Training: How to Implement KSC / NIS2 in Practice

Is your organisation prepared for the NIS2 requirements? The NIS2 Directive has been implemented into Polish law through the Act on the national cybersecurity system (KSC or the KSC Act). The new regulations are not only a set of obligations — they are also an opportunity to raise the level of IT security and increase business resilience. Our training will show you step by step how to implement the NIS2 requirements effectively.

Certificate and substantive support

Certificate and substantive support
after the training

8 key KSC / NIS2 competencies

8 key KSC / NIS2 competencies

KSC / NIS2 documentation templates

KSC / NIS2 documentation templates

Check dates - from PLN 2800 net

Training: How to Implement KSC / NIS2 in Practice

Our training is a practical guide for managers and IT departments who want to go through this process efficiently. You'll learn what specific actions should be taken to meet the requirements of the KSC Act, while also boosting your organisation's resilience to cyber threats. During the training, our experts will not only share their knowledge but also present tried-and-tested practical solutions that will genuinely facilitate the implementation of the KSC Act.

Participants will have the opportunity to share experiences and discuss specific challenges from their organisations. You will return to your company with a clear plan of action and ready-made solutions that will enable you to adapt effectively to new requirements. The programme includes key information about the NIS2 requirements, which every member of the management and IT department responsible for the organisation's cybersecurity and compliance with the new regulations should know.

New features for 2025

What knowledge will you gain during your training?

You will understand the key requirements of NIS2 and their impact on organisations covered by the new regulations.

You will learn about the obligations arising from the KSC Act for their industry and how to implement them effectively in practice.

You will gain practical knowledge of the actions needed to implement the KSC Act – from risk analysis, through documentation and procedures, to incident management and cooperation with suppliers.

You will learn about the real cyber threats and learn how to effectively prevent them.

You will learn how to integrate NIS2 with existing security management systems, e.g. ISO 27001 or GDPR.

What's the detailed schedule for the workshops?

Schedule

How to Implement KSC / NIS2 in Practice

Module 1
09:00 - 11:00
I. Introduction to NIS2 – Context and Key Changes
What is the NIS2 Directive and why it mattersDifferences between NIS and NIS2 – what has changedNew obligations for organisations covered by the national cybersecurity system actWho is affected by NIS2 – essential and important sectors
II. NIS2 Requirements for Organisations – What Must Be Implemented
The national cybersecurity act and GDPR – where they complement and where they differOrganisational requirements – cybersecurity governance structure and key proceduresTechnical requirements – minimum security standards and technology best practicesThe role of management – how to effectively oversee IT security and manage risk
Module 2
11:10 - 13:00
III. Risk Analysis Under NIS2
How to effectively conduct a risk analysis in the context of NIS2Examples of good practices and the most common mistakes made in organisationsHow to prepare policies and procedures compliant with the national cybersecurity act
IV. Essential Documentation Under NIS2 – Division, Scope and Implementation
Documentation of the information security management systemDocumentation of infrastructure protection used to deliver the serviceDocumentation of the business continuity management systemTechnical documentation of the IT system used to deliver the serviceDocumentation specific to the service provided in a given sector or sub-sectorOperational documentation
Module 3
13:30 - 15:30
V. Incident Response and Crisis Management
Reporting incidents – significance threshold and reporting deadlinesIncident handling model – who is responsible for whatCreating an incident response plan – best practices
VI. Supply Chain Cybersecurity and Supplier Relations
How NIS2 affects relationships with third-party entitiesRequirements for suppliers – how to ensure complianceWhich contractual clauses are worth introducing
Module 4
15:45 - 17:15
VII. Cyber Hygiene – A Key Element of NIS2 Compliance
Why cyber hygiene is the foundation of effective organisational protectionWhich practices should become standard for employees and IT teamsHow to effectively enforce cyber hygiene policies within the organisation
VIII. Management Liability in the Context of NIS2
What obligations the national cybersecurity act places on management and senior staffPersonal liability of board members – legal and financial consequencesWhich management decisions are critical for KSC complianceCollaboration between management, the IT department and the data protection officer

Knowledge in practice

Acquire eight new key skills

  1. 1.Understanding the new responsibilities arising from NIS2 and their impact on organisations.
  2. 2.Establish and implement cybersecurity policies tailored to the requirements of the NIS2 and the specificities of the organisation.
  3. 3.Identify key assets and manage the risks associated with cyber threats.
  4. 4.Assessment and implementation of effective security measures to minimise the risk of incidents.
  5. 5.Preparation of organisations for audits and controls, including documentation of compliance with NIS2 requirements.
  6. 6.Cybersecurity incident management procedures, reporting of incidents and responding to breaches.
  7. 7.Cooperation with CSIRT and supervisory authorities to effectively implement reporting and information exchange obligations.
  8. 8.Engage management and key departments in building cybersecurity awareness and responsibility for implementing NIS2.
We train in the way we wish to be trained. We discuss real-world problems and point out tools to help solve them.

Tomasz Ochocki
Data Protection Officer (DPO) for the ODI content team

support

As part of the training you will receive:

Certificate confirming participation in the training, KSC / NIS2 documentation templates, post-training substantive support - ODO 24 support, presentation script, RODO Navigator and RODO Guide and 90-day access to the Dr RODO.

Opinion of the participants

Google

Tomasz G.

Google

2 years ago

starstarstarstarstar

I wanted to thank you for the wonderful training I've had at your company, the materials were very well prepared, and the instructor has shown tremendous knowledge and experience.

Google

Aleksandra P.

Google

2 years ago

starstarstarstarstar

Training at a very high level, I highly recommend!!! Training materials very useful in everyday work.

Google

Sławomir M.

Google

2 years ago

starstarstarstarstar

Mrs. Mecenas, it was an honor to be able to take part in this training, and thank you very much for your professional approach and valuable practical guidance.

Google

Wacław T.

Google

3 years ago

starstarstarstarstar

The IOD course organized by ODO24 has met all my expectations, a very practical approach, concrete examples and professional support.

Google

Maria K.

Google

1 year ago

starstarstarstarstar

The training was conducted in a way that was understandable even to those without previous experience in this field.

Google

Piotr N.

Google

10 months ago

starstarstarstarstar

Very good training, a lot of practical examples, a little bit too little time to ask questions, but overall I'm satisfied.

Google

Anna W.

Google

8 months ago

starstarstarstarstar

A professional approach, a great atmosphere during the training, the instructor answered all the questions thoroughly, and I highly recommend ODO24!

Google

Jan K.

Google

1 year ago

starstarstarstarstar

It's the best personal data protection training I've ever had, specific examples from real life, not just a dry theory, I recommend it to anyone who works with GDPR.

Google

Katarzyna J.

Google

6 months ago

starstarstarstarstar

The training meets my expectations. A lot of practical knowledge, good materials. The only drawback is too much group, so less time for individual consultations.

Google

Michał L.

Google

4 months ago

starstarstarstarstar

Excellent training! A very competent conductor with vast experience. Everything explained in a clear and understandable way. The training materials are very useful.

Google

Joanna D.

Google

3 months ago

starstarstarstarstar

I recommend ODO24 training to anyone seeking a sound knowledge of the field of ODO: professional service, excellent organisation and excellent teaching facilities.

Google

Andrzej S.

Google

2 months ago

starstarstarstarstar

Sometimes the pace was a little too fast, but the conductor was happy to return to the topics discussed earlier at the request of the participants.

Our greatest value is the trust of our customers.

free

Each person who makes payment for the training at least 14 days before the date will receive a PLN 100 discount.

NIS2

How to implement KSC / NIS2 in practice - questions and answers

What is the NIS2 Directive?

The NIS2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022) is an EU legal act intended to ensure a high, common level of cybersecurity across the European Union. It replaces the earlier NIS Directive of 2016, significantly expanding the range of sectors covered by the rules and introducing more stringent requirements on risk management and incident reporting. The new rules cover a broader catalogue of essential entities and important entities, strengthen supervisory obligations and place greater responsibility on organisational management. In Poland, NIS2 was implemented in 2026, through an amendment to the Act on the national cybersecurity system (KSC or the KSC Act).

Which companies are subject to the KSC Act (NIS2 requirements)?

The NIS2 requirements apply to medium and large enterprises operating in certain sectors considered essential or important for the functioning of EU society and the economy. Criteria include, among others, the number of employees (over 50) and annual turnover (above EUR 10 million). Some small enterprises may also fall within the scope if they provide services of significant importance to society or the economy.

The NIS2 requirements expand the range of sectors covered compared with the previously applicable NIS. They include, among others:

  • Energy
  • Transport
  • Banking and financial market infrastructure
  • Healthcare
  • Drinking water supply and wastewater management
  • Digital infrastructure
  • Public administration
  • Manufacture and distribution of chemicals
  • Food production
  • Postal and courier services
  • Waste management
  • Digital service providers
How can I check whether my company is subject to the NIS2 requirements?

To assess whether your company is subject to the KSC Act, you should:

  • Determine the company’s sector of activity and check whether it is listed in the Directive as essential or important. The decisive factor is the actual carrying out of activities in the sectors listed in the annexes to the Directive.

  • Check whether the company meets the size criteria (number of employees and annual turnover).

  • Consider the importance of the services provided for society and the economy. Online tools, such as questionnaires, are also available to help make a preliminary assessment of whether the company is subject to the Directive.
When did the NIS2 Directive come into force?

The NIS2 Directive entered into force on 16 January 2023. Member States of the European Union were required to implement its provisions into their national legal frameworks by 17 October 2024. In Poland, NIS2 was implemented in 2026, through an amendment to the Act of 5 July 2018 on the national cybersecurity system (consolidated text: Journal of Laws of 2026, item 20, as amended).

What actions should be taken in the event of a cybersecurity incident?

In the event of a cybersecurity incident, an organisation should activate pre-prepared incident response procedures, which are a key element of an information security management system.

First, the incident should be identified without delay, its scale and potential impact on business continuity, system integrity and data protection should be assessed. This process should include an initial technical analysis and classification of the incident according to the adopted criteria. At the same time, measures should be taken to mitigate the effects of the event – for example, isolating the infected system, restoring basic operational functions or activating contingency plans.

In accordance with the NIS2 Directive, an organisation has the obligation to notify serious security incidents to the appropriate national authority (e.g. CSIRT or another supervisory authority) within specified timeframes – usually an initial notification within 24 hours, supplemented by a report within 72 hours and a final report after the effects have been remedied. Notification of service recipients is also required if the incident may have affected the provision of essential or important services.

After the situation has been contained, the organisation should conduct an in-depth root cause analysis to identify the gaps that allowed the incident to occur. On this basis, appropriate corrective and preventive measures should be implemented, which may include updating security policies, system configurations, access management procedures or additional training for employees.

A key aspect is documenting all stages of incident response and verifying the effectiveness of the measures taken. This not only enables compliance with legal obligations to be demonstrated, but also supports the continuous improvement of the information security management system.

What are the main obligations for companies under the KSC Act?

Obliged entities should implement appropriate technical and organisational measures to effectively manage cybersecurity risk. This includes, among other things, carrying out risk assessments, developing and applying security policies, effective incident management, organising training for personnel and securing the supply chain. An important obligation is also the reporting of serious security incidents to the relevant national authorities. Regular risk assessments and security audits should be conducted to ensure the measures in place remain up to date and effective. Cooperation with national authorities and other entities in exchanging information about threats is also of key importance.

What penalties apply for non-compliance with the NIS2 requirements?

The Act on the national cybersecurity system provides for severe penalties for non-compliance with its provisions:

  • For essential entities: up to EUR 10 million or 2% of annual turnover.
  • For important entities: up to EUR 7 million or 1.4% of annual turnover.

Additionally, persons responsible for management may be held liable for breaches of the obligations arising under the Directive.

Do small companies also fall within the scope of the NIS2 requirements?

In principle the NIS2 requirements apply to medium and large enterprises. However, some small and micro-enterprises may be covered if they provide services of significant importance to society or the economy, such as DNS service providers, domain registrars or qualified trust service providers.

What are the differences between the NIS Directive and the NIS2 Directive?

The differences between the NIS Directive and the NIS2 Directive are significant and reflect the growing need for a more effective approach to cybersecurity at Union level. The NIS2 Directive introduces a number of important changes compared with its predecessor.

First, the scope of entities has been expanded – the new rules cover many more sectors, including, among others, postal services, waste management, the manufacture of selected products (e.g. pharmaceuticals or electronics), and public administration. More precise criteria for classifying entities as "essential" or "important" have also been introduced, which affects the scope of obligations and supervision.

Second, NIS2 provides for more stringent requirements on risk management and incident reporting. Obligations in this area have been clarified and harmonised across the EU, and entities must implement specific remedial measures and report serious incidents within defined timeframes.

Third, the responsibility of senior management has been increased. Under NIS2, they are not only responsible for the implementation of technical and organisational measures, but must also demonstrate engagement in oversight of cybersecurity, including participation in training.

Moreover, the new rules provide for harsher sanctions for non-compliance, including administrative fines that can be significant – both for organisations and for their management.

A final key change is the strengthening of cooperation and information sharing between Member States, including through the establishment of the European cooperation network (EU-CyCLONe) and improved communication between CSIRTs and the relevant national authorities.

How should a company prepare for implementation of the NIS2 requirements?

Preparing a company for implementation of the NIS2 requirements requires a comprehensive approach to cybersecurity management. The first step should be a detailed risk assessment that will identify potential threats to operational continuity and the security of information systems. On this basis, appropriate technical and organisational measures should be implemented to enable effective management of the identified risks.

Another important element is the development and implementation of procedures for reporting security incidents in line with the requirements of the KSC Act – including defining how incidents are classified and the deadlines and procedures for reporting them to the competent authorities. Equally important is adequate training of staff, not only technical personnel but also management, to ensure awareness of threats and familiarity with the applicable procedures.

One must also maintain contact with the competent national authorities and participate in the information-sharing system on threats and incidents, which is a key element of the security framework at the European level. Regular updating of activities and documentation based on changing requirements and emerging threats will be necessary to ensure compliance with the KSC Act.

What our customers say about our services

Marcin Wieczorek

Wojas

foto-lizard-media.jpg

I am very impressed with the high level of substantive expertise of the training staff

From 13 to 17 March I attended the "Course for Information Security Administrators" organized by ODO 24 sp. z o.o. I am very impressed with the high substantive level of the training staff and the comprehensive program. Working as an ABI requires knowledge not only of legal provisions but also of IT matters, which ODO 24 took into account. Noteworthy is the curriculum, which gradually introduces increasingly advanced nuances of personal data protection, starting from the legal basics and ending with practical aspects of auditing and working with documents within a company. The complete set of materials, editable documents and publications I received will facilitate my daily work as an ABI. I can certainly recommend ODO 24 as a reliable partner offering training services of a high standard.

Scope of services:

Magdalena Węglewska

Mazda

foto-mazda.jpg

We can wholeheartedly recommend ODO 24 as a professional and reliable partner

For many years we have consistently placed great importance on the protection of the personal data of our customers as well as our employees. We took an active part in creating the "Code of Good Practice for the Protection of Personal Data of Customers and Potential Customers,” developed jointly by GIODO and the Polish Automotive Industry Association. Due to the complexity and variability of the rules on personal data protection, as well as Mazda’s dynamic development in Poland and the increasing volume of data we process, we decided to entrust the ABI function to a company specialized in this field. The decision to use the services of ODO 24 was primarily influenced by the experience and competence of the team of experts, the comprehensiveness of the offering and its flexibility in adapting to our organization. After a year of cooperation we can recommend ODO 24 as a professional and reliable partner.

Agnieszka Karłowicz

Spiżarnia

foto-spizarnia.jpg

A practical approach, continuous advisory availability, and positive working relationships

We have been working with ODO24 for over a year. For us it has been a year of peaceful breathing and a sense of security: at least regarding personal data protection :-) The people at ODO are professionals who explain matters that are incomprehensible to the average person in an understandable way. They understand not only their profession but, which is very important to us, business and its requirements. A practical approach, constant advisory availability, and great relationships — all of this means I can recommend this Company to anyone who wants to work and sleep peacefully.

Tomasz Siwicki

Gefco

foto-gefco.jpg

I recommend the company ODO 24 as a professional partner

For several years we have been cooperating with ODO 24 in the field of personal data protection. A professional team that efficiently helped us to comply with the requirements of the GDPR. We make use not only of the experts’ knowledge but also of professionally prepared e‑training, thanks to which we were able to train several hundred employees in a very short time. I highly recommend ODO 24 as a professional partner delivering services at the highest level.

Training online

No deadlines on the internet

Training in Warsaw

No fixed deadlines

You don't like the training schedule?

Tell us about it, and we'll figure it out.

Dominik Kantorowicz - Coordinator of training

Dominik Kantorowicz

Training Coordinator

You call me:+48 690 004 852,
Write:
szkolenia@odo24.pl