

NIS2 and UKSC — sensible compliance, not panic

The amended Polish Cybersecurity Act (UKSC) has been in force since April 3, 2026. It's not rocket science — you're already implementing most of the requirements to some degree. Our job is not to build everything from scratch, but to leverage what works, add the missing elements, and help document compliance. Every offering of ours starts with an audit — without it, we don't know what really needs to be done.

3.04.2026: date of entry into force
12 months: time for ISMS implementation
up to EUR 10M: maximum penalty

How we work

6 stages of NIS2 compliance

Every offering starts with an audit — without it, we can't tell what really needs to be done in your company. We can run the entire process end-to-end or support you only in selected stages. It all depends on what you already have and who works for you.

1. Compliance audit (gap analysis)

The starting point of every project. We check whether NIS2 applies to you, in what scope, where you are today, and where the requirements want you to be. If you already have ISO 27001 or GDPR policies — we don't throw them out, just check what still needs to be added. Result: a concrete list of gaps with priorities and estimated costs.

2. Self-identification

We check whether your company qualifies as an essential or important entity — by sector, size, and revenue. We help prepare the application for the S46 register. The deadline is 6 months from when you meet the criteria — it's not enough that the company has 50 people; the sector and service type matter.

3. Risk analysis

NIS2 doesn't mandate specific tools — it requires risk analysis. We do it together with you: identifying critical assets, threat scenarios, likelihood, and impact. Without this, further decisions are blind — both about what's worth investing in and what can be avoided.

4. ISMS and documentation

The Information Security Management System (ISMS) is the heart of compliance. Policies, procedures, roles, and responsibilities. We create documentation compliant with UKSC and readable for your team — not photocopied templates, but living documents. We build on ISO 27001 if you already have it, or build from scratch.

5. Technical controls implementation

Only those that follow from the risk analysis. MFA, EDR/XDR, SIEM, network segmentation, MDM for phones, backup with restore testing, vulnerability management. We use what you already have in your infrastructure — we only buy and deploy missing elements. We start with the highest risks.

6. Incident procedures and continuity

NIS2 requires reporting of major incidents in 24h (initial) and 72h (detailed). We prepare an incident response procedure, the path to CSIRT, report templates, business continuity plan (BCP), and disaster recovery plan (DRP) — with testing. Without this, reporting during a real incident is improvisation.

Does NIS2 apply to me?

Check self-identification — it's your obligation

UKSC doesn't designate companies through administrative decision — you have the obligation to verify yourself whether you're subject to the regulations. Lack of self-identification doesn't protect against penalties. The most common criteria: sector + company size.

Free tools

Start with a quick self-assessment

Before you order an audit — check yourself where you are. We have 2 free tools: NIS2 applicability calculator and a full IT security self-assessment.

NIS2 calculator →
Cyber Risk Assessment →

Essential entities

Mostly large companies (250+ employees or EUR 50M+ revenue) from sectors: energy, transport, banking, financial market infrastructure, healthcare, drinking water and wastewater, digital infrastructure, ICT service management, public administration, space. Penalties up to EUR 10M or 2% of turnover.

Important entities

Medium-sized companies (50+ employees or EUR 10M+ revenue) from sectors: postal and courier services, waste management, chemical production, food production and distribution, manufacturing (various categories), digital service providers, scientific research. Penalties up to EUR 7M or 1.4% of turnover.

Indirectly — supply chain

Even if you're not formally subject to NIS2, you can be covered by requirements through contracts. Large essential entities must verify supplier security — which translates into contractual clauses, security questionnaires, audits at your premises. It's often easier to meet the requirements than lose the client.

Personal liability of management

This is the biggest mental shift compared to the previous law. The head of the entity (board, director) bears personal liability for negligence — administrative penalty up to 600% of remuneration. The board must also undergo mandatory cybersecurity training. This is no longer an "IT department" matter.

The hardest part isn't technology, it's the approach

NIS2 is not a magical requirement. It's discipline.

Most companies that come to us for help today already have 60-70% of requirements met — they just don't know it or haven't documented it. MFA on the admin account? You have it. Backup with tests? Usually works. Password policies? Set in AD. Our role isn't to build something new — just to look at what you have from the NIS2 perspective and show what specifically is missing. Without burying your head in the sand, but also without panic.

Order compliance audit →

FAQ

NIS2 and UKSC questions

The law came into force on April 3, 2026. Key deadlines: by October 3, 2026 — self-identification and S46 register application. By April 3, 2027 — ISMS implementation, risk and incident management procedures. By April 3, 2028 — first mandatory audit for essential entities. Administrative penalties may be imposed starting April 2028 (2-year moratorium). But the moratorium doesn't exempt you from the obligations — inspections can happen earlier, with enforcement after 2 years.

It's a great foundation, but not full coverage. ISO 27001 and NIS2 have significant overlap (about 70-80%) — risk analysis, policies, access control, and business continuity are common to both. But NIS2 adds specific items: the obligation to report incidents to CSIRT within specific deadlines, S46 self-identification, mandatory management training, supply chain protection per Polish requirements, S46 integration. If you have ISO 27001 — we'll leverage it fully and add only what's missing. That's the cheapest scenario.

There's no list of mandatory tools. NIS2 requires "appropriate technical and organizational measures proportional to the risk". This means: if risk analysis shows you're particularly exposed to endpoint ransomware attacks — EDR is practically unavoidable. If you have a large fleet of mobile devices with access to company data — MDM. If you manage critical infrastructure with dozens of systems — SIEM. But for a smaller important entity, a sensible set is often MFA + EDR + backup + external monitoring in the MSP model. Every implementation starts with risk analysis.

Yes — it's one of the most common cooperation models. Often clients want us to do the audit + risk analysis + ISMS documentation (because that requires UKSC experience), while the technical implementation is done by their IT team with our consulting support. Or the other way round: they write the documentation themselves, and we help with tool implementation. Or the whole project is in-house, and we only do the final compliance audit as an independent verifier. Each of these scenarios makes sense. We start with a conversation about what you can already do and where you need support.

A compliance audit (gap analysis) is a verification of the actual state against UKSC requirements. We check: documentation (policies, procedures, regulations), organizational processes (risk, incident, supplier management), technical controls (access control, monitoring, backups, network segmentation, endpoint protection). Format: interviews with administrators and management, documentation review, verification of selected system configurations. Time: for SMEs usually 2-4 weeks. The result is a report with a prioritized list of gaps, estimated remediation cost, and a proposed schedule — ready material for board decisions.

Administrative penalties for an essential entity — up to EUR 10M or 2% of annual global turnover (whichever is higher). For an important entity — up to EUR 7M or 1.4% of turnover. Minimum penalty: PLN 20,000 (essential), PLN 15,000 (important). Daily penalty for delay in executing an authority's order: PLN 500-100,000. Personal liability of the head of the entity: up to 600% of remuneration. But the administrative penalty isn't everything — in case of an incident, there's downtime cost, data loss, contractor claims, and customer loss (especially with the NIS2 supply chain — large companies don't want to risk working with non-compliant suppliers). The real cost is often higher than the penalty.