Poland is currently working on implementing regulations that will align national law with the EU’s NIS 2 Directive, designed to raise cybersecurity standards across EU member states. Although the deadline for adopting national legislation passed on 17 October 2024, Poland failed to meet it. However, the final draft of the new act is now ready, and the new rules may soon enter into force—introducing stricter requirements for data protection, IT systems and incident response.
As automation, digitalization and the use of artificial intelligence continue to grow, businesses are developing faster than ever before. Yet, with technological progress comes a growing number of risks that many business owners underestimate.
The NIS 2 Directive, which entered into force in January 2023, aims to strengthen cybersecurity across the EU. Member states were given 21 months to implement the directive into national law, meaning Poland is already more than a year past the deadline. However, on 4 November, the government published the final text of the draft act amending the national cybersecurity system (UC32). A vote may still take place before 30 November, enabling the law to enter into force at the start of the new year.
“Companies can and should begin implementing new procedures now,” explains Karolina Praszek-Gołębiewska, an information security specialist.
“There will be only 30 days between publication and the law entering into force. For large organizations, this is extremely little time to implement all required changes. NIS 2 has been directly applicable at the EU level since October 2024, so the implementation period has already begun. Now is the moment to assess your organization’s readiness—because those 30 days may turn out to be far too short.”
Growing Cyber Threats: Why NIS 2 Matters
Cyberattacks have increasingly disrupted the operations of companies and public institutions in recent years. Phishing, ransomware and skimming have become part of the everyday vocabulary of modern business. The larger and more strategically important a company is, the more attractive it becomes to cybercriminals.
“NIS 2 will not eliminate cyberattacks,” says Praszek-Gołębiewska.
“Its goal is to give companies tools to recover quickly from incidents—limiting downtime and financial loss. The directive’s core purpose is to ensure business continuity and operational stability.”
NIS 2 Will Apply to Most Companies—Not Only Large Corporations
The directive divides organizations into three categories:
- Essential entities – organizations of strategic significance whose disruption could threaten national security (e.g., healthcare, military, banking).
- Important entities – those whose operations remain important but whose disruption would not immediately endanger the state.
- Other organizations meeting specific size or revenue thresholds (over 50 employees and annual turnover above €10 million).
NIS 2 will also apply to companies providing services to essential or important entities or operating within their supply chains.
“This is crucial—organizations will be required to choose partners who maintain comparable security standards. It is estimated that NIS 2 will ultimately apply to 80–90% of all entities operating in Poland,” says Praszek-Gołębiewska.
No One-Size-Fits-All Approach: Every Company Must Adapt Individually
Even the most precise regulations cannot produce a universal checklist. Each organization requires an individual approach that considers:
- structure
- size
- number of employees
- types of data processed
- risk exposure
NIS 2 requires companies to perform risk assessments and implement adequate technical and organizational measures. A professional analysis conducted by an auditor or data protection specialist is essential to identify the right solutions.
Risk analysis forms the foundation of the entire process—identifying vulnerabilities and implementing appropriate legal, technical and organizational safeguards. The EU emphasizes that companies must proactively manage cybersecurity, including establishing clear procedures for reporting incidents.
Audits performed by information security inspectors will evaluate the company’s overall level of protection, including how data is processed and whether security procedures are sufficient.
“We examine how the company stores data—whether it’s printing documents and putting them in binders (which I strongly advise against) or using a professional risk-based approach with proper safeguards. This helps us identify the most vulnerable areas,” explains Praszek-Gołębiewska.
Security as a Condition for Cooperation: Companies Will Need to Verify Partners
NIS 2 introduces a requirement for vendor and partner verification. Before establishing collaboration, companies must check:
- the partner’s IT systems
- implemented security controls
- whether the partner is supervised by a data protection officer
- how they protect themselves from cyberattacks
“If we grant another company access to our infrastructure or our data, they must be as secure as we are,” she explains.
Vendor verification usually begins with security questionnaires, followed by audits—common in sectors such as finance.
Maintaining a secure supply chain is only possible if partners implement security measures at comparable levels.
Personal Liability for Company Boards
A major change introduced by NIS 2 in the Polish legal system is personal liability of management board members for ensuring appropriate information security levels within a company.
This is the first such explicit regulation in Poland, signaling that company leadership cannot avoid consequences for negligence. In extreme cases, executives may bear financial liability, including their personal assets such as:
- homes
- vehicles
- bank accounts
“This is a clear message: security oversight becomes a strategic obligation, not a mere formality. You cannot declare bankruptcy or resign to avoid responsibility,” says Praszek-Gołębiewska.
“We invest in good schools, high-quality homes, monitoring systems, and vacations—but we forget that our businesses generate the money that pays for all of this. We must secure our business before anything else.”