NIS2 – New Responsibilities and Personal Liability of Management Board

Cybersecurity is no longer solely an IT or compliance issue. With the implementation of the NIS2 Directive, responsibility for information security has become a matter of direct management oversight, with potential personal consequences for members of management bodies.

The amendment to the Polish National Cybersecurity System Act (KSC) implements Directive (EU) 2022/2555 (NIS2), adopted on 14 December 2022, aiming to harmonise and strengthen cybersecurity standards across the European Union. The new framework significantly expands the scope of regulated entities and increases supervisory expectations.

Scope of NIS2

The previous version of the KSC Act mainly applied to operators of essential services (such as energy or transport). NIS2 introduces two categories of entities and significantly expands the list of organisations covered by the Directive:

  • essential entities,
  • important entities.

The amendment to the KSC Act extends regulatory coverage to many new businesses operating in sectors such as wastewater management, postal services, the space sector, as well as the production and distribution of chemicals and food.

At this stage, it is already possible to make a preliminary assessment of whether a given company will fall under NIS2 by analysing the following factors:

  • whether the company meets the criteria of at least a medium-sized enterprise,
  • whether it operates in sectors covered by NIS2 (e.g. energy, transport, healthcare, digital services, critical infrastructure, trust services),
  • whether it previously held the status of an operator of essential services or an important entity.

Responsibility of the Management Body

NIS2 imposes direct obligations on management bodies, explicitly stating that they:

  • approve cybersecurity risk management measures,
  • oversee their implementation.

Management bodies are required to supervise, among others:

  • the assessment of vulnerabilities of key ICT suppliers,
  • risks arising from dependencies on third-party entities,
  • the adequacy of contractual provisions related to cybersecurity.

In addition, management bodies bear responsibility for breaches of the above obligations. In practice, this means that a management board member becomes responsible for cybersecurity, which is now as important as managing business, financial or operational risks. These obligations are personal in nature and cannot be delegated to IT departments, external service providers or other entities. Management bodies are therefore required to undergo cybersecurity training.

Sanctions Imposed on Management Bodies

The new regulations introduce severe sanctions not only for the entity itself, but also directly for the head of an essential or important entity – in practice, the CEO or members of the management board.

The sanctions include:

  • up to EUR 10 million or 2% of global annual turnover – for essential entities,
  • up to EUR 7 million or 1.4% of global annual turnover – for important entities,
  • a temporary ban on holding managerial positions,
  • administrative monetary penalties.

Summary

The NIS2 Directive and amendments to the KSC Act significantly change the rules of responsibility for cybersecurity — placing the primary duty of oversight on management boards. Members of management bodies must be aware that they may bear personal liability, both financial and organisational.

SKLAW supports management boards and senior executives in preparing organisations for compliance with the NIS2 Directive, in particular through:

  • NIS2 and KSC compliance audits,
  • support in implementing risk and incident management procedures,
  • analysis of supply chain security and contractual provisions,
  • executive-level cybersecurity and legal liability training,
  • advisory services for management board members regarding personal liability.

Legal status as of 26 January 2026. This article is for informational purposes only and does not constitute legal advice.
