Cybersecurity is no longer the exclusive domain of the IT department. In 2026, it is becoming increasingly clear that it is an integral part of corporate governance and managerial responsibility. It is therefore worth considering two legal frameworks together: the strengthened powers of the supervisory board under the Commercial Companies Code, effective as of October 13, 2022, and the current requirements arising from NIS2 and the Polish amendment to the Act on the National Cybersecurity System of 2026.
The amendment to the Commercial Companies Code was not drafted exclusively with cybersecurity in mind, but in practice it addresses the current needs of companies very well. The supervisory board of a limited liability company (sp. z o.o.) and a joint-stock company (sp. akcyjna) may examine the company’s documents, audit its assets, and request from the management board, authorized signatories, and persons performing regular activities on behalf of the company any information, documents, reports, and explanations concerning the company, including its operations or assets. The materials should be provided immediately, generally no later than within two weeks, and the management board may not restrict the board’s access to the requested data.
From a security perspective, this is a very concrete supervisory tool. Today, the supervisory board can effectively inquire about:
In other words, oversight no longer needs to be limited to finances and formal compliance. It can also encompass the company’s digital resilience.
Another very important solution is the ability to appoint a supervisory board advisor. The Commercial Companies Code allows the board to commission an investigation into a specific matter concerning the company’s operations or assets, as well as the preparation of analyses and opinions. The management board is obligated to provide such an advisor with access to documents and necessary information.
In practice, this means the ability to commission an independent assessment of areas such as:
This is important because the supervisory board does not have to rely solely on the management board’s assurances. It can seek external, independent expertise.
The significance of these powers is growing in light of NIS2. The directive explicitly shifts responsibility for cybersecurity to the level of management bodies.
Pursuant to Article 20 of the Directive, Member States must ensure that the management bodies of critical and important entities approve cybersecurity risk management measures, oversee their implementation, and can be held accountable for breaches of these entities’ obligations.
This is no longer a model in which the board can treat cybersecurity solely as an operational matter. NIS2 requires that security be an integral part of organizational management, not merely a technical area. This is precisely why the role of the supervisory board becomes so important. It can verify whether the management board has indeed implemented appropriate measures and whether cyber risks are monitored at a level commensurate with the scale of operations.
The Polish amendment to the National Cybersecurity Act of January 23, 2026, reinforces this direction. The Act stipulates that a key or important entity should implement an information security management system covering, among other things:
The new regulations also specify that the entity’s manager is responsible for fulfilling cybersecurity obligations, makes decisions regarding the security system, plans financial resources, oversees task execution, and is required to provide regular training. This strengthens the managerial dimension of security and gives the supervisory board even stronger grounds for actively overseeing this area.
In practice, the supervisory board can effectively support the company’s cybersecurity today by asking the right questions and demanding specific answers. This applies in particular to issues such as:
The board may request information on the most significant threats, vulnerabilities, and scenarios affecting the company’s business continuity.
It is worth verifying whether the company has response procedures, a disaster recovery plan, and incident escalation mechanisms.
NIS2 strongly emphasizes supply chain security, so the board should also be concerned with the security posture of ICT partners and suppliers.
Oversight should also cover the quality of reporting. Management should provide information not only on incidents but also on the organization’s readiness level and the status of corrective actions.
Appointing a supervisory board advisor can help distinguish facts from statements and better assess the company’s cybersecurity maturity level.
In 2026, effective risk management will no longer be limited to compliance and documentation. The growing importance of NIS2, obligations under national regulations, and the ever-increasing costs of incidents mean that cybersecurity is becoming one of the key elements in protecting the company’s value. Therefore, the supervisory board should not be a passive recipient of information. It should actively use the tools already provided by the Commercial Companies Code.
The supervisory board can realistically support the company’s cybersecurity today, but only if it actively and consciously exercises its powers. The changes effective as of October 13, 2022, have given it stronger tools for accessing information and the ability to engage independent advisors. In turn, NIS2 and the 2026 amendment to the Polish Act on the National Cybersecurity System strengthen management’s responsibility for security and risk management. Together, they form the basis for treating cybersecurity as a permanent element of corporate governance, rather than merely a technical issue.