First 40 Days of the Amended Polish Cybersecurity Act. NIS2 Implementation Status in Poland

13 May 2026 — forty days after the entry into force of the Polish transposition of the NIS2 Directive. What has happened, what works, what is missing, and where the trap lies.

On 3 April 2026, the Act of 23 January 2026 amending the Act on the National Cybersecurity System and certain other acts entered into force (Polish Journal of Laws of 2026, item 252, hereinafter the “Amendment”). This is Poland’s transposition of Directive (EU) 2022/2555 (NIS2), delivered with a delay of roughly seventeen months — the original transposition deadline being 17 October 2024.

For the first time since publication in the Polish Journal of Laws on 2 March 2026, the substantive obligations of the Act apply to thousands of Polish entities. This is no longer an academic discussion about regulatory direction. It is the law in force — and every day without implementation is on the record.

Below is a summary of the first forty days of application: which obligations are operative, what is often overlooked in public debate, and what entities within scope should be doing now.

Timeline: 2 March – 13 May 2026

2 March 2026 — publication of the Amendment in the Journal of Laws (item 252), together with the consolidated text of the Cybersecurity Act (Journal of Laws 2026, item 20).

3 April 2026 — entry into force of the Amendment. From that date:

  • the terms “essential entity” (podmiot kluczowy) and “important entity” (podmiot ważny) replace the former concepts of “operator of essential services” and “digital service provider”,
  • the number of sectors covered by the Act expands from 7 to 18 (Annexes 1 and 2),
  • new incident reporting deadlines apply: 24 hours for an early warning, 72 hours for a major incident notification, one month for the final report (Article 11),
  • personal liability of the head of the entity is introduced (Article 8c).

6 May 2026 — the Ministry of Digital Affairs completed ex officio registration of the first wave of entities. This covered telecommunications providers, trust service providers, public entities and critical entities. The registration was made under Article 7a(2) of the Amendment, based on data from public registers.

7 May 2026 — launch of the wykaz-ksc.gov.pl portal, used for self-registration by essential and important entities. The portal operates within the IT system referred to in Article 46(1) of the Cybersecurity Act.

13 May 2026 (today) — end of the first month after entry into force. Self-identification and registration processes are underway.

The Register: How Registration Works

The central instrument of implementation is the register of essential and important entities (wykaz podmiotów kluczowych i podmiotów ważnych), maintained under Article 7 of the Cybersecurity Act as amended. The register is accessible through the IT system operated by the Ministry of Digital Affairs at wykaz-ksc.gov.pl.

Two modes of registration are operational.

Ex officio registration (Article 7a(2)). For selected categories — telecommunications providers, trust service providers, public entities, critical entities — the Minister of Digital Affairs has registered entities on the basis of public register data. These entities have already been notified and must supplement the missing data within 6 months from delivery of the notice (Article 7b(2)).

Self-registration (Article 7c(1)). Every entity that, as of 3 April 2026, meets the criteria for classification as an essential or important entity is required to apply for entry in the register within 6 months — that is, by 3 October 2026 (see also Article 33(3) of the Amendment).

This deadline is hard. Failure to self-register is a separate administrative offence (Article 73(1a) point 1 of the Cybersecurity Act), and after the moratorium on penalties expires, it is subject to financial sanctions.

Who Is an Essential Entity and Who Is Important

Classification is essentially based on the sector (Annex 1 or 2) and the size of the undertaking within the meaning of Regulation (EU) 651/2014 (Annex I).

Essential entity (Article 5(1))

Broadly:

  • an entity from Annex 1 that exceeds the criteria for a medium-sized enterprise (more than 250 employees, or annual turnover exceeding EUR 50 million, or balance sheet total exceeding EUR 43 million),
  • regardless of size: DNS service provider, qualified trust service provider, critical entity, public entity listed in Annex 1, top-level domain (TLD) name registry, domain name registration service provider, operator of a nuclear power facility.

Important entity (Article 5(2))

Broadly:

  • an entity from Annex 1 that meets the criteria for a medium-sized enterprise but is not an essential entity,
  • an entity from Annex 2 that meets or exceeds the criteria for a medium-sized enterprise,
  • a non-qualified trust service provider, an electronic communications undertaking that is a micro- or small enterprise, an investor in a nuclear power facility.

Annexes 1 and 2 cover a combined 18 sectors, including energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, chemical production, food production, manufacturing, digital service providers, scientific research, postal services and waste management.
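As an added worked example (not the article's own text, nor any tool of the Ministry's portal), the following Python encodes the sector-and-size test above as a small classifier. The size test follows Annex I of Regulation (EU) 651/2014, under which headcount is combined with either financial ceiling and the small-enterprise ceilings are 50 staff and EUR 10 million; the article quotes the ceilings in simplified form. The category label strings, the treatment of the size-independent "important" categories as a floor beneath the Annex 1 size test, and the sample entities are assumptions constructed for the example.

```python
"""Classifier for the essential / important entity test of Article 5(1)-(2).
Added example: the category labels and sample entities are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Annex(Enum):
    NONE = 0  # sector listed in neither annex
    ONE = 1   # Annex 1 (energy, transport, banking, healthcare, ...)
    TWO = 2   # Annex 2 (postal services, waste management, ...)


class Size(Enum):
    SMALL_OR_MICRO = "small/micro"
    MEDIUM = "medium"
    LARGE = "large"


class Status(Enum):
    ESSENTIAL = "essential entity (podmiot kluczowy)"
    IMPORTANT = "important entity (podmiot ważny)"
    OUT_OF_SCOPE = "out of scope"


EUR_M = 1_000_000

# Categories the article lists as essential regardless of size (labels assumed).
ESSENTIAL_ANY_SIZE = frozenset({
    "dns_service_provider", "qualified_trust_service_provider", "critical_entity",
    "public_entity_annex_1", "tld_name_registry",
    "domain_registration_service_provider", "nuclear_power_facility_operator",
})
# Categories listed as important regardless of size; treated as a floor, so a
# large Annex 1 entity in one of them is still tested as essential first.
IMPORTANT_ANY_SIZE = frozenset({
    "non_qualified_trust_service_provider", "nuclear_power_facility_investor",
})
TELCO = "electronic_communications_undertaking"  # important only when micro/small


@dataclass(frozen=True)
class Entity:
    name: str
    annex: Annex
    headcount: int
    turnover_eur: float
    balance_sheet_eur: float
    categories: frozenset = field(default_factory=frozenset)


def enterprise_size(headcount: int, turnover_eur: float, balance_sheet_eur: float) -> Size:
    """Annex I of Regulation (EU) 651/2014: an enterprise stays below a size
    ceiling only if headcount is below it AND at least one financial figure is."""
    if headcount >= 250 or (turnover_eur > 50 * EUR_M and balance_sheet_eur > 43 * EUR_M):
        return Size.LARGE
    if headcount < 50 and (turnover_eur <= 10 * EUR_M or balance_sheet_eur <= 10 * EUR_M):
        return Size.SMALL_OR_MICRO
    return Size.MEDIUM


def classify(entity: Entity) -> Status:
    size = enterprise_size(entity.headcount, entity.turnover_eur, entity.balance_sheet_eur)
    if entity.categories & ESSENTIAL_ANY_SIZE:
        return Status.ESSENTIAL
    if entity.annex is Annex.ONE and size is Size.LARGE:   # above medium ceilings
        return Status.ESSENTIAL
    if entity.categories & IMPORTANT_ANY_SIZE:
        return Status.IMPORTANT
    if TELCO in entity.categories and size is Size.SMALL_OR_MICRO:
        return Status.IMPORTANT
    if entity.annex is Annex.ONE and size is Size.MEDIUM:
        return Status.IMPORTANT
    if entity.annex is Annex.TWO and size is not Size.SMALL_OR_MICRO:
        return Status.IMPORTANT
    return Status.OUT_OF_SCOPE


def classify_all(entities) -> dict:
    return {e.name: classify(e) for e in entities}


# Constructed sample portfolio (not real organisations).
SAMPLE_ENTITIES = (
    Entity("Regional hospital", Annex.ONE, 1200, 90 * EUR_M, 60 * EUR_M),
    Entity("Food producer", Annex.TWO, 120, 30 * EUR_M, 20 * EUR_M),
    Entity("Small DNS operator", Annex.ONE, 15, 2 * EUR_M, 1 * EUR_M,
           frozenset({"dns_service_provider"})),
    Entity("Local ISP", Annex.ONE, 30, 4 * EUR_M, 3 * EUR_M, frozenset({TELCO})),
    Entity("Waste management group", Annex.TWO, 600, 120 * EUR_M, 80 * EUR_M),
    Entity("Small freight broker", Annex.ONE, 20, 3 * EUR_M, 2 * EUR_M),
    Entity("Software house", Annex.NONE, 400, 70 * EUR_M, 50 * EUR_M),
)

if __name__ == "__main__":
    for name, status in classify_all(SAMPLE_ENTITIES).items():
        print(f"{name:24} {status.value}")
```

Note that the Annex 2 branch never yields "essential", matching the article's reading of Article 5(2), and that an Annex 1 entity with 249 staff, EUR 60 million turnover but a EUR 40 million balance sheet is still medium-sized under the Regulation's wording, which is exactly the boundary case a self-identification exercise should be checking.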

Obligations Already in Force

Since 3 April 2026, every entity meeting the criteria of an essential or important entity is subject to the material obligations of Chapter 3 of the Cybersecurity Act:

  • Information Security Management System (ISMS) — Article 8, with 14 areas of technical and organisational measures listed in Article 8(1)(2)(a)–(n), including risk assessment policies, supply chain security, business continuity planning, multi-factor authentication, staff training, and access control.
  • Security documentation — Article 10.
  • Incident reporting — Article 11: 24 hours for an early warning to the sectoral CSIRT, 72 hours for a major incident notification, final report within one month.
  • Internal cybersecurity structures or a contract with a managed security service provider — Article 14.
  • Security audit — Article 15, at least once every 3 years for an essential entity.
  • Personal accountability of management — Articles 8c, 8d, 8e, including a mandatory annual training requirement with documented attendance.

Implementation deadlines are extended, but the material obligations are in force as of today:

  • full implementation of security measures: by 3 April 2027 (12 months),
  • first audit of an essential entity: by 3 April 2028 (24 months),
  • use of the IT system: 12 months from the date of meeting the classification criteria.

The Moratorium on Penalties: Article 35 of the Amendment

This is the aspect most often discussed superficially.

Article 35 of the Act of 23 January 2026 provides:

“The financial penalties referred to in Article 73(1)–(4) and Articles 73a–73c and 76b of the act being amended under Article 1, as worded by this Act, may be imposed for the first time after the lapse of 2 years from the date of entry into force of the Act.”

In effect: the first penalties for violations of the Act may be imposed only from 3 April 2028.

The moratorium is broader than commonly assumed. It covers:

  • Article 73(1)–(4) — administrative penalties for entities: up to EUR 10 million or 2% of annual turnover for an essential entity, up to EUR 7 million or 1.4% for an important entity,
  • Article 73a — personal penalties for the head of an entity, up to 300% of annual remuneration (100% in the public sector),
  • Article 73b — penalties for domain registries, domain registration service providers, and hardware/software producers,
  • Article 73c — penalties for financial entities outside the scope of essential or important entities,
  • Article 76b — periodic penalty payments for non-compliance with administrative decisions (up to PLN 100,000 per day).

To this extent, the legislator has indeed granted a two-year grace period. During this time entities are expected to implement the obligations, organise documentation and train management.

But the moratorium has one significant gap.

The Exception Almost No One Has Noticed: Article 73(5)

Article 35 of the Amendment explicitly lists: Article 73(1)–(4), Articles 73a–73c, Article 76b. It does not list Article 73(5).

Article 73(5), as amended, provides:

“If an essential entity or an important entity violates the provisions of this Act, causing:

1) a direct and serious cyber threat to defence, state security, public safety and order, or human life and health,

2) a risk of serious financial damage or serious disruptions in the provision of services

— the competent cybersecurity authority shall impose a penalty of up to PLN 100,000,000.”

One hundred million złoty. No moratorium. In force from the first day the Act applies.

Public commentary most often focuses on the first condition — “defence, state security, public order, life and health”. This indeed concerns operators of critical infrastructure, energy networks, railways, hospitals.

The second condition, however, is significantly broader. “A risk of serious financial damage or serious disruptions in the provision of services” is an open catalogue that may include:

  • ransomware on a large e-commerce platform causing a multi-day sales outage,
  • a DDoS attack on a bank disrupting access to electronic banking,
  • a failure in a payment system at a financial services provider,
  • a breach of continuity of IT services for a large B2B customer base,
  • a data leak combined with service disruption in a SaaS platform serving regulated entities.

In each such case — where it can be shown that a violation of the Act (e.g. absence of an ISMS, deficient incident handling, failure to report) contributed to the risk — the competent cybersecurity authority shall impose a penalty. The word “shall impose” — not “may impose” — is legislatively significant: paragraph 5 is mandatory in character.

In practice, this requires identifying the competent authority for the relevant sector (Articles 41 and 41a). The list is long: from the Minister of Digital Affairs (public sector and digital infrastructure), through the President of the Office of Electronic Communications (electronic communications), the Polish Financial Supervision Authority (banking and financial market infrastructure), to the Minister of National Defence (national defence entities). These are authorities that have historically rarely exercised quasi-criminal powers in the area of cybersecurity. They now hold them in full and without temporal limitation.

What Essential and Important Entities Should Do Now

Operational priorities for Q2 and Q3 2026:

1. Self-identification

If you have not been registered ex officio, assess whether you meet the criteria of an essential or important entity. Classification is based on sector (Annex 1 or 2) and size (Regulation 651/2014/EU). Filing an application for entry in the register by 3 October 2026 — via the wykaz-ksc.gov.pl portal — is mandatory.

2. Zero-base audit

Take stock of your current information security management against the 14 control areas of Article 8(1)(2)(a)–(n). This is the foundation for all further work.

3. Assignment of management responsibility

Formally designate the head of the entity responsible for cybersecurity (Articles 8c and 8d). Organise the first training under Article 8e — attendance must be documented.

4. Incident handling procedure

Update your incident response policy to reflect the 24 / 72-hour and 30-day deadlines (Article 11). Designate at least two contact persons (Article 9(1)(1)). Verify how your sectoral CSIRT operates and which reporting procedures it has published.

5. Supply chain

Article 8(1)(2)(e) requires cyber risk management in the ICT supply chain. A review of contracts with key suppliers for security clauses, audit rights and incident reporting is work that cannot be left to the final month before the deadline.

6. First essential-entity audit

The 24-month deadline expires on 3 April 2028. Do not wait until the last quarter — preparing for an external audit requires 6–12 months of organisational work.

7. D&O insurance

Standard directors and officers liability policies do not cover administrative penalties under Article 73a. A review of insurance scope is essential and often requires an endorsement or a new policy.
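To make the Article 11 clock from item 4 concrete, here is an added Python example (not from the article, nor any CSIRT's own tooling) that derives the three reporting deadlines from an incident record and flags which stages were filed late or are now overdue. It assumes the clock starts at the detection timestamp and reads "one month" as a calendar month; the sample incident timeline is constructed.

```python
"""Tracker for the Article 11 incident reporting clock.
Added example: counting from the detection timestamp and reading
'one month' as a calendar month are assumptions; the timeline is constructed."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def add_one_month(t: datetime) -> datetime:
    """Same day next month, clamped to that month's length (31 Jan -> 28 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def deadlines(detected_at: datetime) -> dict:
    """The three Article 11 stages, each relative to the moment of detection."""
    return {
        "early_warning": detected_at + timedelta(hours=24),
        "major_incident_notification": detected_at + timedelta(hours=72),
        "final_report": add_one_month(detected_at),
    }


@dataclass(frozen=True)
class IncidentRecord:
    detected_at: datetime
    early_warning: Optional[datetime] = None
    major_incident_notification: Optional[datetime] = None
    final_report: Optional[datetime] = None


def report_status(record: IncidentRecord, now: datetime) -> dict:
    """Per stage: 'on time' / 'late' once sent, 'pending' / 'overdue' while not."""
    status = {}
    for stage, due in deadlines(record.detected_at).items():
        sent = getattr(record, stage)
        if sent is not None:
            status[stage] = "on time" if sent <= due else "late"
        else:
            status[stage] = "pending" if now <= due else "overdue"
    return status


def breached_stages(record: IncidentRecord, now: datetime) -> list:
    """Stages that would count against the entity in a later review."""
    return [s for s, v in report_status(record, now).items() if v in ("late", "overdue")]


UTC = timezone.utc
# Constructed timeline: detection on a Monday morning, warning the same evening,
# notification an hour and a half past the 72-hour mark, final report not yet sent.
SAMPLE_INCIDENT = IncidentRecord(
    detected_at=datetime(2026, 5, 4, 9, 30, tzinfo=UTC),
    early_warning=datetime(2026, 5, 4, 20, 0, tzinfo=UTC),
    major_incident_notification=datetime(2026, 5, 7, 11, 0, tzinfo=UTC),
)

if __name__ == "__main__":
    now = datetime(2026, 5, 13, 12, 0, tzinfo=UTC)
    status = report_status(SAMPLE_INCIDENT, now)
    for stage, due in deadlines(SAMPLE_INCIDENT.detected_at).items():
        print(f"{stage:28} due {due.isoformat()}  {status[stage]}")
```

The timestamps are timezone-aware on purpose: a 72-hour window that is computed in local wall-clock time across a daylight-saving change is off by an hour, which is exactly the kind of error that turns "on time" into "late".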

Upcoming Deadlines

Date              What
3 October 2026    Deadline for self-registration in the entity register (Article 33(3) of the Amendment)
3 April 2027      Full implementation of Chapter 3 obligations (Article 33(1) of the Amendment)
3 April 2028      First essential-entity audit (Article 33(2) of the Amendment); end of the penalty moratorium (Article 35 of the Amendment)

Three years. The timeline appears comfortable. It is not.

Conclusion

The Polish transposition of NIS2 is now operational. In the first forty days the entity register has been launched, ex officio registrations completed and self-registration opened. The centre of gravity has shifted from regulatory debate to operational implementation.

The moratorium on most penalties provides two years, but there is one exception — Article 73(5) — that warrants attention. In practice, it applies to situations in which an incident causes serious financial damage or service disruptions. That description fits most medium and large entities in NIS2 sectors.

At Harbor LEGAL, the first weeks following entry into force have been a period of intensive work with clients on classification, zero-base audits, ISMS documentation and incident reporting procedures. We invite contact in relation to:

  • status assessment (essential entity / important entity / out of scope),
  • sectoral classification and preparation of the entry application,
  • implementation of an ISMS compliant with Article 8 of the Cybersecurity Act,
  • incident handling procedures compliant with Article 11,
  • pre-compliance audits ahead of the first formal essential-entity audit.
