NIS2 · EU 2022/2555

Does NIS2 apply to your company?

The NIS2 directive covers hundreds of companies in Poland. Fines reach 10 million EUR. Check if you need to comply and learn about our 30/60/90 day plan.

What is NIS2?

NIS2 (Network and Information Security Directive 2) is a European Union directive (EU 2022/2555) on cybersecurity. It replaces the previous NIS directive from 2016 and significantly expands the scope of entities covered. In Poland, it is being implemented through amendments to the National Cybersecurity System Act (KSC).

The directive applies to essential and important entities from sectors such as: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal services, waste management, chemical manufacturing, and food production. Penalties for non-compliance reach 10 million EUR or 2% of global annual turnover for essential entities.

30/60/90 day implementation plan

Day 1-30

Analysis and assessment

  • NIS2 gap analysis
  • Cybersecurity risk assessment
  • Critical asset identification
  • Security policy review
  • Recommendations report

Day 31-60

Implementation

  • Security policy development
  • Technical controls implementation
  • Incident reporting procedures
  • Supply chain management
  • Employee training

Day 61-90

Verification

  • Internal audit
  • Business continuity testing
  • Compliance documentation
  • Management review
  • NIS2 readiness report

FAQ — NIS2

Who does NIS2 apply to?

Essential and important entities from 18 economic sectors: companies with more than 50 employees or turnover above 10 million EUR, operating in sectors covered by the directive. Regardless of size: DNS service providers, TLD registries, and trust service providers.

What are the penalties for non-compliance?

For essential entities: up to 10 million EUR or 2% of global annual turnover (whichever is higher). For important entities: up to 7 million EUR or 1.4% of global annual turnover. In addition, management bears personal liability.

Are small companies exempt?

As a rule, yes, but there are exceptions. Regardless of size, NIS2 applies to DNS service providers, TLD registries, trust service providers, and companies designated by a member state as essential entities due to their significance.

When does NIS2 take effect?

The NIS2 directive entered into force on 16 January 2023. Member states had until 17 October 2024 to transpose it into national law. Poland is working on amending the KSC Act.

What are the incident reporting obligations?

NIS2 requires reporting significant cybersecurity incidents in three stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. Reports are directed to the relevant CSIRT or supervisory authority.

Does NIS2 apply only to Polish companies?

No. NIS2 applies to all companies operating in the European Union that meet the sectoral and size criteria. A company registered abroad but providing services in Poland may also be subject to NIS2.

How much does NIS2 implementation cost?

The cost depends on company size, sector and current cybersecurity maturity level. Our packages start from 15,000 PLN net for full implementation in a 90-day plan. The initial consultation is free.

Ready to talk?

Book a free 30-minute consultation

Does NIS2 apply to your company? | RedMoon