26.05.2026

CyberSec Update#21 – ICT services under NIS2, KSC 2.0

Changes to ICT Supplier Contracts in Light of NIS2 and KSC 2.0

The transposition of the NIS2 Directive into the national legal framework and the entry into force of amendments to the Act on the National Cybersecurity System (KSC 2.0) have prompted organizations to take a much closer look at their relationships with ICT service providers.

New regulations – direct and indirect impact on the market

Regulatory changes affect not only essential and important entities, but also the technology providers that serve them. Suppliers are increasingly being asked by their customers about the security standards they apply, their incident response procedures, and whether they can be audited.

Although the regulations do not explicitly impose an obligation to amend every contract with an ICT service provider, regulatory practice shows that, without appropriate contractual provisions, meeting the requirements arising from NIS2 and KSC 2.0 may prove very difficult. As with GDPR and DORA, the new regulations take a risk-based approach and require genuine oversight of ICT outsourcing, not merely a signed contract on file.

Supply chain security as a key area

Supply chain security is becoming particularly important. KSC 2.0 indicates that essential and important entities should implement appropriate technical and organizational measures covering not only their own cybersecurity, but also the security and continuity of the supply of ICT products, processes and services on which they depend.

In practice, this means the need to organize relationships with suppliers and verify whether existing contracts genuinely allow for effective cybersecurity risk management.

Where to start organizing supplier relationships?

The first step should be to identify all ICT service providers and assess the criticality of the services each delivers to the organization, since the depth of oversight should be proportionate to that criticality. The next step is to review the existing contractual terms and run a supplier self-assessment process.

Such a self-assessment may take the form of a questionnaire covering, among other things, the technical and organizational safeguards applied, certifications held (e.g. ISO/IEC 27001 for information security management or ISO 22301 for business continuity), security procedures, the frequency of penetration testing, and whether the supplier holds cyber insurance.

What should a contract addendum include?

Particular attention should be paid to areas that ought to be reflected in contract addenda or separate agreements with ICT service providers. These include, in particular:

  • the right to audit and inspect the ICT service provider,
  • security incident reporting obligations,
  • rules governing the use of subcontractors,
  • obligations to cooperate with essential or important entities in the event of supervisory authority actions,
  • requirements relating to cyber insurance policies and contractual liability.

Provisions concerning incident reporting timelines are also gaining importance. Organizations increasingly expect suppliers to notify them within 24 hours of detecting an incident, and to establish dedicated crisis communication channels. The reason is practical: under NIS2, an essential or important entity must itself submit an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, so a supplier notification window that is no tighter than that leaves the entity little or no time to meet its own deadline.

Security breaches and continuity of cooperation

The liability of ICT service providers remains a significant issue. In practice, the parties negotiate termination rights for serious security breaches, typically paired with a cure period that gives the supplier an opportunity to remediate before termination takes effect.

Essential and important entities are also increasingly seeking safeguards in the form of indemnities under which the ICT service provider covers administrative fines imposed on the organization as a result of breaches attributable to the supplier.

A new contractual reality

NIS2 and KSC 2.0 are changing the way organizations think about relationships with technology suppliers. Contracts with ICT service providers are no longer merely procurement or operational documents – they are becoming one of the key tools for managing cybersecurity and business continuity.

Organizations that structure this area at an early stage will not only reduce regulatory risk, but also gain a competitive advantage in the new compliance landscape.

