NIS2 implementation

We will comprehensively prepare your organisation for compliance with the NIS2 directive. This includes determining whether you fall within its scope, conducting an audit and identifying gaps, developing an action plan, and implementing the necessary processes and security measures. Risk management and audit readiness will be ensured throughout, so your organisation can operate with confidence and peace of mind.

M €

fine for non-compliance with NIS2

4.88

M €

average global cost of a data breach

of companies report downtime costs of over $100,000 per hour

Fundamentals

Information

Benefits

FAQ

Recommendations

Contact

Where to start with NIS2 implementation

NIS2 Directive: key requirements at a glance

Risk management, business continuity, incident reporting, suppliers, training, and management responsibility.

NIS2 calls for a genuine security system, not just paperwork. Here are the key areas that need to be addressed:

Risk management: threat identification, risk owners, reduction plan.
Business continuity: backups, recovery tests, established recovery times.
Incidents: detection and response procedures, deadlines for reporting to appropriate teams.
Suppliers: security requirements in contracts, periodic assessments.
Access: principle of least privilege, multi-factor authentication, permission reviews.
Updates and vulnerabilities: patching process, scanning, and rapid remediation of critical gaps.
Monitoring and logging: event logging and post-incident analysis.
Training and awareness: regular training for employees and management.
Role of the board: formal oversight, policy approval, and accountability for decisions.

NIS2 Directive: who does it apply to?

Qualification criteria (essential vs. important entities), sectors covered, and the impact on companies within the supply chain.

NIS2 applies to organizations that are critical for the continuity of services in the economy, as well as to their key suppliers. In practice, this applies to companies in critical sectors as well as digital entities and IT infrastructure managers.

Categories: essential entities (e.g. energy, healthcare, banking, digital infrastructure) and important entities (e.g. postal/courier services, selected manufacturing industries, administration).
Size threshold (as a general rule): ≥50 employees and ≥€10 million turnover/balance sheet total; possible exceptions for services of critical importance.
Supply chain: security requirements for suppliers and subcontractors (contractual provisions, assessments, audits).
Typical in digital business: IT maintenance/management providers (private hosting/cloud), online platforms and services, and logistics operators serving companies subject to NIS2.

NIS2 in Poland

How EU regulations have been implemented in Poland, what is changing for businesses, and what the obligations are

Poland is implementing NIS2 through an amendment to the Act on the National Cybersecurity System (Krajowy System Cyberbezpieczeństwa, KSC). The EU deadline passed on 17 October 2024, and the European Commission took action against Poland for missing the deadline; the government is working on the bill and has announced its adoption, which will set national deadlines for registration and compliance once the act enters into force. On 7 May 2025, the Commission issued a reasoned opinion against Poland for failing to notify the full transposition of the directive.

What this means for businesses:

Status identification: classification as an essential or important entity according to the NIS2 criteria carried over into the KSC. (the proposed regulations extend the scope of industries and the supply chain).
Organisational and technical obligations: a risk management system, business continuity planning, supplier oversight, staff training, and a readiness to report incidents within the deadlines set by national legislation.
National procedure: once the act is passed, registration windows and compliance deadlines will be established (details to follow upon adoption).

Businesses will need to formally assign accountability, put processes in place, and document their security practices in line with Poland’s NIS2 implementation.

NIS2 implementation: what does it look like in practice?

From rapid qualification to audit readiness: four steps, no unnecessary theory.

Qualification and scope: we establish whether NIS2 applies to you, under which category (essential or important), and which systems, processes, and suppliers fall within scope.
Audit and gap map: we compare the current state against NIS2 requirements, producing a prioritised gap list with assigned responsibilities.
Roadmap and quick wins: we set out a timeline and tackle high-impact, low-effort improvements first (e.g. access controls, backups, core procedures) while building out the documentation in parallel.
Implementation and final review: processes launched (risk, incidents, continuity), security controls configured, staff trained; we close out with an incident reporting drill and evidence review.

They recommend us

Check out what our partners are saying about us!

Trust and partnership approach to projects

Our long-standing cooperation with Centuria is based on high trust and partnership approach to projects, but also on the camaraderie within the project teams. Flexibility, good communication and our sense of security resulting from the support of a team of experts very familiar with Magento make us ready to recommend Centuria to others. We feel that we can always rely on them.

Borys Skraba - CEO

Strix

Proactive business partner

Centuria is a proactive business partner that doesn't wait for us to make a move, but independently looks for needed solutions or improvements that we can implement together. Together we have been working for years for the success of one of the largest Magento instances in Poland. Sincerity in cooperation and professional advice, which we are happy to use for years, are invaluable to us. With a clear conscience, we can recommend Centuria as an infrastructure expert.

Kuba Zwoliński

Snowdog

Partnership based on trust

We want to deliver high value to our customers. The key to ensuring the secure and smooth operation of Magento stores is the right server solutions. We needed a proactive partner in this area, one that looks for the best possible solutions itself and is very proactive. Centuria, with whom we have been working for about 2 years now, is such a partner for us. We really like how they streamline and organize every project they start working on. Centuria is a partner we trust and can recommend as an expert in server solutions for Magento.

Mateusz Ogonowski - Co-founder

Growcode sp. z o.o.

Recommended company

We have been working with Centuria for many years, valuing the team's extensive knowledge, experience and flexibility. The company stands out for its extremely professional approach to support and high responsiveness to the tickets we throw in. It is a great advisor on IT infrastructure management. A reliable business partner for the implementation of large e-commerce projects on Magento - definitely worth recommending.

Rafał Gadomski - CEO

Advox Studio

A reliable and competent partner!

We highly value cooperation with Centuria for their proactive approach, expertise and commitment at every stage of the project. Centuria's team has helped us more than once in selecting server solutions for our clients, and thanks to their experience and professional support, we have received solutions tailored to specific business needs. We recommend Centuria to anyone who needs a reliable and competent partner in the area of IT infrastructure.

Cezary Kożon - CEO

Spyrosoft Ecommerce S.A.

Acting in the customer's interest

In our opinion, Centuria is distinguished above all by acting in the interests of the client's company. Working with them, you can count on a personalized and individual approach to even the most difficult cases. We feel that the proposed solutions are "tailor-made" to our needs, by involving our agency in the process of their creation, based on joint discussions of possible solutions.

Paweł Biliński - CTO & co-founder

Lizard Media

Professionalism and expertise

I value the cooperation with Centuria above all for its professionalism and expertise related to Magento. This is an invaluable asset in critical situations. The 24/7 support gives great peace of mind to both us and our clients. I strongly recommend Centuria to anyone who takes business seriously and counts on a professional, stable partner for the development of their business.

Szymon Niedziela - CEO

Panda Group

Professionalism and high commitment

Together with Centuria, we are developing one of the largest e-commerce sales platforms based on Magento in Poland. Professionalism and high commitment directly translates into results. Centuria are specialists in administration and management of infrastructure with a very complex structure and a multitude of links between systems. The continuity and availability of the aforementioned system since the beginning of our cooperation is maintained in a way that meets our requirements, and orders are carried out with the utmost care.

Tomasz Stefanowski - Web Development Manager

Castorama Poland

Centuria proved a reliable and responsive partner for many years.

The team never left us wondering if things were getting done. We instead had full confidence that this knowledgable team knew what to do and that they'd get it done. I write this review because changes within our organization moved us in a different direction and we now no longer work with Centuria. To show my appreciation for their attentiveness and effectiveness

Charles Nicoletti

mTab

A reliable and experienced partner

Due to the specific nature of our e-commerce project gear.cdprojektred.com, we needed a reliable partner well-versed in modern technologies to quickly and efficiently implement the infrastructure for our application. Centuria handled the task in an exemplary manner and additionally ensured the stability of sales during the large promotional campaigns we were conducting.

Aleksandra Jarośkiewicz - Board Member

CD PROJEKT RED STORE

FAQ

NIS2: what does it mean in practice for management and business teams?

In short: NIS2 is an obligation to take cybersecurity management seriously, with clearly assigned board-level responsibility, regular risk assessments, and tangible evidence that the organisation can detect an incident, respond to it, and maintain business continuity.

For management: formal risk oversight (approved policy, objectives, and budget), defined roles and metrics (e.g. recovery time, patching timeliness, training completion rates), regular status reviews, and readiness to meet statutory incident reporting obligations (including early notifications and final reports).

For business and operations: consistent processes (access, updates, backups and recovery tests), security requirements embedded in supplier contracts, regular staff training, vulnerability scanning and patching, event monitoring, and complete documentation and registers; so that in the event of an audit, you can demonstrate not just that procedures exist, but that they are actually followed.

What is the size threshold and what are the exceptions (small businesses in a critical role)?

Size threshold (general rule): if you operate in sectors covered by NIS2 and are at least a medium-sized company (≥50 employees and ≥€10M in turnover or balance sheet total), you fall within the scope of the directive.

Automatic exceptions (regardless of size): certain types of entities are always in scope, including providers of cloud services and data centres, managed IT services (MSP/MSSP), public networks and electronic communications, DNS/TLD services, trust services, and certain digital platforms and services.

Small companies in a critical role: even below the threshold, you may be brought into scope if you play a key role in service continuity, such as the sole significant supplier in a region or supply chain, or due to a high risk profile.

What are the penalties and sanctions for non-compliance with NIS2?

Financial (administrative) penalties:

Essential entities: up to €10M or 2% of global annual turnover, whichever is higher.
Important entities: up to €7M or 1.4% of global annual turnover, whichever is higher.

Additional sanctions and supervisory measures:

binding orders to remediate violations with set deadlines,
audit/inspection and obligation to provide evidence of compliance,
public disclosure of the violation (including the entity’s name),
possible temporary removal of management personnel from security-related responsibilities.

What does NIS2 implementation look like step by step and how long does it take?

Step by step:

Scoping and qualification (1–2 weeks): confirmation of whether you are subject to NIS2, under which category (essential/important), and which systems/processes/suppliers are in scope.
Audit and gap mapping (2–4 weeks): assessment of the current state against NIS2 requirements; prioritised gap list with assigned responsibilities and risks.
Roadmap and quick wins (2–4 weeks): action plan, implementation of quick wins (access controls, backups, core procedures), beginning of documentation process.
Implementation and audit readiness (4–12+ weeks): processes (risk, incidents, continuity), technical measures, training; evidence pack prepared and incident reporting drill completed.

How long does it take?
For a typical medium-sized organisation, core implementation usually takes 8–16 weeks; full process maturity and cyclical review takes 3–6 months. The duration depends primarily on the complexity of the environment, number of suppliers, availability of data and evidence, and the organisation’s readiness for change.

Does compliance with ISO 27001, PCI DSS, or GDPR mean a company is already compliant with NIS2?

In short: No. Being ISO 27001, PCI DSS or GDPR compliant is very helpful, but does not guarantee compliance with NIS2. A gap analysis is needed, along with addressing requirements specific to NIS2.

Why is it not enough?

Scope:
- ISO 27001: information security management system (ISMS), but without some of the NIS2 supervisory obligations.
- PCI DSS: narrow scope (card data).
- GDPR: personal data protection, not comprehensive service resilience.
Specific to NIS2: management responsibility, categories of entities (key/important), supply chain requirements, incident reporting deadlines (initial notification within 24h, update within 72h, final report), possible supervisory measures and penalties.

What usually needs to be added despite ISO/PCI/GDPR?

formal NIS2 qualification and registration under national law,
incident reporting policies and procedures, including dry run,
security requirements for suppliers and evidence of verification,
metrics and reporting to management confirming oversight,
a coherent set of compliance evidence aligned with NIS2 implementation in Poland.

Conclusion: existing certifications shorten the path, but a gap map against NIS2 and closing the missing elements is necessary.

Which is the competent authority/CSIRTs in Poland and how does communication work?

Competent authorities and CSIRTs in Poland:

Supervision is sector-based. Competent authorities are typically the relevant ministries (e.g., Digital Affairs for digital infrastructure, respective ministries for infrastructure/energy/health etc.). The contact list is published by, among others, the EC.
Three national-level CSIRTs: CSIRT NASK (CERT Polska), CSIRT GOV (ABW) and CSIRT MON(MON) cooperating and coordinating incident handling within the KSC framework.

NIS2: when will it apply in Poland and what are the transitional timelines

Current status: the EU deadline for transposing NIS2 into national law passed on 17 October 2024. For countries that missed the deadline (including Poland), the European Commission initiated infringement procedures and issued reasoned opinions in May 2025.

What happens next in Poland: On 22 October 2025, the Council of Ministers adopted a draft amendmentto the KSC Act implementing NIS2 (currently going through the legislative process). The proposal sets out avacatio legis period: 1 month, followed by 6 months for adjustment for essential and important entities. The final deadlines and procedures will be confirmed once the law is formally adopted.

Practical takeaway: if you potentially fall within the NIS2 scope, preparations (qualification, gap map, action plan) are worth starting before the final legislation is enacted, as the real window for full adoption will be short.