NIS2 and patch management: what does your IT system need?

The NIS2 Directive requires vulnerability management. We look at exactly what your company has to do.

Compliance
Jakub Roszkiewicz · May 2026 · 12 min read

The NIS2 Directive (Network and Information Security 2, Directive (EU) 2022/2555) imposes real IT security obligations on EU companies. The transposition deadline for EU member states was 17 October 2024. Poland transposed NIS2 through the amended Act on the National Cybersecurity System (KSC 2.0), which entered into force on 3 April 2026 (Journal of Laws 2026, item 252). The Polish implementation was delayed relative to the EU deadline. One of the key NIS2 requirement areas is vulnerability and patch management. Below we walk through what the directive specifically requires and how ManageEngine Endpoint Central meets those requirements.

  • 10M EUR: maximum NIS2 fine for non-compliance (essential entities)
  • Art. 21(2)(e): vulnerability management requirement in NIS2
  • 24-48 h: typical SLA window for a critical CVE patch (good practice, not a statutory requirement)

Who is NIS2 for?

NIS2 does not cover every company - but check carefully whether yours is on the list.

Critical sectors (stricter requirements)

  • Energy and fuels
  • Public and road transport
  • Banking, finance and insurance
  • Digital infrastructure (data center, DNS, hosting)
  • Healthcare (hospitals, clinics)
  • Water utilities and waste management

Important sectors (moderate requirements)

  • Postal services
  • Manufacturing (food, chemicals, pharma, electronics)
  • Digital and SaaS services

Thresholds that apply to your company

Essential entities (energy, transport, banking, digital infrastructure etc.): 250+ employees OR revenue >50M EUR OR balance sheet total >43M EUR. Penalty up to 10M EUR or 2% of revenue.

Important entities (manufacturing, postal, waste management etc.): 50-249 employees OR 10-50M EUR revenue. Penalty up to 7M EUR or 1.4% of revenue.

Polish implementation: Poland transposed NIS2 through the amended Act on the National Cybersecurity System (KSC 2.0), which entered into force on 3 April 2026 (Journal of Laws 2026, item 252). EU deadline: 17 October 2024 - the Polish implementation was delayed. Supervisory authorities: ABW, NASK and the President of the Office of Electronic Communications.

Important: If you are a digital service provider for public-sector entities (cloud, hosting, SaaS, integrations), you are within NIS2 scope regardless of size. This applies to many Polish software houses and IT agencies.

What NIS2 says about patch management

NIS2 does not say "buy this tool and you are compliant". It talks about functional requirements. Article 21(2) requires "cybersecurity risk-management measures":

Art. 21(2)(e): vulnerability handling and disclosure

Every entity must have a process for identifying, registering and managing vulnerabilities across its IT environment. In practice this means:

  • A documented patching process: policy on paper, schedule, responsibilities
  • A register of patched/unpatched systems: where you store which patch, on which system, when
  • Vulnerability scanning (CVE): systematic search for known vulnerabilities in your environment
  • SLAs for critical patches: Art. 21(2)(e) is not specific on timing, but an inspector expects CVEs with CVSS >9.0 to be patched within 48 hours, CVSS 7-9 within 7 days, and the rest on a regular schedule
  • Evidence of execution: patching logs, reports (retained at least 3 years)
  • Exception procedure: for systems that cannot be patched you must have a document with technical justification and a re-assessment date

Art. 21(2)(a): risk analysis policies

Patch management fits into IT security policy. It must be part of an overall risk management strategy, not run in isolation.

Art. 21(2)(d): supply chain security

This applies if you work with suppliers/partners. Their missing updates are your risk. You must have contracts that obligate the supplier to patch regularly.

Specifics an NIS2 inspector will demand: They arrive with a checklist. They want to see the patching policy (document), the asset register (what you have in IT), a vulnerability report, patching logs (with dates), procedures for exceptions. If you do not have this, it is not just lack of compliance - it is a breach.

How ManageEngine Endpoint Central meets NIS2

ManageEngine Endpoint Central (EC) is a tool for managing updates and vulnerabilities on Windows, Linux and macOS. Below is exactly how EC meets each NIS2 requirement. If you manage a Windows environment and use WSUS, also see our guide WSUS deprecated - patch management alternatives.

| NIS2 requirement | Endpoint Central | How it works |
|---|---|---|
| IT asset register (CMDB) | Yes, CMDB | Automatic inventory: the EC agent collects data on each endpoint: OS, version, installed apps, network |
| Vulnerability scanning (CVE) | Yes, Vulnerability Scanner | Built-in scanner compares installed software against the CVE database. Report: which vulnerabilities, what CVSS, which systems are affected |
| Patch for CVE CVSS >9.0 within 48h | Yes, automatic rules | Set in EC: "If CVE CVSS >9.0, deploy the patch automatically within 48h." EC executes without waiting. |
| Patching evidence (audit log) | Yes, immutable audit log | Each patching action: date, time, system, version before, version after, status, errors. PDF/CSV export for the auditor. |
| Documented exceptions | Yes, Waiver Management | Create an exception: "This system cannot be patched because XYZ, re-assess 2026-10-15." The log remains in the system. |
| Report for management/auditor | Yes, ready templates | Dashboard: how many systems patched, pending, at risk. Quarterly export for management. |
| Multi-OS (Windows+Linux+macOS) | Yes, all three | EC handles patches for all three platforms from one console. |
| 3rd-party software (e.g. Adobe, Java, 7-Zip) | Over 1000 applications | EC is not only OS patching. It covers more than 1000 third-party applications: Firefox, Chrome, Zoom, Office and others (per ManageEngine documentation). |

A NIS2 compliance rollout plan: patch management

How to move from "we have no process" to "NIS2 compliant" in practice. A 6-8 week plan:

Week 1-2: Inventory

  • Install the ManageEngine EC agent on all systems (or via GPO for Windows)
  • Autodiscovery: EC finds systems on the network that do not have the agent
  • Report: list of every endpoint, OS, application versions
  • Your "NIS2 binder" item 1: Inventory report (dated)

Week 3: Vulnerability baseline

  • Run the Vulnerability Scanner in EC
  • Report: how many systems with vulnerabilities, CVSS distribution (Critical/High/Medium/Low)
  • Identify quick wins: vulnerabilities that can be patched the first weekend
  • Your "NIS2 binder" item 2: Vulnerability report BEFORE

Week 4-5: Policy and schedule

  • Create the document "[Company name] Patching Policy": goals, roles, schedule, SLAs, exception procedures
  • Define patching groups in EC: "Critical servers" (patch within 48h), "Desktop workstations" (within 7 days), "Other" (within 30 days)
  • Configure automatic rules in EC: if CVE CVSS >X.X, deploy to group Y within Z hours
  • Test on 10% of the environment
  • Your "NIS2 binder" item 3: Patching Policy document (signed by the IT manager/CISO)

Week 6-7: Critical patching

  • Deploy all CVE CVSS >7.0 on all systems
  • Monitoring: EC shows in real time what % of systems is patched, which are pending, which errors occur
  • Your "NIS2 binder" item 4: Patching logs (export from EC, PDF with dates)

Month 2: Maintenance

  • Start a regular schedule: every Tuesday patch all applications, second Tuesday of the month patch OS
  • Monthly report for the IT manager (showing trends)
  • Quarterly report for management (% of systems up to date, vulnerabilities remaining)

Quarter 2: Internal audit

  • Review the entire "NIS2 binder" through an auditor's eyes
  • Simulate a control: show documents, logs and reports to an outsider (internal auditor, consultant)
  • Apply fixes

Cost of implementation: ManageEngine Endpoint Central: license costs start around 800 PLN/year for 50 systems. Implementation (configuration, policy build, training) typically 8 000-15 000 PLN. Rotech rolls out EC for companies in Poland. Book a free analysis.

Documentation for an NIS2 auditor

When the ABW/NASK inspector arrives, they want to see this binder:

1. Update management policy

A PDF (at least 2-3 pages) containing:

  • Purpose: maintain security of systems through regular patch management
  • Scope: which systems are covered (all endpoints, servers, business applications)
  • Roles and responsibilities: who decides, who implements, who controls
  • Schedule: "Critical patches within 48h, high within 7 days, others within the maintenance window"
  • Exception procedure: "If a system cannot be patched for technical reasons, an exception is created with justification and a re-assessment date"
  • Log retention: "Patching logs retained for at least 3 years"
  • Signature and date of the CISO/IT manager, approval by leadership (or the board for larger companies)

2. Asset inventory report

Export from ManageEngine EC (or another tool): list of all systems, OS, installed software. Can be CSV or PDF. Important: report date.

3. Vulnerability report BEFORE and AFTER

Two reports: "Vulnerability status 2026-04-01" (before EC) and "Vulnerability status 2026-05-01" (after 4 weeks). Shows the trend: there were 50 vulnerabilities, now 12, risk dropped.

4. Patching logs

EC export for the last 3-6 months (recommended practice: retain 3 years). Format: date, system, patch, version before/after, status (success/failed). EC generates this in one click.

5. Exceptions list

For systems you do not patch: "System A: server dedicated to application X, cannot be patched because the application does not support a newer OS, re-assess 2026-09-01."

6. CSIRT contact point

Who is responsible for patch management in the company, phone number, email. NIS2 requires a "Contact Point". It can be the same person.

All of these documents are generated or supported by ManageEngine EC. You write the policy once, then each month you click "Export report" in EC.

Penalties for NIS2 non-compliance

The NIS2 Directive (Art. 34-36) sets maximum penalty ceilings that member states implement in national law. In Poland, penalties stem from the amended Act on the National Cybersecurity System (KSC 2.0), which entered into force on 3 April 2026 (Journal of Laws 2026, item 252). Verify exact amounts and the imposition procedure against the current KSC text.

Important: The amended KSC Act, implementing NIS2, entered into force on 3 April 2026. The Act provides a transitional period for full adoption of risk management measures, with an earlier deadline for self-identification and entity registration. Verify current deadlines against the Act. Preparing documentation and processes takes time - do not delay.

Penalty ceilings from the NIS2 Directive

  • Essential entities: fine up to 10,000,000 EUR or up to 2% of global annual turnover (whichever is higher)
  • Essential entities: personal liability of board members. New in NIS2: the IT director or CEO can be held responsible
  • Important entities: fine up to 7,000,000 EUR or up to 1.4% of global annual turnover

Illustrative example

Example: assume a manufacturing plant with 200 employees, 50M PLN revenue per year (manufacturing - important entity). Assume an inspection finds systems with serious, months-old unpatched vulnerabilities and no documented patching policy.

At the maximum ceiling for important entities (1.4% of turnover), the upper bound on the fine from that revenue would be about 700,000 PLN - this is illustrative, the actual fine depends on the supervisory authority and many factors. The Act also allows personal liability of those in charge.

For comparison, the cost of implementing a patch management tool and policy is usually a few to a dozen thousand zlotys. Penalties aside, a documented patching process reduces real attack risk.

Additional risk: If a lack of patching leads to an attack (e.g. ransomware exploiting a known CVE), the inspector can hold you to blame. The fine is worse, but lack of protection is also "practically inviting hackers in".

NIS2 patch management checklist

Print this, sign as IT manager, store in the NIS2 binder:

  • IT asset inventory system in place - ManageEngine EC, CMDB, or equivalent
  • Automatic vulnerability scanning (CVE) - run at least monthly
  • Documented patching policy - PDF, approved by the manager, retained at least 3 years
  • SLAs for critical patches - CVE CVSS >9: 48h, CVSS 7-9: 7 days, others: regular schedule (e.g. second Tuesday of the month)
  • Patching logs retained at least 3 years - with dates, systems, versions, statuses
  • Quarterly report for management - % of systems up to date, number of vulnerabilities, trend
  • Exception procedure for systems that cannot be patched - with technical justification and re-assessment date
  • CSIRT contact point - who is responsible for patch management, phone/email
  • Vendor contracts requiring patch management - if you work with service providers or cloud providers
  • Internal audit at least once a year - compliance review, report, fixes

This checklist is the minimum. For critical sector companies (energy, finance, infrastructure) requirements may be stricter. Consult a CISO or compliance specialist. For the full list of 40 tasks for an IT manager see our article NIS2 IT manager checklist.

Jakub Roszkiewicz
CTO · Rotech Group · ManageEngine implementer