Synthetic Law

Cybersecurity & NIS2/KSC Compliance

The EU cybersecurity regulatory landscape has fundamentally changed. The NIS2 Directive and its Polish implementation — the amended Act on the National Cybersecurity System (KSC) — extend mandatory security obligations to over 42,000 entities across 18 sectors, from energy and transport to digital infrastructure and manufacturing.


We help organisations determine whether they fall within scope, understand what is required, and build a practical compliance roadmap — working jointly with our cybersecurity technology partner to deliver both the legal and technical dimensions of NIS2/KSC compliance.


Our cybersecurity practice covers:

  • Scoping and classification: determining whether your organisation qualifies as a key or important entity under the new framework
  • Registration in the national registry of key and important entities (deadline: September 2026)
  • Risk management measures: designing governance frameworks, security policies, and incident response procedures that satisfy the statutory requirements
  • Supply chain security: reviewing vendor contracts, assessing third-party dependencies, and implementing SBOM-based transparency obligations
  • Incident reporting: establishing notification workflows aligned with the mandatory 24-hour early warning and 72-hour full notification timelines
  • Board-level accountability: advising management on personal liability exposure and compliance oversight duties
  • NIS2 mapping for defence suppliers: tailored compliance programmes for companies operating in or supplying to the defence sector

We combine deep regulatory expertise with hands-on technology delivery through our partnership with a specialist cybersecurity firm, providing a single point of contact for end-to-end KSC/NIS2 compliance — legal framework, technical implementation, and audit readiness.
