NIS2 – additional key areas organizations need to understand
1. What obligations does NIS2 impose on organizations?
The NIS2 Directive introduces specific and measurable obligations across governance, technology, and incident reporting. In practice, these are no longer general “recommendations,” but enforceable requirements subject to regulatory oversight.
Organizational obligations
Organizations covered by NIS2 must implement a structured approach to cybersecurity management, including:
- formal cybersecurity risk management,
- information security and business continuity policies,
- incident response procedures,
- regular training for employees and management,
- oversight of supply chain security.
A key shift is that IT security is no longer solely the responsibility of technical teams – it becomes an integral part of overall organizational management.
Technical obligations
While NIS2 does not prescribe specific technologies, it defines areas that must be secured proportionately to risk, including:
- IT systems and network security,
- identity and access management,
- backups and data recovery,
- monitoring and incident detection,
- protection against cyberattacks.
Technical measures should be aligned with the organization’s scale and the criticality of its systems.
Reporting obligations
A key component of NIS2 and the Polish UKSC framework is incident reporting in line with a defined timeline:
- initial notification – within 24 hours,
- detailed report – within 72 hours,
- final report – after incident resolution.
This requires clearly defined procedures, roles, and communication channels. Without proper organizational readiness, companies risk delays in reporting and increased exposure to penalties.
2. Management accountability and sanctions – what is really changing?
NIS2 significantly strengthens the accountability of senior management for cybersecurity, making the role of the management board critical.
Role of management
Under the directive, management is responsible for:
- approving cybersecurity risk management measures,
- overseeing their implementation,
- ensuring adequate resources are allocated,
- maintaining sufficient knowledge to make informed decisions.
Lack of involvement is no longer an excuse – the directive explicitly assigns responsibility to management.
Sanctions
In the event of non-compliance, organizations may face:
- significant administrative fines,
- orders to implement specific technical and operational measures,
- temporary bans from holding management positions,
- increased regulatory supervision.
This clearly signals that cybersecurity is treated on par with other areas of regulatory risk, and should be addressed at the strategic level.
3. How to prepare your organization for NIS2 and UKSC – step by step
Preparing for NIS2 is a process, not a one-off project. A phased approach is recommended:
Step 1: Identify organizational status
Determine whether your organization qualifies as an essential or important entity. This involves analyzing your sector, company size, and role in the supply chain to define the scope of obligations.
Step 2: Inventory processes and systems
Identify key business processes, map IT systems, and determine critical points.
Step 3: Gap analysis
Compare your current state with NIS2 requirements and identify organizational and technical gaps. This allows you to prioritize actions and plan further steps.
Step 4: Define roles and responsibilities
Assign clear accountability for cybersecurity and define the roles of management, IT, security teams, and business units.
Step 5: Implementation and testing
Implement and update tools and procedures, conduct training, and test incident response capabilities.
Ongoing review
After implementation, regular reviews are required – formally at least every three years. In practice, organizations should align review cycles with their pace of change and risk profile.
4. NIS2 and IT providers and the supply chain – what does it mean in practice?
NIS2 places strong emphasis on supply chain security, meaning responsibility extends beyond the organization itself.
In practice, organizations must:
- assess risks related to suppliers,
- verify their security practices,
- include cybersecurity requirements in contracts,
- monitor key partners.
What does this mean for IT providers?
IT providers can expect:
- stricter contractual requirements,
- security audits and questionnaires,
- the need to document processes and controls,
- increased pressure for standardization and formalization.
In summary, NIS2 impacts the entire organizational ecosystem. As a result, even entities not formally covered by the directive are raising their security standards, strengthening the resilience of the entire supply chain.
NIS2 isn't just a regulatory requirement – it's a risk your board owns. Let's make sure you have the right answers before your regulator asks the questions.