Amendment to the NSC Act (NIS2): What new obligations await Polish companies and how to prepare for them?
Faced with the growing scale and complexity of cyber threats, the European Union has taken decisive steps to strengthen common digital resilience. The result of these steps is the NIS2 Directive, whose implementation in Poland takes the form of a comprehensive amendment to the National Cyber Security System (NSC) Act. This is one of the most important legal transformations in recent years, which will fundamentally remodel the landscape of cyber security obligations for thousands of Polish companies. It changes the previous narrow approach in favor of a broad, horizontal regulation covering entire sectors of the economy.
Many organizations are still in wait-and-see mode for the final official text of the law, postponing preparations. This is a strategic mistake. An analysis of successive publicly available versions of the draft amendment shows that the core of the requirements remains unchanged and is now fully established. Key areas such as risk management, supply chain security and incident response procedures are clearly defined. Waiting for the last bell to ring is an easy path to chaos and costly “last-minute” implementations. Smart organizations are taking advantage of this time to start strategic preparations today and turn the new legal obligation into a real strengthening of their digital resilience.
Why is the amendment to the KSC Act one of the most important legal changes for Polish business?
The amendment to the Law on the National Cyber Security System (UKSC) is not a cosmetic fix, but a legislative revolution. Its significance stems from two main factors: the drastic expansion of the scope of entities and the imposition of specific, enforceable obligations directly on company boards. The previous law covered a relatively narrow group of key service operators. The new legislation, which implements the NIS2 directive, will create a division between “key” and “important” entities, covering thousands of new companies in more than a dozen sectors – from energy and transportation, to manufacturing and digital services, to food and postal services.
The second revolutionary element is the introduction of direct management responsibility. The amendment stipulates that the board of directors will be personally responsible for approving risk management policies and overseeing their implementation. What’s more, the legislation provides for severe financial sanctions not only for the company (up to €10 million or 2% of total annual worldwide turnover), but also potential penalties for managers. This is a fundamental change that moves cyber security from the IT department straight into the boardroom, making it an integral part of corporate governance.
What is the NIS2 directive and how does it relate to the Polish KSC Act?
The Network and Information Systems Directive 2 (NIS2) is a piece of European Union legislation that came into force in early 2023. It is the successor to the first NIS Directive of 2016, responding to the growing scale and complexity of cyber threats. The goal of NIS2 is to raise and standardize the level of cyber security of key economic sectors across all EU member states.
It is important to remember that an EU directive is not a law that operates directly in member countries. It sets goals and frameworks that each country must implement (transpose) into its legal order. In Poland, the tool for this implementation is precisely
Understanding this relationship is key. By analyzing the requirements of the NIS2 Directive, Polish companies can predict with very high probability what specific obligations will be included in the final version of the new law on the NSC. This is precisely why organizations do not have to wait for the completion of the legislative process in Poland – they can and should base their preparations directly on the text of the NIS2 Directive, which is the overarching and final act.
Who will be covered by the new regulations – who are “key players” and “important players”?
The amendment to the NSC Law significantly expands the catalog of regulated companies, introducing two new categories: essential entities and important entities. Classification into one of these groups depends on the size of the organization and the sector in which it operates.
Key players will include larger companies in sectors of the highest strategic importance to the state and the economy. These include energy, transportation (air, rail, water, road), banking and financial market infrastructure, healthcare (e.g. hospitals, drug manufacturers), digital infrastructure (e.g. cloud providers, data centers), public administration and the space sector. These entities will be subject to stricter, more proactive oversight by state authorities.
Important players will include companies in a number of other sectors that are also important to the economy and society. This group will include postal and courier services, waste management, chemical production and distribution, food production and processing, as well as broad manufacturing (e.g. medical devices, computers, machinery) and digital service providers such as online trading platforms and search engines. They will be subject to reactive (ex post) supervision, meaning that an inspection will most often be triggered by a reported incident. Regardless of category, both groups will have to implement the same broad set of risk management measures.
What are the most important risk management responsibilities imposed by the new law?
At the heart of the amendment is the requirement to implement a comprehensive and systematic cyber security risk management process. This is a shift away from an incident-based approach to a continuous, risk-based analysis of the security lifecycle. The law requires organizations to adopt an “all-hazards” approach, taking into account not only hacking attacks, but also hardware failures, human error or natural disasters.
Each covered entity will need to develop and implement a policy for risk analysis and information systems security. This means identifying key assets, assessing potential threats and vulnerabilities, and estimating the likelihood and potential impact of an incident. Based on this analysis, the company must implement appropriate and proportionate countermeasures.
The risk management process cannot be a one-time activity. The new regulations require it to be systematically reviewed and updated. Organizations will have to prove to auditors that their approach to security is a living process that adapts to a changing environment, new threats and the evolution of their own infrastructure.
Why has ICT supply chain security become a key part of the law?
The amendment to the NSC Law, following the example of NIS2, places unprecedented emphasis on the security of the information and communications technology (ICT) supply chain. The legislature rightly noted that a company’s digital resilience depends not only on its own security, but also on the security of its software, hardware and service providers. Supply chain attacks such as the SolarWinds incident have proven to be one of the most dangerous attack vectors.
The new regulations will require companies to consider vendor risks as part of their own risk management policies. Organizations will have to assess and review the security practices of their key technology partners. It will be necessary to include appropriate security clauses in contracts, require suppliers to adhere to certain standards and have incident response capabilities.
Moreover, the law introduces mechanisms for assessing high-risk products, services and suppliers. Assessments may emerge at the national and EU levels indicating that the use of specific technologies or services from specific suppliers (especially those outside the EU) involves increased risks. Key and important players will have to take these assessments into account in their purchasing decisions and risk management strategies, which may in practice mean having to drop certain suppliers.
How does the KSC amendment change the approach to incident management and reporting?
The new regulations significantly tighten and clarify responsibilities for security incident management. The goal is to create a consistent, national early warning and response system based on rapid and transparent information sharing. Every entity covered by the law will be required to have a formal process for handling incidents, including detection, analysis, classification, containment and recovery.
The biggest change is the introduction of strict timeframes for incident reporting. Key and important entities will be required to report “serious incidents” to the relevant Computer Security Incident Response Team (CSIRT) in several stages:
- Early warning: within 24 hours of the incident being identified.
- Incident report: within 72 hours, including a detailed assessment of the incident.
- Final report: no later than one month after the submission of the incident report.
A “serious incident” is defined as an event that causes or is likely to cause serious disruption of service operations or financial loss to an entity, as well as one that has affected or is likely to affect other natural or legal persons, causing significant tangible or intangible damage. These short deadlines force organizations to have rehearsed and well-functioning response procedures.
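The staged timeline above has one detail that is easy to get wrong in a playbook: the 24 h and 72 h clocks run from the moment the incident is identified, but the one-month clock for the final report runs from the submission of the incident report. The following Python tracker is an added example (not nFlo's code and not text from the draft law); the stage names, the 24 h / 72 h / one-month deadlines and the sample timeline are taken from or constructed for this article, and the way “one month” is counted (same calendar day in the following month, clamped to month end) is an assumption made here.

```python
# Added example (not nFlo's code nor the draft law's text): a small tracker for
# the staged reporting timeline described above. The stage deadlines (24 h,
# 72 h, one month after the incident report is submitted) follow the article;
# how "one month" is counted is an assumption made here.
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

STAGES = ("early_warning", "incident_report", "final_report")


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Helper so that every timestamp is timezone-aware (UTC)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Assumed reading of 'one month': the same calendar day in the next month,
    clamped to that month's last day (e.g. 31 Jan -> 29 Feb in a leap year)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class IncidentReporting:
    detected_at: datetime                                          # when the incident was identified
    submitted: dict[str, datetime] = field(default_factory=dict)   # stage -> submission time

    def submit(self, stage: str, at: datetime) -> None:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        if stage == "final_report" and "incident_report" not in self.submitted:
            raise ValueError("final report requires a prior incident report")
        self.submitted[stage] = at

    def deadlines(self) -> dict[str, datetime]:
        """Deadline per stage. The final-report deadline exists only once the
        incident report has gone out, because it is counted from that submission."""
        d = {
            "early_warning": self.detected_at + timedelta(hours=24),
            "incident_report": self.detected_at + timedelta(hours=72),
        }
        if "incident_report" in self.submitted:
            d["final_report"] = add_one_month(self.submitted["incident_report"])
        return d

    def status(self, now: datetime) -> dict[str, str]:
        """Per stage: on_time / late (submitted after its deadline) / overdue
        (not submitted, deadline passed) / pending / blocked (final report
        cannot be scheduled before the incident report is submitted)."""
        out: dict[str, str] = {}
        deadlines = self.deadlines()
        for stage in STAGES:
            deadline = deadlines.get(stage)
            if stage in self.submitted:
                out[stage] = "on_time" if self.submitted[stage] <= deadline else "late"
            elif deadline is None:
                out[stage] = "blocked"
            elif now > deadline:
                out[stage] = "overdue"
            else:
                out[stage] = "pending"
        return out

    def next_due(self, now: datetime):
        """Earliest unsubmitted stage and the hours remaining (negative if overdue)."""
        deadlines = self.deadlines()
        for stage in STAGES:
            if stage not in self.submitted and stage in deadlines:
                return stage, (deadlines[stage] - now) / timedelta(hours=1)
        return None


def demo() -> dict[str, str]:
    """Constructed timeline: detection on 10 Mar 2024 09:00 UTC, early warning
    the same evening, incident report one hour past the 72 h mark, final report
    still outstanding a month later."""
    rep = IncidentReporting(detected_at=utc(2024, 3, 10, 9))
    rep.submit("early_warning", utc(2024, 3, 10, 20))     # 11 h after detection
    rep.submit("incident_report", utc(2024, 3, 13, 10))   # deadline was 13 Mar 09:00
    return rep.status(now=utc(2024, 4, 14, 12))           # final report was due 13 Apr 10:00


if __name__ == "__main__":
    for stage, state in demo().items():
        print(f"{stage:16s} {state}")
```

Running the constructed timeline reports the early warning as on time, the incident report as late, and the final report as overdue; the `blocked` state makes it visible that the final-report clock has not even started until the incident report goes out.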
Key Areas of Requirements of the New NSC Law (NIS2) – Action Plan

| Requirements Area | Main Task for the Organization | Potential Solutions and Actions |
|---|---|---|
| Risk Management | Develop and implement a formal risk analysis policy. Conduct regular assessments and audits. | Implementation of an Information Security Management System (e.g. ISO 27001), regular risk analysis (e.g. OCTAVE, EBIOS method). |
| Supply Chain Security | Security assessment and verification of key ICT vendors. Introducing requirements into contracts. | Supplier security audits, contract clauses, requesting SOC 2 reports, implementing a Software Bill of Materials (SBOM). |
| Incident Management | Create and test an incident response plan. Ensure 24 h / 72 h reporting capability. | Implementation of SIEM/XDR technology, regular table-top exercises, retainer contract with an external IR team. |
| Responsibility of the Board of Directors | Ensure that board members understand the risks, have received training, and actively oversee the implementation of security measures. | Dedicated training for the board, regular reporting on the status of cyber security at meetings, formal approval of policies. |
How can nFlo help you conduct a compliance assessment and implement KSC/NIS2 requirements?
At nFlo, we fully understand that preparing for new regulations is a complex process that requires not only legal knowledge, but above all deep technical and organizational expertise. We act as a strategic partner, guiding organizations along the entire path to compliance and genuine cyber resilience.
Our key service is a comprehensive KSC/NIS2 compliance readiness audit. This is a detailed gap analysis in which our team of auditors and engineers verifies the client’s current technical and organizational safeguards against all key requirements of the new law. The result of the audit is a precise report that identifies areas of non-compliance and provides a roadmap with specific, implementable recommendations.
Based on the audit results, we support organizations in implementing the missing elements. As part of
