The Polish amendment to the National Cybersecurity Act (KSC2), transposing the EU NIS2 Directive, enters real enforcement in the second half of 2026. Factories producing chemicals, food, machinery, automotive, electronics or medical devices — if they employ more than 50 people — are classified as "important entities" and fall under the full obligations package. This article walks through the ten Article 21 NIS2 requirements from an MES perspective: which functions already produce compliance evidence, what is missing, how every external API (OpenAI, cloud LLM, SaaS MES) grows your audit surface, and what to do concretely in the remaining months of 2026.