NIS2 Directive – Which Organisations Must Comply with the New Cybersecurity Requirements?
ANSWER
The question of which specific organisations in Poland will be required to comply with the provisions of the NIS2 Directive will ultimately be determined by the Act on the National Cybersecurity System (KSC), the draft of which is currently under legislative development. The following information is based solely on the assumptions arising directly from the NIS2 Directive (EU) 2022/2555 and may be further specified at national level.
In accordance with the NIS2 Directive, cybersecurity obligations will apply to:
- Essential entities, including:
  - providers of energy services (electricity, gas, district heating),
  - entities in the transport sector (rail, aviation, maritime, road),
  - providers of healthcare services (including hospitals, laboratories, e-health providers),
  - providers of water services (drinking water supply and wastewater treatment),
  - providers of digital services (e.g. DNS, domain name registries, cloud computing),
  - public administrations (selected central and local government bodies).
- Important entities, including:
  - providers of postal and courier services,
  - manufacturers of electronic, computer, optical, and medical devices,
  - entities in the food and chemical sectors,
  - advisory and research services critical to key infrastructure,
  - providers of certain ICT services to essential entities.
In general, the Directive applies to organisations with more than 50 employees or an annual turnover/revenue exceeding 10 million euros. An exception applies to organisations operating in particularly sensitive sectors, where obligations may apply irrespective of size.


