NIS2 implementation: what you need to know to comply in 2026

Apr 29, 2026

How to comply with NIS2 in 2026
By now, most people running a business in Europe have heard the acronym NIS2. Whether they’ve done anything about it is another question.

The directive is being folded into national law across all 27 Member States, with some countries ahead and others still catching up. But the direction isn’t changing: what used to be voluntary cybersecurity guidance now comes with legal consequences, defined timelines, and, if you’re in management, personal liability.

Below, I outline the critical path to NIS2 compliance, so you can clearly understand how to work through this complexity.

Head of GRC, Cybersecurity & Sustainability

Stanislav bakes security and sustainability into the DNA of every system. He navigates the intersection of global compliance and green computing, ensuring that infrastructures are both bulletproof against threats and environmentally responsible.

What is the NIS2 directive?

The NIS2 Directive is the EU’s flagship legislation designed to enhance the baseline level of cybersecurity.

Back in 2016, the EU put out the first NIS Directive, which was a decent start but assumed a threat landscape that looks almost quaint now. NIS2 has learned the lessons of its predecessor, and replaced it with a broader framework with uniform rules across countries, higher standards, more sectors covered, and penalties that are consistent enough that you can’t shop around for a lenient jurisdiction.

As a result, businesses across all Member States can no longer treat cybersecurity as a “best effort” activity. They must move toward a legally binding framework with clear expectations around resilience, incident reporting, and who bears responsibility if anything goes wrong.

How Poland implemented NIS2

Poland passed its updated law — changes to the National Cybersecurity System Act — in early 2026. The structure follows the EU directive but splits oversight in a way that reflects local institutional arrangements.

For instance, CSIRT MON* oversees defense-related entities; CSIRT NASK** covers critical digital infrastructure and public administration. Other sector-specific bodies supervise areas like energy, finance, healthcare, and transport. In addition, there’s a central register documenting which entities are classified as essential or important.

As of April 2026, compliance with the reporting requirements, supervisory procedures, and enforcement procedures under the Polish legislation is mandatory.

Which companies are affected?

The scope is wider than before. Classification depends on two things, sector and size, and it extends beyond traditional critical infrastructure.

NIS2 distinguishes between essential entities, whose disruption would have a major societal or economic impact, and important entities, where the impact would be significant but less critical.

Entity classification, key criteria, and examples of sectors:

Essential entities
  Key criteria: Large enterprises (250+ employees, €50m+ turnover) in key sectors; or medium enterprises in critical sectors.
  Examples of sectors: Energy, transport, banking, financial market infrastructures, health, digital infrastructure.

Important entities
  Key criteria: Medium enterprises (50–249 employees, €10m–€50m turnover) in key sectors; or any entity (regardless of size) in specific sectors.
  Examples of sectors: Postal services, waste management, chemicals, food (large producers and distributors), manufacturing (medical devices, electronics).

Even if you don’t meet the size thresholds, authorities can still designate you as “essential” or “important” based on the potential impact of a disruption to your service.

Key cybersecurity requirements under NIS2

Under the directive, you’ll operate on a risk-based approach, which means the measures you take should be proportionate to the size of your company and the threats it faces. These are usually formalized through an information security management system (ISMS). To that end, you will need to perform the following activities:

  • Conduct regular risk assessments
  • Maintain documented security policies that formalize the organization's roles, responsibilities, and controls
  • Establish a process to deal with security incidents, including prevention, detection, reporting, and response within specified timeframes for notifying authorities
  • Ensure backup management, disaster recovery, and crisis management plans are in place and operational during disruptions
  • Conduct due diligence and continuous monitoring of suppliers, including setting security requirements and collecting vendor evidence
  • Implement basic system protections, such as access control, encryption, MFA, and patching
  • Provide staff and management with ISMS training and establish procedures for secure onboarding and offboarding

New NIS2 compliance deadlines

The EU required Member States to transpose the directive by 17 October 2024. Some did, while others didn’t. So deadlines now depend on where you’re registered, because they are set at the national level and vary by jurisdiction.

Milestones and their timing:

Entity registration
  Typically happens within a few months of the national law taking effect or when you're classified as essential or important.

Cybersecurity measures
  Expected from the moment the law applies to you. In practice, from day one, although supervisory enforcement may be phased.

First compliance audit
  If you're selected, it usually comes within 18 to 24 months, though authorities can move faster depending on your risk profile.

These timelines are indicative and may vary depending on how each Member State implements and enforces NIS2 at the national level, so make sure to check what applies in your country.

Penalties for non-compliance

That’s where it starts to get more nuanced. The directive sets a floor and doesn’t set a ceiling: Member States must establish a minimum level for maximum fines, but they can always go higher if they want. Under Article 34, they have to make sure the fines are effective, proportionate, and dissuasive. In plain language, big enough to hurt, fair relative to what you did wrong, and serious enough that no one looks at it and thinks “worth the risk.”

The directive breaks this into two tiers for maximum fines:

For essential entities: at least €10 million, or 2 percent of your global annual turnover, whichever is higher.

For important entities: at least €7 million, or 1.4 percent of global annual turnover, whichever is higher.

To see how this works in practice, let’s take Poland as an example. Its legislation mirrors these NIS2 thresholds. For larger organizations, the turnover-based calculation applies, so if you’re pulling in €1 billion globally, 2 percent is €20 million. For severe violations that threaten national defense, state security, or public safety, Polish law goes further: fines up to PLN 100 million (around €23 million).

Completely different scale, right? So it’s not just the big players who need to worry about the percentage; anyone in the wrong sector does.

Why NIS2 is a major change for businesses in Poland

Two things have changed.

First, accountability. Previously, if a company had weak security, responsibility was often spread out enough that no single person felt exposed. Now, management boards are explicitly liable. That changes how these conversations go internally.

Second, the scale. Thousands of Polish companies that never faced mandatory cybersecurity audits now do. And the strict 24-hour early warning and 72-hour formal reporting windows mean you need monitoring and processes in place before something happens.

Studies show that about half of small and medium enterprises have basic security controls implemented, and about half have experienced an incident in the past two years. These numbers suggest that a lot of organizations are starting from behind.

* Computer Security Incident Response Team of the Ministry of National Defence

** Computer Security Incident Response Team operated by the Research and Academic Computer Network, Poland’s national research institute
