NIS2: Are you compliant with cyber security requirements?

What is NIS2?

The NIS2 Directive is a new European Union directive on cyber security. In Poland it is implemented by the UKSC (the Act on the National Cyber Security System), which applies from 3 April 2026. Its main objective is to raise the level of cyber security among entities considered key and important to the functioning of the economy and society.

The NIS2 Directive - who does it cover?

45% of organisations are considered prepared for the new regulations (KPMG).

66% of companies recorded a security incident in 2023.

Under the NIS2 Directive, key and important entities must implement appropriate security measures.

Key entities (key organisations):
- over 250 employees
- revenue > EUR 50 million

Important entities (important organisations):
- at least 50 employees
- revenue > EUR 10 million

Sectors subject to the NIS2 Directive

01. Energy
02. Postal and courier services
03. Transport
04. Manufacturing
05. Healthcare
06. Digital infrastructure
07. Public administration
08. Space
09. Banking
10. Digital services
11. Food
12. Public networks
13. Water
14. Data centres
15. Wastewater and waste

New NIS2 requirements

Key changes and responsibilities for the organisation:

Extension of scope: all medium-sized and large enterprises in the key and important sectors fall under the new regulatory framework.

Reporting of incidents: a duty to report incidents in stages - an early warning within 24 hours, a full notification within 72 hours, and a final report within one month.

Cyber resilience: emphasis on implementing modern IT security technologies and on continuous monitoring of systems to build lasting cyber resilience.

Personal responsibility: management is directly liable for failure to implement the requirements; the penalty can be up to 300% of salary.

Administrative penalties: up to EUR 10 million or 2% of annual revenue for key entities, and up to EUR 7 million or 1.4% of annual revenue for important entities.

Information exchange: mandatory cooperation at EU level and the exchange of data on new threats between Member States.

Financial implications of non-compliance

Failure to comply with the requirements of the NIS2 Directive carries severe sanctions. These are intended to push organisations to make their processes genuinely secure, rather than treating cyber security as a merely formal obligation.

Key sector - administrative sanctions:
- a maximum fine of EUR 10 million, or
- 2% of annual revenue from the previous year

Important sector - administrative sanctions:
- a maximum fine of EUR 7 million, or
- 1.4% of annual revenue from the previous year

Important: in each case the supervisory authority applies whichever value is higher, the fixed amount or the percentage of revenue.

Ensure NIS2 compliance with Rulity

We guide companies through the process of complying with the directive - from the initial gap analysis, through technology selection, to ongoing security monitoring.

01. Gap analysis and compliance audit: we assess the current state of security and identify the areas that need to be addressed before NIS2 comes into force.

02. Infrastructure implementation and protection: we implement technical solutions tailored to the scale of your business.

03. Continuous supervision (SOC): our team is on watch around the clock - we detect threats before they become an incident.

A cyber threat may already be active on your network.

Don't wait for an incident - find out how to effectively protect your organisation and meet NIS2 requirements.

Contact an expert