Trustlinks free webinar: Turning regulation into resilience – Register now
This article was written by Mariusz Bonisławski, Solicitor, and Mateusz Grosicki, Advocate and Partner, at Kancelaria Graś i Wspólnicy – a leading Polish law firm specialising in cybersecurity law, compliance, and corporate liability.
The NIS2 Directive introduces a fundamental shift in the approach to cybersecurity across the European Union. For the first time, it explicitly assigns personal responsibility for cybersecurity to members of governing bodies, including company board members. This means that cybersecurity is no longer exclusively the domain of IT or compliance departments – it becomes an area of direct oversight for senior management.
In this article we explain:
The NIS2 Directive (Directive of the European Parliament and of the Council (EU) 2022/2555 of 14 December 2022) concerns measures for a high common level of cybersecurity across the EU. It replaces the earlier NIS1 Directive and significantly expands both the scope of entities covered and the range of obligations imposed.
The Directive does not apply directly, it requires transposition into national law. Member States had until 17 October 2024 to complete this process.
In Poland, implementation is being carried out through amendments to:
The NIS2 Directive covers essential entities and important entities, whose definitions are set out in Article 3 of the Directive. Final lists are to be determined by individual Member States.
At this stage, businesses can conduct a preliminary self-assessment by analysing, among other things:
The most significant change introduced by NIS2 is the direct assignment of responsibility to governing bodies. Under Article 20(1) of the Directive, governing bodies are required to:
These obligations are personal in nature and cannot be effectively delegated solely to IT departments, external providers, or appointed representatives.
Entities covered by NIS2 must implement risk management measures, the minimum scope of which is defined in Article 21(2) of the Directive. These include:
These measures must be appropriate, proportionate and continuously updated, with oversight resting with the governing bodies.
The NIS2 Directive introduces detailed rules for reporting significant cybersecurity incidents (Article 23). While reports are formally submitted by the entity itself, board members are responsible for:
A failure to establish procedures or an incorrect assessment of an event may be considered a breach of supervisory duties.
NIS2 does not explicitly require certification or a specific educational background, but in practice it requires members of governing bodies to:
In practice, this means there is a need for:
The NIS2 Directive places particular emphasis on supply chain security. Governing bodies must oversee:
A cyberattack affecting a supplier may result in liability on the part of the entity covered by NIS2.
The NIS2 Directive provides for sanctions against both entities and personal sanctions against individuals performing management functions. Possible sanctions include:
The draft Polish legislation additionally provides for the possibility of financial penalties against managers within the meaning of the Accounting Act and the Public Finance Act.
The NIS2 Directive fundamentally changes the model of accountability for cybersecurity, shifting the burden of oversight directly onto governing bodies. Board members must be prepared for personal liability — including financial and organisational consequences.
Even at this stage of the legislative process, it is advisable to:
Q: Does NIS2 apply to all companies?
A: No. The Directive covers essential and important entities operating in specific sectors.
Q: Can liability be transferred to the IT department?
A: No. Governing bodies bear personal supervisory responsibility.
Q: Is a ban on holding board positions possible?
A: Yes — in extreme cases the Directive provides for such sanctions.
Q: Is it worth preparing before the legislation comes into force?
A: Yes. Early action reduces the risk of sanctions and personal liability.

Kancelaria Graś i Wspólnicy is a Polish law firm with extensive experience in cybersecurity law, corporate compliance, and regulatory matters. As a partner of Whistleblowing Solutions AB, provider of Whistlelink and Trustlinks, the firm works closely with organisations across Poland to help them understand and meet their obligations under the NIS2 Directive and other EU regulations as transposed into Polish law.
For more information about their services, please visit kglegal.pl.
Trustlinks values your privacy. We will only contact you about our solutions.
Have questions about pricing, frameworks, or how Trustlinks fits your organisation? Our team is here to help you find the right approach.
→ Or explore our Frequently Asked Questions
Need help using the platform or experiencing an issue? Our support team is ready to assist you.