NIS2: Key responsibilities for essential and important entities in the EU

Jun 20, 2025 | Security

The NIS2 Directive (Directive (EU) 2022/2555), which EU member states including Poland were required to transpose into national law by 17 October 2024, introduces a range of cybersecurity obligations for entities classified as essential or important. If your organization falls into one of those categories, now is the time to act.

This article outlines what the directive means in practice and what your company should do to stay compliant and reduce cybersecurity risks.

What Obligations Does NIS2 Impose?

NIS2 focuses on two key areas:

  • Cybersecurity risk management

  • Incident notification obligations

Below, we break down how these obligations translate into real actions for affected organizations.

Cybersecurity Risk Management – What Needs to Be Implemented?

Organizations subject to NIS2 must take appropriate and proportionate technical, operational and organisational measures to manage the risks to the security of the network and information systems they use (Article 21). The measures must follow an all-hazards approach and cover at least:

  • Policies on risk analysis and information system security

  • Incident handling procedures

  • Business continuity (backup management, disaster recovery) and crisis management

  • Supply chain security, including the security of relationships with direct suppliers and service providers

  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure

  • Policies and procedures to assess the effectiveness of the risk-management measures

  • Basic cyber hygiene practices and cybersecurity training

  • Policies and procedures on the use of cryptography and, where appropriate, encryption

  • Human resources security, access control policies and asset management

  • Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems

The management body of an essential or important entity must approve these measures, oversee their implementation and attend cybersecurity training; its members can be held liable for infringements (Article 20).

Additionally, the European Commission has adopted Implementing Regulation (EU) 2024/2690, which specifies technical and methodological requirements for certain digital entities, such as cloud computing service providers, DNS service providers, TLD name registries, data centre providers, managed (security) service providers and trust service providers.

Cybersecurity Incident Reporting – What Are the Rules?

Organizations must notify their national CSIRT or competent authority, without undue delay, of any significant incident. An incident is significant if it:

  • Has caused or is capable of causing severe operational disruption of the services or financial loss for the entity

  • Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

Incident Reporting Timeline (all deadlines run from the moment the entity becomes aware of the incident):

  • Within 24 hours – early warning indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact

  • Within 72 hours – incident notification updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise

  • On request of the CSIRT or competent authority – intermediate status updates

  • Within one month of submitting the incident notification – final report with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and ongoing, and any cross-border impact (if the incident is still ongoing at that point, a progress report is submitted instead and the final report is due within one month of the incident being handled)

Additional Requirements:

  • Where appropriate, recipients of the service who are likely to be adversely affected by a significant incident must be notified without undue delay

  • Recipients potentially affected by a significant cyber threat must be informed of any measures or remedies they can take in response

  • Cross-border impact is flagged by the entity in its early warning; the national CSIRT or competent authority then informs the other affected member states and ENISA, so the entity does not report directly to EU-level bodies

  • Trust service providers (e.g., qualified e-signature providers) must submit the incident notification (the report otherwise due within 72 hours) within 24 hours of becoming aware of a significant incident affecting the provision of their trust services

Organizations may also voluntarily report other incidents, cyber threats and near misses. CSIRTs may prioritise mandatory notifications over voluntary ones, and a voluntary notification does not create additional obligations for the reporting entity, but it still follows the formal process and reflects a mature cybersecurity posture.

In practice, because the 24-hour clock starts when the entity becomes aware of an incident, detection, triage and escalation procedures must be fast enough to reach the decision whether the incident is significant, and to collect the facts needed for the early warning, well within that window.

What Should You Do Now? [Checklist]

  1. Check whether your organization falls under the scope of NIS2 and register with the competent authority where national law requires it

  2. Assess your current compliance with the risk management and incident reporting requirements, including the 24-hour, 72-hour and one-month deadlines

  3. Prepare or update your internal cybersecurity policies and response plans, and have the management body approve them

  4. Train your team – both technically and operationally – and make sure management receives cybersecurity training as well

Need Support?

At Cyberforces, we help companies across Europe comply with NIS2:

  • We conduct readiness audits

  • We develop and update policies and procedures

  • We train technical and operational teams

  • We support secure incident response and reporting processes

Contact us to assess your organization’s readiness and get expert guidance on becoming fully NIS2-compliant.

Related articles

NIS2: New Cybersecurity Standards for Key Sectors in the EU

Red Team – what is it and how does Red teaming work?