Three weeks of paper-based work
On 7 March 2026, more than a thousand workstations were encrypted at the Provincial Specialist Hospital in Szczecin. Staff spent three weeks using pens and manually rewriting test results. A week later the same scenario played out at Bonifraterskie Centrum Medyczne, a network of three hospitals in Katowice, Krakow and Lodz, plus eight affiliated facilities.
These are weeks in the lives of thousands of patients who didn't receive their histopathology results on time. These are staff who could no longer check which medication had been administered earlier. These are doctors who, instead of treating, rewrote patient files by hand. And this is not a one-off incident. It is a daily argument for why the NIS2 directive is finally entering Polish law.
Around the same time, after 17 months of delay, Poland transposed the EU's NIS2 directive. This is not a coincidence. Lawmakers know that Polish healthcare is under constant attack. The new law won't help hospitals that have already been hit. It can help those that aren't waiting their turn.
This text is for people who know that NIS2 changes something but aren't sure whether it applies to their company, when to react, and what they actually need to do.
NIS2 in 60 seconds
NIS2 is an EU cybersecurity directive from December 2022 (officially: Directive 2022/2555). It replaced the older NIS from 2016, which proved too narrow. The old directive covered seven sectors; the new one covers eighteen. The old one applied to a handful of essential service operators; the new one will cover approximately 38,000 entities in Poland alone.
Three things are genuinely new:
- Self-identification. You determine whether you're covered and register yourself in the official register. The state will not come with a list.
- Supply chain security. Your company must have documented control over your suppliers' security. Which means your clients will demand the same from you.
- Personal management accountability. Cybersecurity is no longer an IT department problem. The CEO, director and board members are personally responsible for overseeing implementation.
And you can be fined not only after a data breach: you can be fined for failing to implement the required measures, even if you've never had an incident.
NIS2 vs NIS vs GDPR: don't confuse them
Three regulations that sound similar and are usually confused in boardroom conversations. A short distinction.
GDPR (2018)
Protects personal data. The Polish supervisory authority is UODO. Penalises data breaches or non-compliant processing. Applies to every company in the EU that processes personal data.
The old NIS (2016)
The first EU directive on cybersecurity of critical infrastructure. Transposed in Poland in 2018. Covered around 400 entities. Replaced by NIS2.
NIS2 (2022)
Successor to NIS. Broader scope: 18 sectors, around 38,000 entities in Poland. Requires supply chain security and personal management accountability. In Poland, incident reports go to the CSIRTs (national and sectoral); supervision sits with the competent authority for each sector, coordinated by the Minister of Digital Affairs.
The most common trap in boardroom conversations: we have GDPR in place, so we comply with NIS2. This is wrong. GDPR protects personal data; NIS2 protects service continuity. They work in the same direction but don't substitute for each other. You can be fined under both regimes for different aspects of the same incident (with the ne bis in idem limitation we cover below).
NIS2 in Poland: timeline 2026-2028
Poland transposed the directive by amending the National Cybersecurity System Act (uKSC).
- 23 January 2026. Parliament adopts the amendment.
- 19 February 2026. President Karol Nawrocki signs the act. He simultaneously refers it to the Constitutional Tribunal for subsequent review (the high-risk supplier provisions are particularly contested).
- 2 March 2026. Publication in the Journal of Laws (Dz.U. 2026 poz. 252).
- 3 April 2026. The act enters into force. From this day, the incident reporting obligation (24h / 72h / 1 month) and self-identification apply.
- 3 October 2026. Deadline for register entry (self-registration in the S46 system operated by NASK) for entities covered from day one.
- 3 April 2027. End of the transition period. Full implementation of the security management system.
- 3 April 2028. First mandatory audit for key entities. From this date, administrative penalties can be imposed.
Three dates to mark in your calendar: October 2026, April 2027, April 2028.
The Constitutional Tribunal may strike down part of the act in the meantime. Until any such ruling, the deadlines continue normally. Worth monitoring, not worth waiting on.
Does NIS2 apply to my company
This question comes up more than any other in our conversations. The answer depends on two things: sector and size. Below are the four most common cases.
Clinic, hospital, NZOZ
The healthcare sector is in Annex I (highest criticality). Practical rules:
- A hospital or clinic with 250+ staff or turnover above EUR 50 million is a key entity.
- A clinic with 50 to 249 staff or turnover between EUR 10 and 50 million is an important entity.
- SPZOZ (public self-managed healthcare entity) is always covered, regardless of size.
- Any entity with an emergency department or trauma centre is key by default.
A small private clinic under 50 staff usually doesn't formally fall under the rules. But if it's a subcontractor to a key entity (NFZ contract, large hospital network) or provides a critical service in a municipality, the picture gets more complicated. In practice, every county, regional and university hospital exceeds the threshold.
Law firm
Generally not. The legal services sector does not appear in the NIS2 annexes. Regardless of the number of lawyers.
With two caveats. First, law firms are subject to GDPR and professional secrecy anyway, so cybersecurity is a topic regardless of NIS2. Second, if you serve a key client (hospital, bank, energy), sooner or later that client will require contractual security clauses from you. We discuss supply chain below.
NGO and foundation
It depends on activity, not legal form. A foundation running a hospice or clinic operates in the healthcare sector and may be covered. A typical cultural, educational or charitable foundation has no sector in the annexes.
Remember though: using European funding (FE programmes, KPO, i.e. the National Recovery Plan) increasingly requires having information security policies in place. NIS2 or not, the grant reviewer will gladly look into your rulebook.
Software house, IT company
This is where we see the most misunderstanding.
The ICT service management sector is in Annex I and covers MSPs and MSSPs, i.e. companies providing managed IT services and managed security services. The Polish act goes further than the EU minimum: MSSPs are covered from the small enterprise threshold (10 employees, EUR 2 million turnover).
In practice:
- A software house that writes code to order and hands it to the client: not covered, as long as it doesn't meet the general size thresholds.
- A software house that hosts, monitors, maintains client environments: may be covered from 10 employees.
- Cloud, hosting, data centre, DNS, qualified trust service providers: covered regardless of size (special exceptions).
Second thing that's rarely mentioned: even if you formally don't fall under NIS2, your key-entity clients will demand NIS2 compliance from you contractually. This isn't an MSSP sales fantasy. It's the requirement of Art. 21(2)(d) of the directive, which addresses supply chain security.
Supply chain in NIS2: what clients will demand
Most readers of this text aren't directly covered by NIS2. Good news: you don't have to file affidavits with the authority under penalty of perjury, you don't have to hire a quasi-DPO.
Bad news: your clients that are covered will demand contractual security clauses from you. We can already see this in public tenders and in corporate invitations to cooperate. Security questionnaires, right-to-audit clauses, requirements around MFA, backups and incident response times are appearing.
At EPKO we sit on both sides of this table. We are ourselves an IT provider for clients subject to EU regulations (healthcare, finance, law firms serving banks). And we apply the same requirements to our own suppliers (hosting, monitoring, external APIs).
If you run a small or mid-sized company and one of your biggest contracts requires NIS2 compliance, in practice it boils down to four things:
- A documented information security policy.
- MFA on all accounts with access to client data.
- A working incident reporting process to the client within the timeframe defined by their internal procedure (usually shorter than 24 hours).
- Annual, documented cyber-hygiene training for the team.
This minimum can be implemented in 2 to 3 months for a 5 to 15 person company, without drama. The bigger problem starts where the client wants to see ISO 27001 certification or equivalent. That's a topic for a separate article.
NIS2 implementation step by step
Four phases. Stick to this order, regardless of company size.
First 30 days after status check
- Short note for the board: are we a key or an important entity, based on which threshold.
- Appoint two KSC contact persons (one primary, one backup).
- Appoint a board member as programme sponsor.
- Inventory critical systems (on a single page, not in an Excel with 200 columns).
Within 6 months
- Register in the KSC entity list and the S46 system (electronic signature, declaration under penalty of perjury, so read carefully).
- Gap analysis against the 10 points of Art. 21 of the directive: risk analysis, incident handling, business continuity, supply chain, MFA, encryption, training, access control, and so on.
- Run the 24h / 72h / 1-month incident reporting procedure as a drill. A timed dry-run against a realistic scenario, stopwatch in hand, from first detection to the filed report.
Within 12 months
- Full information security management system (most easily mapped to ISO 27001:2022).
- Policies: business continuity, access control, MFA, cryptography.
- Security clauses in supplier contracts.
- Documented training.
- Backups following the 3-2-1-1-0 rule (three copies, two media, one offsite, one offline, zero errors on restore).
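The "0" in 3-2-1-1-0 is the part most teams skip: nobody knows the backup restores until someone restores it and compares the result with what was backed up. The script below is an added example (not code from the original article or from EPKO): it builds a SHA-256 manifest at backup time, then checks a restored tree against it and reports files that are missing, corrupted or unexpected. The directory layout, file names and manifest format are this example's own assumptions; the sample files are constructed inline so it runs offline.

```python
"""Restore verification for the '0' in 3-2-1-1-0: every file in the manifest
must come back byte-for-byte, and nothing in the manifest may be missing.

Added example, not part of the original article. Directory layout, file names
and the JSON manifest format are assumptions made for this demonstration."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files never sit in RAM whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map each file (relative POSIX path) to its size and SHA-256.
    Written at backup time and stored with every copy of the backup."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest.
    Returns the problems found: missing files, corrupted files, extra files.
    Size is checked first (cheap); a same-size file still gets hashed."""
    problems = {"missing": [], "corrupt": [], "extra": []}
    for rel, meta in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems["missing"].append(rel)
            continue
        if p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            problems["corrupt"].append(rel)
    for p in restored.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored).as_posix()
            if rel not in manifest:
                problems["extra"].append(rel)
    return problems


def restore_is_clean(problems: dict) -> bool:
    """True only when every list in the report is empty: the '0' in 3-2-1-1-0."""
    return not any(problems.values())


def demo() -> dict:
    """Constructed scenario: back up a small tree, then 'restore' it with one
    file silently corrupted (same size, flipped byte) and one file missing."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "prod")
        (src / "his").mkdir(parents=True)
        (src / "his" / "patients.db").write_bytes(b"\x00" * 4096 + b"record-1")
        (src / "his" / "config.ini").write_text("[db]\nhost=his-db-01\n")
        (src / "lab-results.csv").write_text("id,result\n1,negative\n")

        manifest = build_manifest(src)
        # Persist the manifest beside the backup (shown here only for the format).
        Path(tmp, "manifest.json").write_text(json.dumps(manifest, indent=2))

        restored = Path(tmp, "restored")
        (restored / "his").mkdir(parents=True)
        # Same length as the original, one byte flipped in the middle.
        (restored / "his" / "patients.db").write_bytes(
            b"\x00" * 2048 + b"\x01" + b"\x00" * 2047 + b"record-1"
        )
        (restored / "lab-results.csv").write_text("id,result\n1,negative\n")
        # his/config.ini is never restored.
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("restore clean:", restore_is_clean(report))
```

The point of the drill is the last function: a restore test that ends with anything other than an empty report is a failed backup, regardless of how many copies, media and sites the other four digits gave you. In production the manifest is generated by the backup job and checked on the offline copy too, since that is the one you will be restoring from after ransomware.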
Within 24 months (key entities only)
First external compliance audit. From this date, penalties can be imposed.
If you start today (May 2026), you still have the full window the act allows. If you start in December, you'll be doing phase two under time pressure. Phase three under time pressure simply doesn't succeed.
Penalties for NIS2 non-compliance
The penalties you hear about in MSSP sales emails are real, but only from April 2028. The Polish act introduced a penalty moratorium (Art. 35 of the amendment).
Maximum penalty amounts:
- Key entity: up to EUR 10 million or 2% of global annual turnover (whichever is higher). Polish minimum PLN 20,000.
- Important entity: up to EUR 7 million or 1.4% of turnover. Polish minimum PLN 15,000.
- Private-company executive: up to 300% of annual remuneration.
- Public-entity executive: up to 100% of remuneration.
Plus a ban on holding management positions. Plus a public statement obligation about the breach. Plus binding remedial recommendations.
Important relief: if you've already been finally penalised by UODO for the same act under GDPR, KSC proceedings cannot be opened (ne bis in idem clause, Art. 76c uKSC).
And the honest truth: for most readers of this text, the real risk is not the administrative fine. The real risk is:
- Losing a contract with a major client demanding security clauses.
- An incident that halts operations for three weeks.
- For companies with a collegial board: personal liability of each board member, even if no specific person was designated.
Each of these three risks is closer than April 2028.
NIS2 glossary: the acronyms we use
For people who landed here from Google without the acronym baggage.
- MSP (managed service provider): provider of managed IT services (hosting, monitoring, administration of client environments).
- MSSP (managed security service provider): provider of managed security services (SOC, SIEM, EDR, threat monitoring).
- SPZOZ: self-managed public healthcare entity. Every SPZOZ falls under NIS2 regardless of size.
- NZOZ: non-public healthcare entity (historical name; today formally 'medical entity not being an entrepreneur').
- SOR: hospital emergency department. Having an ED makes the hospital a key entity by default.
- MFA (multi-factor authentication): named explicitly among the measures of Art. 21(2) NIS2 ("where appropriate", which in practice means you should expect to justify any exception).
- KSC: National Cybersecurity System (Krajowy System Cyberbezpieczeństwa). uKSC is the act that establishes it and, as amended, transposes NIS2.
- CSIRT (Computer Security Incident Response Team): incident response teams. Sectoral CSIRTs receive incident reports.
- S46: the incident reporting and entity self-registration system, operated by NASK.
First step in NIS2 implementation
If you run a clinic, hospice, SPZOZ or mid-sized company in one of the 18 sectors: NIS2 applies to you and a plan will help. The first step is cheap: status note, two contact persons, board member as sponsor.
If you run a small IT firm, a law firm or a foundation without medical activity: NIS2 doesn't apply to you directly. But take a look at who your biggest client is. If it's a hospital, bank or energy distributor, your contract will change within a year.
If you don't know which group you're in, get in touch. We'll do an honest status assessment, not a PLN 50,000 audit.