and 5a of the National Cybersecurity System Act)
It is worth noting an important legal nuance that is often omitted in simplified analyses. Pursuant to Article 5(6) and (7) of the NIS Act, even where a company exceeds the size criteria (for example, as part of a large capital group), it may not be classified as an essential entity or important entity if it demonstrates that its information system is entirely independent of the systems of affiliated or partner undertakings and that it does not provide services jointly with those undertakings. This is a critical point for capital groups in determining whether they fall within the scope of the NIS Act.
New catalogue of obligations – detailed analysis of Article 8 of the NIS Act
The most operationally important provision is Article 8 of the NIS Act, which requires entities to implement an information security management system. The legislator requires technical and organisational measures to be "appropriate and proportionate" to the risk, while taking into account the latest state of knowledge and implementation costs.
Below are 10 key areas requiring implementation, together with expert commentary:
Risk assessment and security policies (Article 8(1)(2)(a))
A general policy is not sufficient. The required policies must be topic-specific and precisely address the identified threats within particular business processes.
Physical and environmental security (Article 8(1)(2)(c))
Protection of infrastructure against unauthorized physical access and environmental threats (fire, flooding) must be included in the ISMS risk analysis.
Supply chain security (Article 8(1)(2)(e) and (2))
This is one of the most stringent areas. The entity must take into account not only the technical aspects of security, but also supplier-related vulnerabilities (Article 8(2)(1)), the overall quality of ICT products and, very importantly, the results of the coordinated security assessment at EU level. The organization must demonstrate that it verifies its suppliers for geopolitical and technical risk.
Business continuity and recovery plans (Article 8(1)(2)(f))
The Act requires the documentation and regular testing of business continuity plans (BCP) and disaster recovery plans (DRP). The lack of documented tests is one of the most common causes of negative audit results.
Education and cyber hygiene (Article 8(1)(2)(i) and (j))
The Act imposes an obligation to provide regular training for personnel and to implement basic cyber hygiene principles. The security of human resources must be supported by verification of employees’ awareness.
Cryptography and secure communication (Article 8(1)(2)(k) and (l))
The entity is required to use encryption wherever justified and to use secure communication channels – within the entity and within the national cybersecurity system.
Multi-factor authentication (MFA) (Article 8(1)(2)(l))
Where appropriate, MFA should be the standard for protecting access to systems processing data that affect the provision of the service.
Asset management and access control (Article 8(1)(2)(m) and (n))
Each entity must maintain a complete inventory of ICT assets and strict access control policies based on the principle of least privilege.
Incident management (Article 8(1)(4))
The obligation covers the full cycle: from detection, through logging and analysis, to mitigation. The procedure must be integrated with the reporting requirements to the relevant CSIRT.
Software updates and vulnerability management (Article 8(1)(5)(b))
The legislator introduced a specific operational requirement: before implementing an update, an analysis of its impact on the security of the service provided must be carried out. This radically changes the approach to automatic patches in critical systems.
Why is readiness verification (audit) necessary?
Conducting a gap analysis before entering the supervisory regime is the only way to avoid regulatory risk. The competent authorities have broad inspection powers, and the detection of deficiencies during an official inspection results in the issuance of post-inspection recommendations or the imposition of penalties.
Key gaps identified during readiness audits
- Dead documentation – BCP/DRP procedures exist on paper but have never been tested under simulated failure conditions.
- Lack of supply chain oversight – organisations do not have evidence of supplier security verification in accordance with the criteria set out in Article 8(2) of the KSC.
- Inadequate analysis of the impact of changes – failure to document the analysis of the impact of software updates on service continuity (the requirement under Article 8(1)(5)(b) of the KSC).
Benefits of a compliance audit
- Legal protection for management – possessing evidence of due diligence in overseeing the information security management system (SZBI).
- Optimisation of IT investment – focusing the budget on genuine security gaps rather than unnecessary technical solutions.
- Business continuity – reducing the likelihood of a serious incident that could paralyse the company’s operations.
- Market credibility – the status of an entity compliant with the KSC Act becomes a key advantage in tenders and B2B relationships.
Risks and liability – from financial penalties to board oversight
The amendment to the KSC Act introduces unprecedented personal liability. Pursuant to Article 2(8a), the concept of the “head of the entity” is closely linked to Article 3(1)(6) of the Accounting Act. This means that responsibility for cybersecurity rests directly with the management board (in capital companies) or with the head of the unit (in the public sector).
The head of the entity is responsible for:
- implementing and maintaining the information security management system (SZBI),
- approving the risk analysis,
- ensuring that resources are allocated to fulfil the statutory obligations.
The consequences of non-compliance are severe. In addition to substantial financial penalties (reaching millions of euros or a specified percentage of turnover), the organisation is exposed to operational risk (service paralysis) and reputational risk. In extreme cases, the supervisory authority may suspend certification or impose restrictions on the conduct of business if it finds persistent breaches of cybersecurity rules.
How can you check compliance with NIS2 / KSC? A practical self-assessment tool
Readiness for NIS2 does not begin with the implementation of yet another policy, but with an honest answer to the question: where are we really today as an organisation? Without a reliable diagnosis, any security strategy will be based on assumptions rather than facts.
That is why the first step should be to conduct a structured self-assessment. Our NIS2 / KSC checklist was designed precisely for this purpose. In an orderly manner, it will help you verify compliance in the key areas arising from the NIS2 Directive and identify specific regulatory, organisational and technical gaps.
It is not a general knowledge test or a marketing survey. It is a tool that:
- systematises the obligations imposed by the KSC Act,
- identifies areas of elevated risk,
- serves as the first practical working document for further actions.
The analysis result provides a clear answer as to whether the organisation is closer to a formal declaration of compliance or to genuine readiness for inspection and managerial accountability. Equally important, it provides a natural starting point for an in-depth gap audit, which translates the requirements of the KSC Act into a concrete action map.
If your organisation is subject to NIS2 or there is a high likelihood that it will fall within its scope, postponing readiness verification only increases the scale of risk. It is worth starting with a tool that will quickly show where you really stand and what needs to be done next.