NIS2 in Poland — what to do before the law is in force

The Polish transposition of NIS2 is still ongoing, but essential and important entities should already be acting. The regulator will not accept “we were waiting for the law”.

5 things to do in the next 30 days

1. Confirm scope. Are you essential or important? Which group entities are in scope?
2. Run a gap analysis against Art. 21. 10 risk-management measures — each mapped to your current controls.
3. Build a 24-hour reporting playbook. NIS2 requires an early CSIRT warning within 24 hours.
4. Map your ICT supply chain. Art. 21(2)(d) requires assessment of critical suppliers.
5. Brief the board. Personal board liability is new in NIS2 — the board must approve the measures.

Why start now

Full NIS2 alignment takes 3–9 months. If you start when the law comes into force, you will be late.