NIS2 and GDPR – What They Have in Common and What You Need to Do

Apr 15, 2026 | GDPR and iGDPR guides for practitioners and beginners

From 3 April 2026, the amended Act on the National Cybersecurity System (KSC), implementing the EU NIS2 Directive, is in force in Poland. For thousands of organisations across Europe, this means new cybersecurity obligations — regardless of whether they already comply with the GDPR. This is because the GDPR and NIS2 are two separate legal instruments that operate in parallel and cover partially overlapping areas: risk management, data security, and incident reporting.

What Is NIS2

NIS2 (Directive 2022/2555) is an EU directive imposing cybersecurity obligations on entities operating in critical sectors of the economy. In Poland it was implemented through an amendment to the Act on the National Cybersecurity System, published on 2 March 2026 and entering into force on 3 April 2026.

NIS2 replaces the previous NIS Directive from 2016 and significantly expands the range of entities subject to the regulation — covering not only critical infrastructure operators but also organisations from 18 economic sectors, including the food, chemical, postal and wastewater sectors.

Who Is Subject to NIS2 — Essential and Important Entities

NIS2 introduces a two-tier classification:

Essential Entities — sectors of the highest criticality: energy, transport, banking and financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space. Subject to stricter obligations and more frequent audits.

Important Entities — postal and courier services, waste management, manufacture and distribution of chemicals, production, processing and distribution of food, manufacture of medical devices, machinery, motor vehicles, electronic equipment, digital services, scientific research.

Size threshold: the regulation generally applies to medium and large enterprises — at least 50 employees and the applicable financial thresholds (€10 million annual turnover or balance sheet total). However, some entities are covered regardless of size due to their particular role in the digital or infrastructure ecosystem.

Self-identification: a self-identification model applies — the organisation must independently assess whether it meets the criteria for classification as an essential or important entity. If so — it has 6 months from the entry into force of the Act to apply for inclusion in the register maintained by the Ministry of Digitalisation.

Key Deadlines

3 April 2026 — Act enters into force; incident reporting obligations apply from this date

3 October 2026 — deadline to apply for inclusion in the register of essential and important entities (6 months from entry into force)

3 April 2027 — deadline to implement an information security management system (ISMS) and risk and incident management procedures (12 months from entry into force)

~April 2028 — deadline for essential entities to conduct the first mandatory compliance audit (24 months from entry into force)

Grace period: the Act provides that administrative financial penalties may be imposed for the first time only after 2 years from the date of entry into force — i.e. from approximately April 2028.

Where NIS2 and GDPR Overlap

Both regulations operate in parallel — NIS2 does not replace the GDPR and vice versa. But they cover the same areas, imposing similar — though not identical — requirements. Organisations subject to both must comply with both simultaneously.

Risk management — both the GDPR (Article 32) and NIS2 require risk assessment and appropriate technical and organisational measures. The GDPR focuses on risk to the rights and freedoms of individuals; NIS2 focuses on risk to service continuity and system security. An organisation with an implemented GDPR risk assessment and DPIA has a solid foundation for NIS2 requirements, but needs to extend it to include the cybersecurity perspective.

Incident reporting — the GDPR requires reporting a personal data breach to the supervisory authority within 72 hours. NIS2 introduces even stricter timelines: an initial report of a serious incident to the relevant CSIRT within 24 hours, a full report within 72 hours, and a final report after one month. A NIS2 incident may — but need not — simultaneously be a personal data breach under the GDPR. If it is, it may require parallel reporting to the supervisory authority.

Technical and organisational security — Article 32 GDPR and NIS2 impose similar requirements: encryption, access control, vulnerability management, business continuity. Organisations that have implemented security measures under the GDPR have a good starting point for NIS2 — but NIS2 requirements are more technically detailed.

Management accountability — both the GDPR and NIS2 emphasise management responsibility. In NIS2 this is stated explicitly: managers of essential and important entities are directly responsible for fulfilling cybersecurity obligations and may bear personal liability for violations.

Documentation and accountability — the GDPR requires maintaining a record of processing activities and documenting policies. NIS2 requires maintaining an incident register, security measure documentation, and risk management policies. In many cases, GDPR documentation provides the foundation to build on for NIS2 requirements.

What NIS2 Adds Beyond the GDPR

NIS2 goes beyond the GDPR in several significant areas:

Supply chain security — NIS2 requires assessment and management of cybersecurity risks from suppliers and subcontractors. The GDPR regulates data processing agreements — NIS2 goes further, requiring active assessment of the security level across the entire supply chain.

Business continuity and crisis management — NIS2 requires business continuity plans (BCP) and disaster recovery plans (DRP). The GDPR has no such explicit requirements — though it does require measures ensuring “the ability to restore the availability and access to personal data in a timely manner”.

Management training — NIS2 explicitly requires training of senior management in cybersecurity. This is a new requirement compared to the GDPR.

Compliance audit — essential entities are required to conduct a compliance audit within 24 months of the Act entering into force.

The Role of the DPO Under NIS2

A Data Protection Officer appointed under the GDPR does not replace the NIS2 requirements for cybersecurity specialists. These are two separate roles with different competencies. The DPO focuses on personal data protection and GDPR compliance — NIS2 requires expertise in technical cybersecurity and incident management.

However, the DPO can and should cooperate with those responsible for NIS2 compliance on: incidents that simultaneously constitute personal data breaches, documenting security measures required by both regulations, and risk assessments covering both the GDPR and NIS2 perspectives.

Practical Plan — What to Do Now

Step 1 — Check whether NIS2 applies to you (by 3 October 2026)

Assess whether your organisation operates in one of the 18 sectors covered by NIS2 and meets the size criterion (≥50 employees and ≥€10M turnover). If so — apply for inclusion in the register of essential and important entities.

Step 2 — Map gaps against NIS2

Compare existing GDPR documents and procedures with NIS2 requirements. Many elements — risk assessment, security policies, incident response procedures — can be extended rather than built from scratch.

Step 3 — Implement an information security management system (by 3 April 2027)

The ISMS should cover risk management, incident management, business continuity, and supply chain security procedures.

Step 4 — Prepare incident reporting procedures

Procedures must be operational from 3 April 2026 — an incident can happen at any time. The 24-hour deadline for an initial report to CSIRT is stricter than the GDPR’s 72-hour deadline.

Step 5 — Conduct a compliance audit (by ~April 2028, for essential entities)

The audit confirms fulfilment of obligations under the NIS2 Act and is a statutory requirement for essential entities.
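The parallel reporting tracks described under "Where NIS2 and GDPR Overlap" and in Step 4 are easy to get wrong in the first hours of an incident, when one event may trigger reports to two different recipients on two different clocks. The following script is an added illustration for this article, not code from the original text or from iGDPR: it turns the timelines stated on the page (NIS2: 24-hour initial report, 72-hour full report, final report after one month; GDPR: 72-hour breach notification) into one ordered deadline schedule, and handles the case where a NIS2 incident is, or is not, also a personal data breach. Two assumptions are not stated on the page and are marked in the code: both clocks start from the same detection timestamp, and "one month" is approximated as 30 days.

```python
"""Parallel incident-reporting deadlines under NIS2 and the GDPR.

Added illustration for this article, not part of the original text.
Assumptions not stated on the page: both clocks start at the same detection
timestamp, and the NIS2 "one month" final-report window is taken as 30 days.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Timelines as described in the article.
NIS2_EARLY_WARNING = timedelta(hours=24)
NIS2_FULL_REPORT = timedelta(hours=72)
NIS2_FINAL_REPORT = timedelta(days=30)      # assumption: "one month" ~ 30 days
GDPR_BREACH_NOTIFICATION = timedelta(hours=72)


@dataclass(frozen=True)
class Obligation:
    regime: str      # "NIS2" or "GDPR"
    report: str      # which report is due
    recipient: str   # who receives it
    due: datetime    # deadline (timezone-aware)


def reporting_obligations(detected_at: datetime,
                          nis2_serious_incident: bool,
                          personal_data_breach: bool) -> list[Obligation]:
    """Return every report the incident triggers, earliest deadline first.

    A NIS2 incident may, but need not, also be a GDPR personal data breach;
    when it is, both tracks run in parallel and neither replaces the other.
    """
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    obligations: list[Obligation] = []
    if nis2_serious_incident:
        obligations += [
            Obligation("NIS2", "early warning", "relevant CSIRT",
                       detected_at + NIS2_EARLY_WARNING),
            Obligation("NIS2", "full report", "relevant CSIRT",
                       detected_at + NIS2_FULL_REPORT),
            Obligation("NIS2", "final report", "relevant CSIRT",
                       detected_at + NIS2_FINAL_REPORT),
        ]
    if personal_data_breach:
        obligations.append(
            Obligation("GDPR", "breach notification",
                       "data protection supervisory authority",
                       detected_at + GDPR_BREACH_NOTIFICATION))
    # sorted() is stable, so the NIS2 full report and the GDPR notification,
    # which share the 72-hour deadline, keep their insertion order.
    return sorted(obligations, key=lambda o: o.due)


def overdue(obligations: list[Obligation], now: datetime) -> list[Obligation]:
    """Reports whose deadline has already passed at `now`."""
    return [o for o in obligations if o.due <= now]


def schedule_lines(obligations: list[Obligation]) -> list[str]:
    """Human-readable schedule, one line per report."""
    return [f"{o.due.isoformat()}  {o.regime:<4} {o.report} -> {o.recipient}"
            for o in obligations]


# Constructed sample: a ransomware incident detected at 09:00 UTC on
# 10 April 2026 that both disrupts service (NIS2) and exposes customer
# records (GDPR).
SAMPLE_DETECTED_AT = datetime(2026, 4, 10, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    both = reporting_obligations(SAMPLE_DETECTED_AT,
                                 nis2_serious_incident=True,
                                 personal_data_breach=True)
    for line in schedule_lines(both):
        print(line)
```

Running the script prints four deadlines: the NIS2 early warning at 09:00 on 11 April 2026, the NIS2 full report and the GDPR notification both at 09:00 on 13 April, and the NIS2 final report on 10 May. Calling `reporting_obligations` with `personal_data_breach=False` drops the GDPR line without touching the NIS2 track, which is the point the article makes: the two obligations are independent and one report does not satisfy the other.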

Summary

NIS2 and the GDPR are two regulations that overlap in the areas of risk management, data security, and incident response — but have different scopes and objectives. The GDPR protects the rights of individuals. NIS2 protects the continuity of critical services and the security of information systems. Organisations subject to both must comply with both — while having the opportunity to use existing GDPR documentation as a starting point. The nearest key deadline: 3 October 2026 — registration as an essential or important entity.

FAQ

Does NIS2 apply to every company?

No — the regulation generally covers medium and large enterprises (≥50 employees) operating in 18 specified sectors. Some entities are covered regardless of size due to their particular role in infrastructure.

If I comply with the GDPR, am I ready for NIS2?

Partly. Many elements overlap — risk assessment, security policies, incident response. But NIS2 adds requirements the GDPR does not have: supply chain security, business continuity plans, management training, compliance audits.

When do NIS2 penalties apply?

The Act provides a grace period — administrative financial penalties may be imposed at the earliest after 2 years from the Act’s entry into force, i.e. from approximately April 2028. The maximum penalty for essential entities is €10 million or 2% of annual turnover.

What is a CSIRT and how do you report incidents?

A CSIRT (Computer Security Incident Response Team) is the team that receives and handles cybersecurity incident reports. Under NIS2, the initial report of a serious incident must be submitted to the relevant CSIRT within 24 hours of detection.

Can the DPO be responsible for NIS2 compliance?

The DPO and the NIS2 cybersecurity specialist are two separate roles with different competencies. One person may hold both roles — but must possess competencies in both areas and there must be no conflict of interest.

GDPR and NIS2 have more in common than you think

If you understand risk assessment under the GDPR and know how to document incidents — you have a solid foundation for understanding the processes required by NIS2. iGDPR helps you keep GDPR in order every day.
