New cybersecurity regulations (NIS2). Key changes and deadlines for businesses in Poland

Poland is aligning itself with EU standards under the NIS2 Directive, which aims to enhance Member States’ resilience to cyber threats.

With the entry into force of the amendment to the Act on the National Cybersecurity System (KSC), cybersecurity is no longer merely good organisational practice but becomes a legal obligation affecting thousands of businesses in Poland.

The new regulations represent one of the most significant changes for business in recent years and considerably expand the range of entities subject to regulatory obligations.

Who are the new regulations aimed at?

The amendment divides companies into two basic categories (mirroring the NIS2 distinction between essential and important entities):

  • key entities,
  • important entities.

The groups covered by the regulations may include, amongst others, companies from the following sectors:

  • energy and transport,
  • healthcare,
  • banking and financial services,
  • digital infrastructure and ICT services,
  • manufacturing and industry,
  • water and waste management.

In practice, this means that the new obligations may apply not only to large corporations but also to medium-sized enterprises operating in key sectors of the economy.

Key change: responsibility lies with the business

One of the key elements of the new system is that it is often up to the business itself to assess whether it is subject to the regulations; there is no general mechanism by which a company is notified that it falls within scope.

A lack of clear understanding in this regard may lead to serious consequences, including ex officio entry into the register of entities covered by the Act and increased scrutiny by state authorities.

Key dates for the implementation of the new obligations

The new regulations come into force in stages. The most important dates for businesses are:

  • 3 April 2026

Entry into force of the amendment to the KSC Act implementing NIS2.

From this point onwards, the new cybersecurity system will formally come into operation.

  • 3 October 2026

Deadline for self-identification and registration in the register of key and important entities (the S46 system). Failure to register does not remove an entity from scope: it may result in ex officio inclusion in the register.

  • 3 April 2027

Deadline for full implementation of the Act’s requirements by all covered entities. By this date, entities must have in place, among other things: an information security management system, incident response procedures and a cyber risk analysis.

  • 3 April 2028

First mandatory cybersecurity audit for key entities.

Subsequent audits will be carried out periodically (at least every 3 years).

New obligations for companies

The amendment to the Act significantly expands the list of obligations for businesses. In practice, these include, amongst other things: implementing a cybersecurity management system, identifying and analysing risks, monitoring and reporting incidents, ensuring business continuity, training staff, and management-level oversight of IT and security.

Cybersecurity is therefore becoming an integral part of organisational management, rather than merely a technical issue.

Consequences of non-compliance

Failure to meet these obligations may result in, amongst other things:

  • administrative and financial penalties,
  • the obligation to implement remedial measures under the supervision of the authorities,
  • liability of board members,
  • operational and reputational risk.

Why act now?

Although some implementation deadlines have been postponed, the process of complying with NIS2 takes time.

The biggest challenges for companies are:

  • determining whether they are subject to the regulations,
  • assessing the current level of security,
  • implementing procedures and tools,
  • preparing the organisation for incident reporting.

Taking early action helps avoid time pressure and reduces the risk of non-compliance. The new cybersecurity regulations introduce a significant shift in how organisations approach the protection of data and IT systems. For many companies, this means a transition from a reactive model to a systematic approach to cyber risk management.

If you wish to check whether your company is subject to these new obligations and how to prepare for them, please contact our law firm.