NIS2 / KSC for businesses

We guide organisations from entity status qualification through ISMS implementation, the 24h/72h/1 month incident process and supervisory readiness.

Brands we've worked with

1koszyk
Adresowo
AnyPark
Atomstore
Autopay
Baselinker
BMG Goworowski
Booksy
Booste
Bratna
Cashbene
Codility
DPay
EasySend
Fenalabs
Fenige
FiberPay
Happy Birds

scope of NIS2 and the KSC amendment

We support companies in moving from applicability analysis to operational compliance: ISMS, governance, incidents, audits and supply chain obligations.

ISMS and risk management

We design an information security management system (ISMS) appropriate to the scale of risk and the business model.

Incidents and reporting obligations

We build procedures for the 24-hour, 72-hour and 1-month obligations along with ready-made notification templates.

Management board responsibility

We organise the role of the entity's head, the supervisory model and the annual training required by the act.

Supply chain and HRV

We assess IT vendor risks, design contractual clauses and plan migration scenarios following HRV (high-risk vendor) decisions.

Entry into force: 1 month from publication in the Journal of Laws; if published in late February 2026, this means the end of March 2026 (estimate).

Administrative sanctions: essential entity up to EUR 10 million or 2% of turnover, important entity up to EUR 7 million or 1.4% of turnover; in critical situations up to PLN 100 million.

Legal status of this material: 21 February 2026.

essential and important entities

First we determine the organisation's legal status, because it dictates the supervisory model, the scope of audit and the level of sanctions. In practice the key question is: are you an essential entity (often referred to as "critical") or an important entity?

How to determine status: 4 qualification steps

Step 1: sector of activity

We check whether the activity falls within the sectors listed in Annex 1 (essential sectors) or Annex 2 (important sectors).

Step 2: size of the organisation

We verify the medium-sized enterprise threshold: at least 50 employees or at least EUR 10 million in turnover and EUR 10 million in total balance sheet.

Step 3: size-independent exceptions

Some entities fall under the regime regardless of size, e.g. DNS/TLD, selected ICT services, qualified trust service providers, CER critical entities and some public entities.

Step 4: status and supervisory model

The result is either essential or important entity status, which determines the mode of supervision, audit and the scope of evidentiary obligations.

Essential entity

As a rule: large entities from essential sectors and the categories designated by statute regardless of size (including some ICT providers and critical entities).

  • Proactive supervision
  • Periodic external audit
  • Highest sanction tier

Important entity

Typically medium and large entities from important sectors, plus some entities from essential sectors that do not meet the criteria for essential status.

  • Reactive supervision
  • Audit on order or after an incident
  • Full systemic obligations

DORA and financial entities

For financial entities we separate DORA and KSC obligations and design a single integrated compliance model to avoid duplicated processes.

Registration and self-identification

The entity classifies its own status and submits an entry to the list. After the act enters into force, the typical timelines are 6 months to register entities that already meet the criteria, and 2 months from the moment the criteria are met later on.

Is it an essential entity? The most common examples

Essential entity
  • A large hospital or network of healthcare providers
  • A large operator of digital infrastructure (cloud, data centre, CDN)
  • DNS/TLD service provider or qualified trust service provider
  • A critical entity within the meaning of CER
  • A large operator of energy, transport or water and sewage infrastructure
  • A large bank or financial market entity outside the scope of sectoral exemptions
  • Selected public administration entities from Annex 1

Is it an important entity? The most common examples

Important entity
  • A medium or large food, chemicals or electronics manufacturer
  • A medium-sized operator of postal services or waste management
  • A medium-sized company in an essential sector that does not meet the criteria of an essential entity
  • Selected public entities from Annex 2
  • A medium-sized research and development entity in sectors covered by the act
  • A non-qualified trust service provider falling under the important entities category
  • Selected electronic communications undertakings meeting the statutory criteria

legal status / content as of: 21 February 2026

implementation timeline

We show both confirmed and conditional dates to avoid sending the wrong message about when the rules take effect.

23 January 2026

The Sejm passed the KSC amendment implementing NIS2.

20 February 2026

The Senate adopted the act without amendments.

after publication in the Journal of Laws

Vacatio legis: 1 month from the date of publication.

end of March 2026

Indicative scenario assuming publication in late February 2026.

~6 months from entry into force

Deadline for registering the entity in the list.

~12 months from entry into force

Deadline for full implementation of the system requirements.

NIS2/KSC implementation plan: stages 0-10

We close each stage with a document that can be used both operationally and as evidence before the supervisory authority.

Stage 0 — entity qualification

We check whether KSC applies to the organisation and whether it is an essential or important entity. It ends with an applicability assessment.

Stage 1 — registration and governance

We enter the entity into the list, set up contact roles and the management responsibility model. A registration package is delivered.

Stage 2 — ISMS and risk management

We build the Information Security Management System (ISMS), the risk methodology and a set of security policies.

Stage 3 — supply chain

We assess vendors, run due diligence and prepare the organisation for an HRV scenario. A supply chain security package is delivered.

Stage 4 — incident procedures

We design the notification and escalation process for significant incidents — the result is an incident reporting procedure.

Stage 5 — cyber structures

We set up internal functions or select an outsourced SOC/CSIRT model. A cyber governance charter is delivered.

Stage 6 — training

We create programmes for the management board and teams together with a training register. A training matrix is delivered.

Stage 7 — audit

We prepare the organisation for periodic audit and for the ordered audit mode. The result is an audit readiness package.

Stage 8 — regulatory integration

We tie KSC together with DORA, GDPR, AI Act and the remaining regulations into a single regulatory matrix.

Stage 9 — continuous monitoring

We implement a review mechanism, change management and readiness for protective orders. A continuous compliance maintenance plan is delivered.

Stage 10 — internal audit and competitive edge

We review compliance on a regular basis, optimise costs and use it as a competitive edge. An annual review report is delivered.

incidents: the 24h / 72h / 1 month rule

Procedural readiness is key. In practice, the biggest risks are late notification and inconsistent communication with the CSIRT and customers.

24 hours

Early warning after a significant incident is detected.

72 hours

Incident notification with an updated impact assessment and indicators of compromise.

1 month

Final report or progress report if the incident is still being handled.

We integrate the process with GDPR obligations to avoid conflicting messages in incidents involving personal data.

ICT supply chain and HRV

Replacing vendors and technologies can be the most expensive area. That is why we plan for the contractual, operational and migration risks before any crisis-driven decision has to be made.

Vendor risk assessment

We assess critical vendors, technical dependencies and concentration risk.

Contractual clauses

We implement SLA, audit, notification and vendor exit-plan clauses.

HRV migration plan

We build a migration scenario for high-risk vendor (HRV) decisions.

integrating NIS2/KSC with other regulations

We implement a single compliance model covering cyber, data and operations, rather than parallel silos.

NIS2/KSC + DORA

Delineation of IT obligations for financial entities and their providers.

NIS2/KSC + GDPR

Consistent incident handling and aligned communication with regulators and users.

NIS2/KSC + AI Act

Cybersecurity of AI systems and governance of model usage.

NIS2/KSC + CER

A shared resilience architecture for critical entities.

NIS2/KSC + MiCA

A cybersecurity model for CASPs and crypto-asset services.

NIS2/KSC + eIDAS

Coordinated requirements for trust services and digital infrastructure.

NIS2/KSC service packages

We tailor the implementation scope to the organisation's maturity and the level of regulatory risk.

NIS2/KSC readiness diagnosis

A quick assessment of status, gaps and action priorities.

Workshop: the management board's responsibility for cyber

Workshop for the management board: personal liability and decision model.

Full NIS2/KSC implementation

Full NIS2/KSC implementation: documentation, procedures, training and a compliance maintenance model.

Incident response procedure

Incident reporting and handling model with ready-made templates.

Supply chain security (HRV)

Vendor assessment and migration plan for HRV scenarios.

Ongoing NIS2 compliance support

Continuous compliance maintenance, change monitoring and supervisory support.

expert leading the NIS2/KSC practice

In NIS2 projects we combine the legal and operational perspectives to reduce management risk and keep services running.

Expert support from the qualification stage onwards

  • Entity qualification and obligations map
  • Practical design of the ISMS and incident handling
  • Support for the management board and technical teams
  • Experience at the intersection of several regulations: DORA, GDPR, AI Act, MiCA
  • Support during inspections and proceedings
  • Implementation model tailored to the size of the organisation

Contact us about NIS2/KSC

Tomasz Klecor

Managing Partner

FinTech navigator. Lawyer.

For 15 years he has helped Poland's largest and most ambitious fintechs grow safely and globally. Starting as a lawyer, he now combines law, strategy, and technology — advising founders and boards on key decisions: how to scale in compliance with regulations, how to correctly implement DORA, MiCA, or AML and prepare for PSD3/PSR, and how to avoid the regulatory killers that can stop growth in its tracks.

NIS2/KSC FAQ

The most common questions from management boards, compliance and IT teams during NIS2 implementations.

No. Qualification depends on the sector of activity and size thresholds, and some entities are covered regardless of size because of the nature of their services.

First we identify the sector (Annex 1/2), then size thresholds and the exceptions that apply regardless of size. Essential status usually means a higher level of supervision and audit.

It is a multi-stage incident reporting process: an early warning, a more detailed notification and a final or progress report to the relevant CSIRT.

Yes. Management is responsible for implementing and overseeing the security system, so the governance model and evidence of compliance must be in order.

No. In the financial sector, obligations from both regimes need to be properly separated and integrated to avoid gaps or duplicated work.

You need a migration plan, a management decision path and contractual safeguards for service continuity, before operational pressure builds up.

Essential entities undergo periodic audits, while important entities may be audited at the regulator's request, after an incident, or once breaches are identified.

With status qualification and a gap map. This sets the order of stages 0-10, the scope of documentation and the implementation priorities.

ITSec DORA/NIS2 guidelines ready to implement

A resource for organisations that want to quickly bring order to their cyber activities and team responsibilities. Download the PDF and work from ready-made control points.

  • 1250+ guidelines covering the full cycle: governance, incidents, continuity, providers.
  • 26 categories that can be mapped to NIS2/KSC and DORA obligations.
  • A practical format for security, compliance, and board teams.
  • Material designed for joint work with ICT providers across the supply chain.

get in touch about NIS2/KSC

In the first call we determine the project stage: diagnosis, implementation or compliance maintenance after the system goes live.

Our NIS2 / KSC practice is led by:

Tomasz Klecor

Managing Partner

FinTech navigator. Lawyer.

+48 797 711 924
info@legalgeek.pl

Describe your project stage

Tell us whether you need an entity diagnosis, full NIS2/KSC implementation, or a compliance maintenance and audit model.