
NIS2 – what it is, why it was introduced, and who it applies to

What is NIS2?

NIS2 is the commonly used name for Directive (EU) 2022/2555 of the European Parliament and of the Council, formally titled the Directive on measures for a high common level of cybersecurity across the Union. It is an EU legal act aimed at strengthening organizations’ resilience to cyber threats and harmonizing the level of cybersecurity across Member States.

The NIS2 Directive replaces the earlier NIS Directive (commonly referred to as NIS1), which had been in force since 2016. Compared to its predecessor, the new directive significantly expands both its scope and applicability. It also introduces more precise requirements and increases the accountability of senior management for IT security.

Why was NIS2 introduced?

Since the adoption of the original NIS Directive, the cyber threat landscape has changed dramatically. Today, organizations face:

  • a sharp increase in cyberattacks (including ransomware),
  • growing dependence on IT systems and data,
  • complex supply chains, where a single weak link can compromise the entire ecosystem,
  • increasing scale and sophistication of cybercriminal activity.

At the same time, NIS1 proved insufficient. Its implementation varied across Member States, and it covered a relatively limited group of entities. As a result, it failed to ensure a consistent level of protection across the EU.

NIS2 was introduced to:

  • raise the overall level of cybersecurity in key sectors of the economy,
  • improve harmonization and alignment of requirements across the European Union (while recognizing that the directive must be transposed into national law – in Poland, through the Act on the National Cybersecurity System, UKSC),
  • extend regulatory coverage to a broader range of organizations,
  • increase the accountability of management boards for information security,
  • enhance cooperation and information sharing between EU Member States in the field of cybersecurity.

Who does NIS2 apply to?

One of the most significant changes introduced by NIS2 is the substantial expansion of the scope of covered entities. Instead of the general classification used in NIS1, the directive introduces two categories:

Essential entities

These include organizations operating in sectors where disruption could have serious consequences for national security, the economy, or public health, such as:

  • energy,
  • transport,
  • banking and financial market infrastructure,
  • healthcare,
  • drinking water and wastewater,
  • digital infrastructure,
  • public administration (at central and regional levels).

Important entities

This category includes, among others:

  • digital service providers,
  • manufacturing companies (e.g. medical devices, electronics, machinery),
  • postal and courier services,
  • waste management,
  • IT service providers and MSPs delivering critical services to other organizations.

Importantly, applicability is determined not only by sector but also by the size of the organization. As a general rule, NIS2 applies to medium-sized and large entities. However, in certain cases, smaller organizations are also included – particularly those playing a critical role in the supply chain.

What is the legal basis for NIS2?

NIS2 has been adopted as an EU directive, which means that:

  • it applies to all EU Member States,
  • it is not directly applicable and must be transposed into national law,
  • each Member State is required to adopt national legislation aligned with its provisions (in Poland, this is the Act on the National Cybersecurity System – UKSC).

EU Member States were required to transpose the directive into national law by 17 October 2024. In Poland, this is being implemented through an amendment to the UKSC.

Transposition of NIS2 into Polish law

In Poland, NIS2 is being implemented through an amendment to the Act on the National Cybersecurity System (UKSC), signed by the President of Poland on 19 February 2026, after the EU transposition deadline. The new regulations define, among other things: the competent national authorities, the classification of entities as essential or important, supervisory procedures, and the system of administrative penalties. The transposition of NIS2 into the Polish legal framework clarifies the organizational and technical obligations that covered entities must meet and strengthens the role of management boards in overseeing cybersecurity. For organizations operating in Poland, it is essential to monitor national implementing regulations, as these determine in practice how the directive’s requirements must be fulfilled.

Summary

NIS2 and its national implementation – the Act on the National Cybersecurity System (UKSC) – are not “just an IT regulation.” On the contrary, they directly impact:

  • risk management strategy,
  • the accountability of management board members,
  • relationships with suppliers and partners,
  • operational and reporting processes.

As a result, for many organizations this means the need to restructure processes, implement formal security management mechanisms, and gain better control over what is actually happening within IT systems and operational processes.

NIS2 isn't just a regulatory requirement – it's a risk your board owns. Let's make sure you have the right answers before your regulator asks the questions.


