NIS2 Poland 2026
IT manager checklist
40 tasks across 12 months: a practical checklist for companies covered by the Polish KSC act
This checklist covers the NIS2 directive (EU 2022/2555). The transposition deadline for EU member states passed on 17 October 2024. Poland implemented NIS2 through the National Cybersecurity System Act of 3 April 2026 (the KSC act), behind the EU deadline. Fines under the directive (up to EUR 10m or 2% of revenue) apply by force of the Polish KSC act. Below are 40 concrete tasks grouped into 8 areas: a preparation checklist you can print and take to a meeting with management.
Who falls under NIS2: check before you read on
The NIS2 directive (EU 2022/2555) and the Polish implementing act, the National Cybersecurity System Act of 3 April 2026 (KSC), cover two categories of entities. Verify the exact wording against the current KSC text:
Essential entities: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT management, space. Fine ceiling under the directive: EUR 10m or 2% of annual revenue.
Important entities: postal and courier services, waste management, chemical production, food production, medical device production, electronics and computer production, vehicle manufacturing, digital service providers (e.g., hosting, cloud). Fine ceiling under the directive: EUR 7m or 1.4% of annual revenue.
Size criterion under the NIS2 directive:
- Essential entity: 250+ employees OR revenue > EUR 50m OR balance sheet > EUR 43m.
- Important entity: 50-249 employees OR revenue EUR 10-50m.
Meeting both the sector and size criteria triggers automatic qualification. Registration deadlines and procedures will be set out in the Polish implementing act. Follow updates from CERT Polska / CSIRT NASK.
NIS2 compliance audit: see where you stand.
An analysis of NIS2 requirements for your organization, 30 minutes online.
Area 1: Qualification and registration (tasks 1-5)
Task 1: Determine whether your company is an essential or important entity
Check the annexes to the KSC act. The criteria are the sector of activity and the company size. Tools: self-verification based on PKD codes plus legal consultation for borderline cases.
Task 2: Identify critical suppliers and security agreements
Article 11 of the KSC act requires supply chain risk assessment. You need a list of suppliers with access to critical systems or processing your data. For each: security certificate verification, contracts containing security incident clauses, an obligation to notify you within 24 hours. Checklist: who has administrator access to systems? Which suppliers can manage your backups?
Task 3: Appoint an information security officer (SPOC)
Article 18(2) of the KSC act requires the appointment of a person responsible for the Information Security Management System (ISMS). This does not have to be a dedicated CISO. It can be an IT manager with an extended scope of duties, or a lawyer. Required: a formal management board decision with date and signature, entry in the register, sharing with CSIRT NASK. This person will represent the company before the supervisory authority.
Task 4: Register with CSIRT NASK in line with the KSC act requirements (in force from 3 April 2026)
Failure to register carries a fine regardless of whether an incident has occurred. The registration deadline is set out in the Polish NIS2 implementing act (the KSC amendment). Check the current status at rcl.gov.pl and the CERT Polska site. Registration procedure: the NASK S46 platform (https://s46.csirt.gov.pl), with the submission including: tax ID (NIP), main address, sector per the annex to the act, PKD codes, name of the security officer, email and phone for the SPOC. Confirmation of registration is sent by email.
Task 5: Management board resolution on the information security policy
Article 8(1) of the KSC act: a mandatory requirement. You must have a formal policy adopted as a management board resolution, covering at minimum: security goals and scope, roles and responsibilities, change management processes, incident reporting procedures. You do not have to start from zero. If you have ISO 27001, update the documents. Adoption date, signatures, archiving in the board's records: this will be reviewed at inspection.
Area 2: IT asset inventory (tasks 6-11)
This is the foundation. Without an up-to-date, complete list of systems, hardware and software, you cannot assess risk or manage incidents.
Task 6: Full hardware inventory
Required by Article 14(1) of the KSC act. List all: desktops and laptops, servers, network devices (switches, routers, firewalls), printers and mobile devices with network access, scanners, VoIP systems. For each: manufacturer, model, serial number, acquisition date, operating system version. Tools such as ManageEngine AssetExplorer scan the network automatically. We recommend that every device has an asset ID tag in the inventory.
Task 7: Software inventory and shadow IT
Article 14(1) of the KSC act. List: all licensed applications with expiry dates, system components and libraries (Windows Update, build numbers, security patches), PHP/Java/SQL versions in use, VPN and remote access. Key item: shadow IT, meaning applications installed without IT involvement. In most companies, the first inventory turns up 20-50 applications IT did not know about. Update the inventory at least once a quarter.
Tasks 8-9: System classification and privileged access
Article 15 of the KSC act requires a map of critical systems. For each: name, business purpose, owner, responsible department, RTO (Recovery Time Objective: how many hours to restore the system), RPO (Recovery Point Objective: how much data can be lost). Privileged access: who specifically has root/admin access to each system? Do accounts contain the person's name, or are they shared? Are any accounts of former employees still active? This section will be examined first during an audit.
Tasks 10-11: OT devices (manufacturing, logistics) and ongoing updates
Article 14(1) of the KSC act also covers OT (Operational Technology) devices. This applies to manufacturing, logistics and energy companies: PLC controllers, SCADA systems, robots, RFID readers, access control systems. A one-off inventory is not enough. The NIS2 requirement is an up-to-date register. The CMDB (Configuration Management Database) must be updated whenever a machine is added or changed. The auditor will compare the inventory against reality. An extra device outside the register means non-compliance.
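Tasks 6-11 come down to two comparisons an auditor will make: the CMDB against what a discovery scan actually finds on the network, and the list of privileged accounts against the HR roster. The following script, an added example and not part of the original article or of any ManageEngine product, does both on constructed data (hostnames, serial numbers, account names and the roster are all invented); the register shape and the finding categories are assumptions that stand in for whatever CMDB export and HR feed you actually use.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed CMDB rows with the fields the KSC act's hardware inventory asks for
# (manufacturer, model, serial, acquisition date, OS version, owner). All invented.
@dataclass(frozen=True)
class Asset:
    asset_id: str
    hostname: str
    manufacturer: str
    model: str
    serial: str
    acquired: date
    os_version: str
    owner: str

REGISTER = [
    Asset("A-0001", "srv-erp-01", "Dell", "R750", "SN-ERP-1001", date(2023, 2, 1), "Windows Server 2022", "IT"),
    Asset("A-0002", "fw-edge-01", "Fortinet", "FG-100F", "SN-FW-2002", date(2022, 9, 15), "FortiOS 7.2", "IT"),
    Asset("A-0003", "plc-line-3", "Siemens", "S7-1500", "SN-PLC-3003", date(2019, 6, 3), "TIA V17", "Production"),
    Asset("A-0004", "lt-old-0044", "Lenovo", "T480", "SN-LT-4004", date(2018, 1, 20), "Windows 10", "Sales"),
]

# Constructed output of a network discovery scan: what is on the wire today.
DISCOVERED = [
    {"hostname": "srv-erp-01", "serial": "SN-ERP-1001", "os": "Windows Server 2022"},
    {"hostname": "fw-edge-01", "serial": "SN-FW-2002", "os": "FortiOS 7.2"},
    {"hostname": "plc-line-3", "serial": "SN-PLC-3003", "os": "TIA V17"},
    {"hostname": "rpi-kiosk", "serial": "SN-UNKNOWN-9", "os": "Raspbian"},  # never entered in the CMDB
]

def reconcile(register: List[Asset], discovered: List[Dict[str, str]]) -> Tuple[list, list]:
    """Compare the CMDB with discovery results, keyed on serial number.
    Returns (unregistered, missing): live devices absent from the register (the
    'extra device outside the register' finding) and register entries not seen on
    the network (stale rows or offline equipment that needs a follow-up)."""
    by_serial = {a.serial: a for a in register}
    seen = {d["serial"] for d in discovered}
    unregistered = [d for d in discovered if d["serial"] not in by_serial]
    missing = [a for a in register if a.serial not in seen]
    return unregistered, missing

# Constructed privileged-access map and HR roster for the review in tasks 8-9.
ADMIN_ACCOUNTS = [
    {"system": "srv-erp-01", "account": "jkowalski"},
    {"system": "srv-erp-01", "account": "Administrator"},  # shared, not tied to a person
    {"system": "fw-edge-01", "account": "admin"},
    {"system": "backup-01", "account": "tzielinski"},      # left the company
]
ACTIVE_STAFF = {"jkowalski", "anowak"}
SHARED_NAMES = {"admin", "administrator", "root", "sa"}   # assumption: generic account names

def review_privileged(admin_accounts, active_staff, shared_names=SHARED_NAMES):
    """Flag admin accounts that are shared (no named person behind them) or that
    belong to nobody on the active roster (former employees)."""
    findings = []
    for entry in admin_accounts:
        name = entry["account"]
        if name.lower() in shared_names:
            findings.append((entry["system"], name, "shared account: replace with named admin accounts"))
        elif name not in active_staff:
            findings.append((entry["system"], name, "no active employee: disable and document"))
    return findings

if __name__ == "__main__":
    unregistered, missing = reconcile(REGISTER, DISCOVERED)
    for d in unregistered:
        print(f"NOT IN REGISTER: {d['hostname']} ({d['serial']})")
    for a in missing:
        print(f"NOT SEEN ON NETWORK: {a.asset_id} {a.hostname}")
    for system, account, why in review_privileged(ADMIN_ACCOUNTS, ACTIVE_STAFF):
        print(f"PRIVILEGED ACCESS FINDING: {system}/{account}: {why}")
```

Run it after each quarterly scan; the two "not in register" and "not seen on network" lists are exactly the differences the auditor will look for, and the privileged-access findings are the questions from tasks 8-9 answered with data rather than from memory.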
Area 3: Incident management (tasks 12-17)
NIS2 introduces mandatory reporting deadlines. This is one of the hardest requirements for companies without a formal incident management process so far.
Tasks 12-13: Incident catalog and reporting deadlines (24h/72h)
Article 19(1-2) of the KSC act. Definition of an incident: an event that actually or potentially affects the availability, integrity or confidentiality of systems. Catalog: ransomware attack = serious, data leak = serious, system unavailable for more than 1h = serious, a single printer failure = not an incident. The deadlines are absolute: an initial notification to CSIRT NASK (Article 19(2a)) within 24 hours of detection. A detailed report (Article 19(2)) within 72 hours. Wall-clock hours count, not business hours.
Reporting procedure in ServiceDesk Plus: Configure an automatic email notification to the security officer (SPOC) when a "Security incident" ticket is opened, including: the hour and minute the ticket was opened, the deadline (24h from that moment), an email template with what the report must contain. The system must record whether the report reached CSIRT on time.
Tasks 14-17: Register, response procedures and business continuity plan
Article 19(4) of the KSC act requires an incident register containing: detection date and time, description of the event, number of records affected, actions taken, outcome. Response procedures cover: roles and responsibilities (who manages the incident, who informs the board), escalation and documentation. Tests: at least one response test per year, "ransomware at 2 pm" scenario, who runs the backup, who notifies CSIRT, how long until the system is restored. BCP (Business Continuity Plan): RTO for each critical system, switchover procedure to backup, switchover tests at least once a year.
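The 24h/72h deadlines from tasks 12-13 and the register fields from tasks 14-17 are easy to get subtly wrong when the ticket system stores Warsaw wall-clock times and the detection falls next to a clock change: adding 24 hours to the local timestamp gives a deadline one hour late in spring. The script below is an added example, not code from the article or from ServiceDesk Plus; it computes deadlines on elapsed time, keeps a register entry with the Article 19(4) fields, and reports whether each notification was on time. The incident, its timestamps and the register layout are constructed; the EU DST rule is implemented inline so the example runs without a time zone database (in production use zoneinfo).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

INITIAL_NOTICE = timedelta(hours=24)   # Article 19(2a): initial notification to CSIRT NASK
DETAILED_REPORT = timedelta(hours=72)  # Article 19(2): detailed report

def _last_sunday(year: int, month: int) -> datetime:
    """Last Sunday of the month at 00:00 (naive)."""
    last_day = datetime(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)

def warsaw_offset(utc_dt: datetime) -> timedelta:
    """UTC offset of Europe/Warsaw at a UTC instant: CEST (+2) from the last Sunday of
    March 01:00 UTC to the last Sunday of October 01:00 UTC, otherwise CET (+1)."""
    start = _last_sunday(utc_dt.year, 3).replace(hour=1, tzinfo=timezone.utc)
    end = _last_sunday(utc_dt.year, 10).replace(hour=1, tzinfo=timezone.utc)
    return timedelta(hours=2) if start <= utc_dt < end else timedelta(hours=1)

def local_to_utc(wall: datetime) -> datetime:
    """Warsaw wall-clock time (naive, as a helpdesk ticket records it) -> UTC instant.
    Ambiguous autumn times resolve to the first occurrence; spring-gap times raise."""
    for offset in (timedelta(hours=2), timedelta(hours=1)):
        candidate = (wall - offset).replace(tzinfo=timezone.utc)
        if warsaw_offset(candidate) == offset:
            return candidate
    raise ValueError(f"{wall} does not exist in Europe/Warsaw (spring-forward gap)")

def utc_to_local(utc_dt: datetime) -> datetime:
    return (utc_dt + warsaw_offset(utc_dt)).replace(tzinfo=None)

def hours_elapsed(start_wall: datetime, end_wall: datetime) -> float:
    """Elapsed hours between two Warsaw wall-clock times, measured in UTC."""
    return (local_to_utc(end_wall) - local_to_utc(start_wall)).total_seconds() / 3600

@dataclass
class IncidentRecord:
    """Register entry with the Article 19(4) fields plus the reporting timestamps."""
    detected: datetime                 # Warsaw wall-clock, naive
    description: str
    records_affected: int
    actions: List[str] = field(default_factory=list)
    outcome: str = ""
    initial_sent: Optional[datetime] = None
    detailed_sent: Optional[datetime] = None

    def deadlines(self) -> Dict[str, datetime]:
        """Deadlines as Warsaw wall-clock times, derived from elapsed hours since detection."""
        d = local_to_utc(self.detected)
        return {"initial_24h": utc_to_local(d + INITIAL_NOTICE),
                "detailed_72h": utc_to_local(d + DETAILED_REPORT)}

    def report_status(self, now: datetime) -> Dict[str, str]:
        """'on time' / 'late' for sent reports, 'pending' / 'overdue' for unsent ones."""
        d = local_to_utc(self.detected)
        now_utc = local_to_utc(now)
        status = {}
        for name, sent, limit in (("initial_24h", self.initial_sent, INITIAL_NOTICE),
                                  ("detailed_72h", self.detailed_sent, DETAILED_REPORT)):
            deadline = d + limit
            if sent is not None:
                status[name] = "on time" if local_to_utc(sent) <= deadline else "late"
            else:
                status[name] = "overdue" if now_utc > deadline else "pending"
        return status

# Constructed incident, detected the day before the 2026 spring clock change.
INCIDENT = IncidentRecord(
    detected=datetime(2026, 3, 28, 12, 0),
    description="Ransomware on file server srv-files-01 (constructed)",
    records_affected=14000,
    actions=["host isolated", "restore from backup started"],
    initial_sent=datetime(2026, 3, 29, 12, 30),
)

if __name__ == "__main__":
    naive = INCIDENT.detected + INITIAL_NOTICE   # 24h added to the wall-clock fields
    print("naive deadline:", naive, "=", hours_elapsed(INCIDENT.detected, naive), "elapsed hours")
    print("correct deadlines:", INCIDENT.deadlines())
    print("status:", INCIDENT.report_status(now=datetime(2026, 3, 30, 9, 0)))
```

The naive computation lands on 29 March 12:00, only 23 elapsed hours after detection, while the elapsed-time deadline is 13:00 CEST. The reverse error appears in October, where the naive deadline is an hour too early; storing detection times in UTC and converting only for display avoids both.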
Areas 4-5: Risk management and access security (tasks 18-27)
Risk management (tasks 18-22)
Article 16 of the KSC act requires a risk assessment. Methodology: threat identification (ransomware, phishing, DDoS, system failure, data loss, unauthorized access, supply chain security), probability assessment (high/medium/low), impact assessment (financial, operational, reputational), risk score as probability times impact, mitigation plan. Documentation: the risk assessment must be approved by the management board with a date. For critical systems: vulnerability scan at least every 3 months (Article 21(2)), report to the IT manager with remediation priorities.
Access security (tasks 23-27)
Task 23: MFA (multi-factor authentication): Article 22(1) of the KSC act requires MFA for all remote access and for critical systems. A practical rollout plan for MFA, PAM and SIEM at companies of 200 employees is set out in the article Zero Trust for a 200-employee company. At minimum: password plus a code from an app (Google Authenticator, Microsoft Authenticator) or SMS. Exception: systems that do not support MFA. In that case: login from a designated device with a fixed IP.
Task 24: Principle of Least Privilege: Article 22(2) of the KSC act. Every user receives only the permissions necessary to perform their duties. A mail administrator should not have access to the controlling system. Review permissions at least every six months and document changes in a report.
Task 25: PAM (Privileged Access Management): Article 22(1)(c) of the KSC act. Administrator accounts are a primary attack target. Requirements: automatic rotation of admin passwords every 90 days, recording of admin sessions (who does what on the system), approval of admin access by a manager, logging of every admin operation to SIEM.
Tasks 26-27: Password policy and offboarding: Article 22(1) of the KSC act. Minimum password length: 12 characters, no reuse of the last 5 passwords, admin password rotation every 90 days. Onboarding/offboarding: a new employee's account is created within 1 business day; a departing employee's access is deactivated within at most one business day. Procedure: printout of all access rights, confirmation of removal, archiving of the list.
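The password rules in tasks 25-27 (12-character minimum, no reuse of the last 5 passwords, 90-day rotation for administrators) are simple to state but must be enforced without ever storing old passwords in clear. The following is an added example, not code from the article or from any of the products it names: a password history that keeps only salted PBKDF2 hashes of the last five passwords, a policy check that reports every violation at once, and a rotation-due check for admin accounts. The iteration count is an assumption kept low so the example runs quickly; the sample passwords and dates are constructed.

```python
import hashlib
import hmac
import os
from datetime import date
from typing import List, Tuple

MIN_LENGTH = 12              # tasks 26-27: minimum password length
HISTORY_DEPTH = 5            # no reuse of the last 5 passwords
ADMIN_ROTATION_DAYS = 90     # admin password rotation every 90 days
PBKDF2_ITERATIONS = 100_000  # assumption, kept low for the example; raise it in production

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

class PasswordHistory:
    """Keeps salted hashes of the last HISTORY_DEPTH passwords, never the passwords themselves."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []   # (salt, digest), oldest first

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        del self._entries[:-HISTORY_DEPTH]             # drop anything older than the last 5

    def was_used(self, password: str) -> bool:
        # Re-derive with each stored salt; compare_digest avoids timing differences.
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._entries)

def check_new_password(candidate: str, history: PasswordHistory) -> List[str]:
    """Return all policy violations for a proposed password; an empty list means acceptable."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if history.was_used(candidate):
        violations.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return violations

def admin_rotation_due(last_changed: date, today: date) -> bool:
    """True when an administrator password has reached the 90-day rotation interval."""
    return (today - last_changed).days >= ADMIN_ROTATION_DAYS

if __name__ == "__main__":
    history = PasswordHistory()
    for pw in [f"Staging-Rotation-{i:02d}!" for i in range(1, 7)]:   # six constructed passwords
        history.record(pw)
    print(check_new_password("Staging-Rotation-01!", history))   # sixth-oldest: allowed again
    print(check_new_password("Staging-Rotation-02!", history))   # still in history: rejected
    print(check_new_password("Tr0ub4dor&3", history))            # 11 characters: rejected
    print(admin_rotation_due(date(2026, 1, 1), date(2026, 4, 1)))  # day 90: rotation due
```

Because each entry has its own salt, the check costs one key derivation per stored password, which is acceptable for a history of five; a longer history would justify a faster but still salted scheme. The 90-day test is a plain date comparison so it can run as a scheduled report over the admin account list rather than only at login.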
Areas 6-8: Monitoring, training and documentation (tasks 28-40)
Monitoring and threat detection (tasks 28-31)
Article 20 of the KSC act requires security event monitoring. Collect logs from all systems (servers, firewall, Active Directory, databases, business applications). Event correlation: 5 failed login attempts from different IPs within 10 minutes should generate an alert. Alerts on critical events: employee login after 10 pm, deletion of a large number of files, change of access rights, a new firewall rule. Log retention: Article 20(2) requires archiving for at least 12 months for critical systems. Logging must be tamper-proof. The log server should be separated from production systems.
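To make the correlation rules above concrete, here is an added example that is not part of the article and not Log360 or any other vendor logic: a small stream correlator run over constructed log lines in an invented `timestamp source key=value` format. It implements the page's rules (5 failed logins from different IPs within 10 minutes, login after 10 pm, access-rights change, new firewall rule) and one threshold the page leaves open, treating 50 deletions by one user inside the 10-minute window as "a large number of files"; that threshold, the log format, and every user name and address are assumptions.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

WINDOW = timedelta(minutes=10)
FAILED_LOGIN_THRESHOLD = 5    # page rule: 5 failures, different IPs, 10 minutes
MASS_DELETE_THRESHOLD = 50    # assumption for "a large number of files"
AFTER_HOURS_FROM = 22         # page rule: employee login after 10 pm

Alert = namedtuple("Alert", "rule user ts")
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+)(?P<kv>.*)$")

def parse_line(line: str) -> Optional[dict]:
    """Parse 'ISO-timestamp source key=value ...' into a dict; None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"]}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        event[key] = value
    return event

def correlate(lines: Iterable[str]) -> List[Alert]:
    """Stream log lines through the alert rules; returns alerts in order of firing."""
    alerts: List[Alert] = []
    failures = defaultdict(deque)    # user -> (ts, source ip) inside the window
    deletions = defaultdict(deque)   # user -> ts of delete events inside the window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src = ev["ts"], ev["source"]
        if src == "auth" and ev.get("result") == "FAIL":
            q = failures[ev["user"]]
            q.append((ts, ev["src"]))
            while ts - q[0][0] > WINDOW:          # slide the window forward
                q.popleft()
            if len(q) >= FAILED_LOGIN_THRESHOLD and len({ip for _, ip in q}) > 1:
                alerts.append(Alert("distributed_failed_logins", ev["user"], ts))
                q.clear()                          # one alert per burst
        elif src == "auth" and ev.get("result") == "OK" and ts.hour >= AFTER_HOURS_FROM:
            alerts.append(Alert("after_hours_login", ev["user"], ts))
        elif src == "acl":
            alerts.append(Alert("access_rights_change", ev["user"], ts))
        elif src == "fw" and ev.get("action") == "rule-add":
            alerts.append(Alert("new_firewall_rule", ev["user"], ts))
        elif src == "fs" and ev.get("action") == "delete":
            q = deletions[ev["user"]]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= MASS_DELETE_THRESHOLD:
                alerts.append(Alert("mass_file_deletion", ev["user"], ts))
                q.clear()
    return alerts

# Constructed sample log. Addresses are documentation ranges; names are invented.
SAMPLE_LOGS = [
    "2026-05-04T09:00:01 auth user=jkowalski src=10.0.0.5 result=FAIL",
    "2026-05-04T09:01:10 auth user=jkowalski src=10.0.0.6 result=FAIL",
    "2026-05-04T09:02:30 auth user=jkowalski src=203.0.113.7 result=FAIL",
    "2026-05-04T09:04:00 auth user=jkowalski src=198.51.100.9 result=FAIL",
    "2026-05-04T09:06:45 auth user=jkowalski src=192.0.2.14 result=FAIL",
    "2026-05-04T09:07:00 auth user=anowak src=10.0.0.20 result=OK",
    "2026-05-04T22:15:00 auth user=anowak src=10.0.0.20 result=OK",
    "2026-05-04T22:16:00 acl user=admin_p target=pwisniewski change=group-add group=DomainAdmins",
    "2026-05-04T22:17:00 fw user=admin_p action=rule-add rule=allow-any-3389",
]
# 60 deletions within one minute by the same account.
SAMPLE_LOGS += [f"2026-05-04T22:20:{s:02d} fs user=admin_p action=delete path=/srv/share/f{s}"
                for s in range(60)]
# Five failures from a single address: not matched by the different-IPs rule above.
SAMPLE_LOGS += [f"2026-05-04T23:0{m}:00 auth user=tzielinski src=10.0.0.31 result=FAIL"
                for m in range(5)]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(f"{alert.ts} {alert.rule:26} {alert.user}")
```

The single-address burst at the end is deliberate: it shows that the page's rule, as written, does not fire for a plain brute-force attempt from one IP, so a separate single-source threshold belongs next to it. The per-user deques give constant memory per rule regardless of log volume, which matters when the log server is the separate, tamper-resistant host the text calls for.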
Training and security awareness (tasks 32-35)
Article 24 of the KSC act requires cybersecurity training for all employees. Required: at least once a year, at least 2 hours. Documentation: list of attendees, training dates, topics (phishing, passwords, incident response, GDPR). IT staff should have specialist training once a year. Management/board: NIS2 responsibility training (who answers for what, consequences), 1 hour. Phishing simulations at least twice a year: sending an email with a suspicious link, checking how many employees click. Report on results for management.
Documentation and compliance management (tasks 36-40)
Article 25 of the KSC act requires documentation. Information asset register: classification of each database (critical, important, standard), business owner, retention period, backup procedures. Procedures: change management processes, system testing procedures, security procedures on new-hire onboarding. Contracts with critical suppliers: a security clause covering Article 11 of the KSC act (supplier obligations), an SLA with RTO/RPO, a duty to notify incidents within 24 hours, audit rights. Internal NIS2 audit: carry it out as soon as possible (before the national KSC act takes effect). The report should set out: what is done, what is missing, a remediation plan with dates. External auditor: Article 26 of the KSC act. The supervisory authority can require an external audit.
ManageEngine and NIS2 requirements: tool table
Detailed patch management requirements under NIS2 (Article 21(2)(e)) are covered in a separate article: Windows Server 2026 patch management. Read it after the table below. For a broader treatment of NIS2 requirements for ITSM systems, see the article on NIS2 and ITSM: practical helpdesk requirements.
| NIS2 requirement | ManageEngine tool | Specific capability |
|---|---|---|
| Asset inventory (tasks 6-11) | AssetExplorer / SDP Asset Module | Automatic network scan, CMDB, lifecycle management |
| Incident reporting 24h/72h (tasks 12-14) | ServiceDesk Plus | Security incident workflow, automatic notifications |
| Vulnerability management (task 19) | Vulnerability Manager Plus | Automatic scan, prioritization, manager report |
| Privileged access, PAM (task 25) | PAM360 | Password rotation, session recording, access approval |
| Log monitoring, SIEM (task 28) | Log360 | Event correlation, UEBA anomalies, 12+ months retention |
| Network monitoring (task 30) | OpManager | Alert on unavailability, network traffic anomalies |
| Account management, IAM (tasks 24, 27) | AD Manager Plus / AD360 | Offboarding, permission review, password policy |
Frequently asked questions: NIS2 Poland 2026
Does a small company (60 employees) fall under NIS2?
It depends on sector and size. Articles 6-7 of the KSC act define two categories: essential entity: 250+ employees OR revenue > EUR 50m (sectors: energy, transport, banking, healthcare, digital infrastructure); important entity: 50-249 employees OR revenue EUR 10-50m (additional sectors: postal services, waste, manufacturing, food, digital providers). A 60-person company in a covered sector therefore falls into the important entity category. A B2B services company outside the listed sectors is not covered. Check: PKD code + headcount + revenue. Compare with the annexes to the KSC act.
What happens if I do not meet NIS2 requirements by the deadline?
Essential entities: fines up to EUR 10m or 2% of annual turnover (the higher amount). Important entities: fines up to EUR 7m or 1.4% of turnover. The Polish NIS2 transposition (KSC amendment) may include transitional provisions deferring application of fines. The exact dates and conditions must be verified against the current text of the act or with a cybersecurity legal counsel. Regardless of fine dates: registration with CSIRT NASK and appointing a person responsible for cybersecurity have set deadlines. Do not delay.
Where do I start with NIS2 when I only have 2 people in IT?
Priority 1 (as soon as possible): Tasks 1-5 (qualification, preparing for CSIRT NASK registration, appointing a security officer). Priority 2 (right after): Tasks 6-8 (hardware list, application list, critical systems). With that minimum you can go to the board and justify a budget for the next steps (MFA, PAM, monitoring). Exact registration deadlines and the schedule for fulfilling obligations are set by the Polish NIS2 implementing act. Check the current status at rcl.gov.pl and on the CSIRT NASK pages.
Do I need an ISO 27001 certificate for NIS2?
Not explicitly required. The KSC act sets its own requirements regardless of ISO 27001. But an existing ISO 27001 implementation makes compliance much easier: a large share of NIS2 requirements overlaps with ISO controls. A certified company already has most of the documentation (security policy, risk management, access control, monitoring) and only needs to add NIS2-specific requirements (e.g., 24h/72h reporting deadlines, ISMS by board resolution, registration with CSIRT NASK).
Can I use Excel as the asset register for NIS2?
Technically yes. The KSC act does not mandate a specific tool. In practice, Excel is problematic at audit time (no auto-scanning, no change history, no export API). For a reliable asset register, consider dedicated CMDB tools (e.g., ManageEngine AssetExplorer, Endpoint Central, Lansweeper or Snipe-IT). Automatic discovery and change history make later reporting to the supervisory authority easier.
- National Cybersecurity System Act (KSC): the amendment implementing NIS2 is in the legislative process. Follow current status at rcl.gov.pl
- NIS2 Directive (EU) 2022/2555: official text
- CSIRT NASK, S46 platform: entity registration: registration procedure
- ManageEngine, NIS2 Compliance Guide 2026
- Zero Trust for a 200-employee company: how to start
- ManageEngine rollouts: ServiceDesk Plus, OpManager, PAM360
How many of the 40 NIS2 tasks have you already completed?
In 60 minutes we will assess your company's readiness, no strings attached. We talk to IT managers about NIS2 every day. We know what is urgent and what can wait.
Book a free NIS2 consultation →