Training: How to Implement KSC / NIS2 in Practice
Is your organisation prepared for the NIS2 requirements? The NIS2 Directive has been implemented into Polish law through the Act on the national cybersecurity system (KSC or the KSC Act). The new regulations are not only a set of obligations — they are also an opportunity to raise the level of IT security and increase business resilience. Our training will show you step by step how to implement the NIS2 requirements effectively.
Certificate and substantive support
after the training
8 key KSC / NIS2 competencies
KSC / NIS2 documentation templates
Training: How to Implement KSC / NIS2 in Practice
Our training is a practical guide for managers and IT departments who want to go through this process efficiently. You'll learn what specific actions should be taken to meet the requirements of the KSC Act, while also boosting your organisation's resilience to cyber threats. During the training, our experts will not only share their knowledge but also present tried-and-tested practical solutions that will genuinely facilitate the implementation of the KSC Act.
Participants will have the opportunity to share experiences and discuss specific challenges from their organisations. You will return to your company with a clear plan of action and ready-made solutions that will enable you to adapt effectively to new requirements. The programme includes key information about the NIS2 requirements, which every member of the management and IT department responsible for the organisation's cybersecurity and compliance with the new regulations should know.
What's the detailed schedule for the workshops?
How to Implement KSC / NIS2 in Practice
Knowledge in practice
Acquire eight new key skills
- 1.Understanding the new responsibilities arising from NIS2 and their impact on organisations.
- 2.Establish and implement cybersecurity policies tailored to the requirements of the NIS2 and the specificities of the organisation.
- 3.Identify key assets and manage the risks associated with cyber threats.
- 4.Assessment and implementation of effective security measures to minimise the risk of incidents.
- 5.Preparation of organisations for audits and controls, including documentation of compliance with NIS2 requirements.
- 6.Cybersecurity incident management procedures, reporting of incidents and responding to breaches.
- 7.Cooperation with CSIRT and supervisory authorities to effectively implement reporting and information exchange obligations.
- 8.Engage management and key departments in building cybersecurity awareness and responsibility for implementing NIS2.
Guides
Training team

„We train in the way we wish to be trained. We discuss real-world problems and point out tools to help solve them.”
Tomasz Ochocki
Data Protection Officer (DPO) for the ODI content team
Materials to download
Opinion of the participants
Tomasz G.
2 years ago
I wanted to thank you for the wonderful training I've had at your company, the materials were very well prepared, and the instructor has shown tremendous knowledge and experience.
Aleksandra P.
2 years ago
Training at a very high level, I highly recommend!!! Training materials very useful in everyday work.
Sławomir M.
2 years ago
Mrs. Mecenas, it was an honor to be able to take part in this training, and thank you very much for your professional approach and valuable practical guidance.
Wacław T.
3 years ago
The IOD course organized by ODO24 has met all my expectations, a very practical approach, concrete examples and professional support.
Maria K.
1 year ago
The training was conducted in a way that was understandable even to those without previous experience in this field.
Piotr N.
10 months ago
Very good training, a lot of practical examples, a little bit too little time to ask questions, but overall I'm satisfied.
Anna W.
8 months ago
A professional approach, a great atmosphere during the training, the instructor answered all the questions thoroughly, and I highly recommend ODO24!
Jan K.
1 year ago
It's the best personal data protection training I've ever had, specific examples from real life, not just a dry theory, I recommend it to anyone who works with GDPR.
Katarzyna J.
6 months ago
The training meets my expectations. A lot of practical knowledge, good materials. The only drawback is too much group, so less time for individual consultations.
Michał L.
4 months ago
Excellent training! A very competent conductor with vast experience. Everything explained in a clear and understandable way. The training materials are very useful.
Joanna D.
3 months ago
I recommend ODO24 training to anyone seeking a sound knowledge of the field of ODO: professional service, excellent organisation and excellent teaching facilities.
Andrzej S.
2 months ago
Sometimes the pace was a little too fast, but the conductor was happy to return to the topics discussed earlier at the request of the participants.
Our greatest value is the trust of our customers.
Each person who makes payment for the training at least 14 days before the date will receive a PLN 100 discount.
How to implement KSC / NIS2 in practice - questions and answers
The NIS2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022) is an EU legal act intended to ensure a high, common level of cybersecurity across the European Union. It replaces the earlier NIS Directive of 2016, significantly expanding the range of sectors covered by the rules and introducing more stringent requirements on risk management and incident reporting. The new rules cover a broader catalogue of essential entities and important entities, strengthen supervisory obligations and place greater responsibility on organisational management. In Poland, NIS2 was implemented in 2026, through an amendment to the Act on the national cybersecurity system (KSC or the KSC Act).
The NIS2 requirements apply to medium and large enterprises operating in certain sectors considered essential or important for the functioning of EU society and the economy. Criteria include, among others, the number of employees (over 50) and annual turnover (above EUR 10 million). Some small enterprises may also fall within the scope if they provide services of significant importance to society or the economy.
The NIS2 requirements expand the range of sectors covered compared with the previously applicable NIS. They include, among others:
- •Energy
- •Transport
- •Banking and financial market infrastructure
- •Healthcare
- •Drinking water supply and wastewater management
- •Digital infrastructure
- •Public administration
- •Manufacture and distribution of chemicals
- •Food production
- •Postal and courier services
- •Waste management
- •Digital service providers
To assess whether your company is subject to the KSC Act, you should:
- •Determine the company’s sector of activity and check whether it is listed in the Directive as essential or important. The decisive factor is the actual carrying out of activities in the sectors listed in the annexes to the Directive.
- •Check whether the company meets the size criteria (number of employees and annual turnover).
- •Consider the importance of the services provided for society and the economy. Online tools, such as questionnaires, are also available to help make a preliminary assessment of whether the company is subject to the Directive.
The NIS2 Directive entered into force on 16 January 2023. Member States of the European Union were required to implement its provisions into their national legal frameworks by 17 October 2024. In Poland, NIS2 was implemented in 2026, through an amendment to the Act of 5 July 2018 on the national cybersecurity system (consolidated text: Journal of Laws of 2026, item 20, as amended).
In the event of a cybersecurity incident, an organisation should activate pre-prepared incident response procedures, which are a key element of an information security management system.
First, the incident should be identified without delay, its scale and potential impact on business continuity, system integrity and data protection should be assessed. This process should include an initial technical analysis and classification of the incident according to the adopted criteria. At the same time, measures should be taken to mitigate the effects of the event – for example, isolating the infected system, restoring basic operational functions or activating contingency plans.
In accordance with the NIS2 Directive, an organisation has the obligation to notify serious security incidents to the appropriate national authority (e.g. CSIRT or another supervisory authority) within specified timeframes – usually an initial notification within 24 hours, supplemented by a report within 72 hours and a final report after the effects have been remedied. Notification of service recipients is also required if the incident may have affected the provision of essential or important services.
After the situation has been contained, the organisation should conduct an in-depth root cause analysis to identify the gaps that allowed the incident to occur. On this basis, appropriate corrective and preventive measures should be implemented, which may include updating security policies, system configurations, access management procedures or additional training for employees.
A key aspect is documenting all stages of incident response and verifying the effectiveness of the measures taken. This not only enables compliance with legal obligations to be demonstrated, but also supports the continuous improvement of the information security management system.
Obliged entities should implement appropriate technical and organisational measures to effectively manage cybersecurity risk. This includes, among other things, carrying out risk assessments, developing and applying security policies, effective incident management, organising training for personnel and securing the supply chain. An important obligation is also the reporting of serious security incidents to the relevant national authorities. Regular risk assessments and security audits should be conducted to ensure the measures in place remain up to date and effective. Cooperation with national authorities and other entities in exchanging information about threats is also of key importance.
The Act on the national cybersecurity system provides for severe penalties for non-compliance with its provisions:
- •For essential entities: up to EUR 10 million or 2% of annual turnover.
- •For important entities: up to EUR 7 million or 1.4% of annual turnover.
Additionally, persons responsible for management may be held liable for breaches of the obligations arising under the Directive.
In principle the NIS2 requirements apply to medium and large enterprises. However, some small and micro-enterprises may be covered if they provide services of significant importance to society or the economy, such as DNS service providers, domain registrars or qualified trust service providers.
The differences between the NIS Directive and the NIS2 Directive are significant and reflect the growing need for a more effective approach to cybersecurity at Union level. The NIS2 Directive introduces a number of important changes compared with its predecessor.
First, the scope of entities has been expanded – the new rules cover many more sectors, including, among others, postal services, waste management, the manufacture of selected products (e.g. pharmaceuticals or electronics), and public administration. More precise criteria for classifying entities as "essential" or "important" have also been introduced, which affects the scope of obligations and supervision.
Second, NIS2 provides for more stringent requirements on risk management and incident reporting. Obligations in this area have been clarified and harmonised across the EU, and entities must implement specific remedial measures and report serious incidents within defined timeframes.
Third, the responsibility of senior management has been increased. Under NIS2, they are not only responsible for the implementation of technical and organisational measures, but must also demonstrate engagement in oversight of cybersecurity, including participation in training.
Moreover, the new rules provide for harsher sanctions for non-compliance, including administrative fines that can be significant – both for organisations and for their management.
A final key change is the strengthening of cooperation and information sharing between Member States, including through the establishment of the European cooperation network (EU-CyCLONe) and improved communication between CSIRTs and the relevant national authorities.
Preparing a company for implementation of the NIS2 requirements requires a comprehensive approach to cybersecurity management. The first step should be a detailed risk assessment that will identify potential threats to operational continuity and the security of information systems. On this basis, appropriate technical and organisational measures should be implemented to enable effective management of the identified risks.
Another important element is the development and implementation of procedures for reporting security incidents in line with the requirements of the KSC Act – including defining how incidents are classified and the deadlines and procedures for reporting them to the competent authorities. Equally important is adequate training of staff, not only technical personnel but also management, to ensure awareness of threats and familiarity with the applicable procedures.
One must also maintain contact with the competent national authorities and participate in the information-sharing system on threats and incidents, which is a key element of the security framework at the European level. Regular updating of activities and documentation based on changing requirements and emerging threats will be necessary to ensure compliance with the KSC Act.
What our customers say about our services
Marcin Wieczorek

„I am very impressed with the high level of substantive expertise of the training staff”
From 13 to 17 March I attended the "Course for Information Security Administrators" organized by ODO 24 sp. z o.o. I am very impressed with the high substantive level of the training staff and the comprehensive program. Working as an ABI requires knowledge not only of legal provisions but also of IT matters, which ODO 24 took into account. Noteworthy is the curriculum, which gradually introduces increasingly advanced nuances of personal data protection, starting from the legal basics and ending with practical aspects of auditing and working with documents within a company. The complete set of materials, editable documents and publications I received will facilitate my daily work as an ABI. I can certainly recommend ODO 24 as a reliable partner offering training services of a high standard.
Magdalena Węglewska

„We can wholeheartedly recommend ODO 24 as a professional and reliable partner”
For many years we have consistently placed great importance on the protection of the personal data of our customers as well as our employees. We took an active part in creating the "Code of Good Practice for the Protection of Personal Data of Customers and Potential Customers,” developed jointly by GIODO and the Polish Automotive Industry Association. Due to the complexity and variability of the rules on personal data protection, as well as Mazda’s dynamic development in Poland and the increasing volume of data we process, we decided to entrust the ABI function to a company specialized in this field. The decision to use the services of ODO 24 was primarily influenced by the experience and competence of the team of experts, the comprehensiveness of the offering and its flexibility in adapting to our organization. After a year of cooperation we can recommend ODO 24 as a professional and reliable partner.
Agnieszka Karłowicz

„A practical approach, continuous advisory availability, and positive working relationships”
We have been working with ODO24 for over a year. For us it has been a year of peaceful breathing and a sense of security: at least regarding personal data protection :-) The people at ODO are professionals who explain matters that are incomprehensible to the average person in an understandable way. They understand not only their profession but, which is very important to us, business and its requirements. A practical approach, constant advisory availability, and great relationships — all of this means I can recommend this Company to anyone who wants to work and sleep peacefully.
Tomasz Siwicki

„I recommend the company ODO 24 as a professional partner”
For several years we have been cooperating with ODO 24 in the field of personal data protection. A professional team that efficiently helped us to comply with the requirements of the GDPR. We make use not only of the experts’ knowledge but also of professionally prepared e‑training, thanks to which we were able to train several hundred employees in a very short time. I highly recommend ODO 24 as a professional partner delivering services at the highest level.
Training online
Training in Warsaw
You don't like the training schedule?
Tell us about it, and we'll figure it out.

