Analysis of the directive and the draft law
The NIS2 Directive introduces a fundamental shift in the approach to cybersecurity in the European Union. For the first time, it explicitly assigns personal responsibility for cybersecurity to members of management bodies, including company boards. This means that cybersecurity is no longer the exclusive domain of IT or compliance departments, but rather an area of direct management oversight.
In this article we explain:
- what the NIS2 Directive is,
- who is covered by the new regulations,
- what obligations and sanctions apply to members of management bodies,
- how to prepare for the new regulations, based on the state of legislative work as of January 2026.
What is the NIS2 Directive and why does it matter to boards?
The NIS2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022) concerns measures to ensure a high common level of cybersecurity in the EU. It replaces the previous NIS1 Directive and significantly expands both the scope and the list of obligations.
The directive is not directly applicable – it requires implementation into national law.
Member States had until 17 October 2024 to transpose it.
In Poland, implementation takes place through an amendment to:
- the Act on the National Cybersecurity System,
- certain other acts (draft – parliamentary paper no. 1955, currently at the stage of parliamentary proceedings).
Who is affected by NIS2?
The NIS2 directive covers:
- key entities,
- important entities.
Their definitions are set out in Article 3 of the Directive. The final lists are to be determined by the Member States.
At this stage, entrepreneurs can conduct a preliminary self-assessment by analysing, among other things:
- whether they meet the criterion of at least a medium-sized enterprise,
- whether they operate in sectors covered by NIS2 (e.g. energy, transport, health, digital services, critical infrastructure, trust services),
- whether they have previously had the status of an operator of essential services or an important entity.
How does NIS2 change the responsibility of members of governing bodies?
The most significant change in NIS2 is the direct assignment of responsibility to management bodies. Pursuant to Article 20(1) of the Directive, management bodies:
- approve cybersecurity risk management measures,
- supervise their implementation,
- may be liable for violations.
These obligations are personal in nature and cannot be effectively transferred solely to IT departments, external suppliers or proxies.
What cybersecurity measures must boards oversee?
Entities covered by NIS2 must implement risk management measures, the minimum set of which is set out in Article 21(2) of the Directive. These include, among others:
- risk analysis and security policies for IT systems,
- incident handling procedures,
- business continuity mechanisms (backups, data recovery),
- crisis management,
- supply chain security.
These measures must be adequate, proportionate and constantly updated, and their oversight rests with the management bodies.
Obligation to report incidents – the role of the management board
The NIS2 Directive introduces detailed rules for reporting serious cybersecurity incidents (Article 23).
Although the entity formally submits the notification, the management board members are responsible for:
- establishing procedures for detecting and assessing incidents,
- correctly classifying events,
- the timeliness and completeness of notifications.
Lack of procedures or incorrect assessment of an incident may be considered a breach of supervisory duties.
Do board members need to have cybersecurity knowledge?
NIS2 does not explicitly impose certification or specific education requirements, but in practice it requires that members of governing bodies:
- understand cyber risks,
- are able to assess the consequences of incidents (legal, financial, operational),
- make informed supervisory decisions.
In practice, this means a need for:
- management training,
- ongoing advisory support,
- regular cybersecurity reports.
Supply chain security is a management responsibility
The NIS2 Directive places particular emphasis on supply chain security. Governing bodies must oversee, among other things:
- vulnerability assessment of key IT suppliers,
- risks arising from dependence on third parties,
- adequacy of contractual provisions regarding cybersecurity.
A cyberattack on a supplier may result in liability on the part of the entity covered by NIS2.
What are the sanctions for violating NIS2 obligations?
The NIS2 Directive provides for both sanctions against entities and personal sanctions against persons exercising management functions.
Possible sanctions include:
- a temporary ban on performing management functions,
- administrative fines:
  - up to EUR 10 million or 2% of global annual turnover – key entities,
  - up to EUR 7 million or 1.4% of global annual turnover – important entities.
The draft Polish act additionally provides for the possibility of fines against managers of entities within the meaning of the Accounting Act and the Public Finance Act.
How does Graś i Wspólnicy Law Firm help in preparing for NIS2?
Graś i Wspólnicy Law Firm supports management boards and management staff in preparing their organizations for the requirements of the NIS2 Directive, in particular by:
- NIS2 and national cybersecurity system compliance audits,
- advice for management board members on personal liability,
- support in implementing risk and incident management procedures,
- analysis of supply chain security and contractual provisions,
- management training in cybersecurity and legal liability.
The goal is not only to meet formal requirements, but also to actually reduce legal and operational risks.
Summary
The NIS2 Directive fundamentally changes the cybersecurity accountability model, shifting the burden of oversight directly to management bodies. Board members must also consider their personal liability, including financial and organizational responsibility.
Already at the stage of legislative work, it is advisable to:
- conduct a compliance audit,
- review decision-making structures,
- prepare management boards for their new supervisory responsibilities.
FAQ – NIS2 and management responsibility
Does NIS2 apply to all companies?
No. The directive covers key and important entities operating in specific sectors.
Can responsibility be transferred to the IT department?
No. Management bodies have personal supervisory responsibility.
Is there a risk of being banned from serving on the management board?
Yes – the directive provides for such sanctions in extreme cases.
Is it worth preparing before the law comes into force?
Yes. Early action reduces the risk of sanctions and personal liability.
This article is for informational purposes only and does not constitute legal advice.
Legal status as of January 20, 2026.
Author:
Series editor:
