The Act of 23 January 2026 amending the Act on the National Cybersecurity System (Journal of Laws 2026, item 252) transposes the NIS2 Directive into Polish law and enters into force on 3 April 2026. If your company operates in one of the 18 regulated sectors and either employs at least 50 people or exceeds EUR 10 million in both annual turnover and balance sheet total, you will most likely need to implement an information security management system (ISMS), report incidents, and train your board. This guide explains what, when, and why.
Key deadline: 3 October 2026 — This is the deadline for filing a registration application with the registry of essential and important entities (S46 system). Self-assessment should begin now.
Implementation Timeline — Key Dates
The amended Act does not require immediate compliance with all obligations. The Ministry of Digital Affairs has published an official implementation schedule:
- 2 March 2026 — Publication in the Journal of Laws (Dz.U. 2026, item 252)
- 3 April 2026 — Entry into force. Existing operators of key services become essential entities by operation of law
- 3 May 2026 — Deadline for the Minister of Digital Affairs to establish the registry of essential and important entities (maintained in the S46 system)
- 3 October 2026 — Deadline for filing a registration application (6 months from entry into force)
- 3 April 2027 — Deadline for full implementation of obligations — ISMS, incident procedures, training, documentation (12 months from entry into force)
- 3 April 2028 — First mandatory cybersecurity audit (essential entities only, 24 months); end of 2-year grace period — supervisory authority may impose fines
Who Does NIS2 Apply to in Poland?
The amendment replaces the previous division into operators of key services and digital service providers with a new classification: essential entities (podmioty kluczowe) and important entities (podmioty ważne). Classification is based on two criteria: the sector of activity and the size of the undertaking.
Sector Criterion — 18 Sectors in Two Annexes
The Act divides sectors into two groups. Annex 1 covers sectors of high criticality (essential), while Annex 2 covers other critical sectors (important).
| Annex | Sectors |
|---|---|
| Annex 1 (high criticality) | Energy · Transport · Banking · Financial market infrastructure · Healthcare · Drinking water · Wastewater · Digital infrastructure · ICT service management (B2B) · Public administration · Space |
| Annex 2 (other critical) | Postal & courier services · Waste management · Manufacture/distribution of chemicals · Food production/distribution · Manufacturing (medical devices, electronics, machinery, motor vehicles) · Digital providers (marketplaces, search engines, social media) · Research |
Size Criterion — The Size-Cap Rule
Sector membership alone is not sufficient. The entity must at least qualify as a medium-sized undertaking under the SME definition in Annex I to Regulation (EU) No 651/2014 (Art. 5 of the Act on the National Cybersecurity System, “UKSC”):
| Size | Headcount | Turnover / balance sheet total | Annex 1 sector | Annex 2 sector |
|---|---|---|---|---|
| Large | ≥ 250 | or: turnover > EUR 50M and balance sheet > EUR 43M | Essential entity | Important entity |
| Medium | < 250 | turnover ≤ EUR 50M or balance sheet ≤ EUR 43M (and not small) | Important entity | Important entity |
| Micro / small | < 50 | turnover ≤ EUR 10M or balance sheet ≤ EUR 10M | Generally out of scope* | Out of scope* |
Headcount and the financial ceilings are read together. An undertaking is small only if it has fewer than 50 staff and stays within at least one of the two EUR 10M ceilings; a 30-person company whose turnover and balance sheet total both exceed EUR 10M is therefore medium-sized and in scope. Conversely, an undertaking is large if it has 250 or more staff, or if it exceeds both the EUR 50M turnover and the EUR 43M balance sheet ceiling.
Note — corporate groups: When determining company size, data from the entire corporate group must be taken into account (linked and partner enterprises under Commission Recommendation 2003/361/EC). A subsidiary with 30 employees may qualify as a “large undertaking” if its group has 500+ people. Size is assessed as of the date of the most recent financial statements.
* Exceptions — Entities Subject to NIS2 Regardless of Size
Art. 5 UKSC provides for cases where an entity is subject to NIS2 obligations regardless of headcount and turnover:
- DNS service providers — essential entity
- Qualified trust service providers — essential entity
- TLD name registries — essential entity
- Critical entities (within the meaning of the CER Directive 2022/2557) — essential entity
- Managed security service providers (MSSPs) — essential entity (even small/medium)
- Central government public bodies — essential entity
- Electronic communications providers (micro/small) — important entity
- Non-qualified trust service providers (micro/small/medium) — important entity
- Entities of particular significance for public safety — by individual decision of the supervisory authority
An entity that simultaneously meets the criteria for both essential and important status is classified as essential (Art. 5(4)).
10 Cybersecurity Obligations — What You Must Implement
The amended Art. 8 UKSC requires essential and important entities to implement an information security management system (ISMS). Art. 8(1)(2) lists 14 categories of technical and organisational measures (letters a–n), transposing the 10 measures from Art. 21(2) of the NIS2 Directive:
| # | Area | UKSC provision | NIS2 |
|---|---|---|---|
| 1 | Security policy & risk analysis — documented ISMS policy approved by management, systematic risk assessment | Art. 8(1)(1)–(2)(a) | Art. 21(2)(a) |
| 2 | Incident handling — detection, analysis, containment, recovery procedures; ability to report within statutory deadlines | Art. 8(1)(4)–(5) + Art. 11–12b | Art. 21(2)(b) + Art. 23 |
| 3 | Business continuity — BCP/DRP plans, backups, recovery testing | Art. 8(1)(2)(f) | Art. 21(2)(c) |
| 4 | Supply chain security — IT vendor assessment, cybersecurity clauses in contracts | Art. 8(1)(2)(e) | Art. 21(2)(d) |
| 5 | Security in system acquisition & maintenance — SDLC, vulnerability management, patching | Art. 8(1)(2)(b) | Art. 21(2)(e) |
| 6 | Effectiveness assessment — audits, penetration testing, security reviews | Art. 8(1)(2)(h) | Art. 21(2)(f) |
| 7 | Training & cyber hygiene — staff education, cyber hygiene practices, mandatory annual training for the head of the entity | Art. 8(1)(2)(i)–(j) + Art. 8e | Art. 21(2)(g) + Art. 20(2) |
| 8 | Cryptography — encryption policy for data at rest and in transit | Art. 8(1)(2)(k) | Art. 21(2)(h) |
| 9 | Asset management & access control — IT asset inventory, least-privilege principle, HR security | Art. 8(1)(2)(m)–(n) + (d) | Art. 21(2)(i) |
| 10 | MFA & secure communications — multi-factor authentication, encrypted internal and emergency communication | Art. 8(1)(2)(l) | Art. 21(2)(j) |
Measures must be proportionate to the entity's size, risk exposure, likelihood of incidents, and social and economic impact (Art. 8(1)(2) in principio). The Act is technology-neutral — it sets objectives, not tools.
Incident Reporting — 24h / 72h / 1 Month
One of the most significant changes is the standardisation of the significant incident reporting procedure. Art. 11(1)(4)–(4c) introduces a three-stage reporting system:
| Stage | Deadline | Content |
|---|---|---|
| Early warning | 24 hours from detection | Whether the incident may be the result of unlawful action; whether it may have cross-border impact |
| Incident notification | 72 hours from detection | Initial assessment: scope, severity, impact; indicators of compromise (IoCs) where available |
| Final report | 1 month from notification | Detailed description, root cause, remedial actions taken, cross-border impact |
Reports are filed via the S46 system to the competent CSIRT (CSIRT MON, CSIRT NASK, CSIRT GOV, or a sectoral CSIRT). If incident handling extends beyond the final report deadline, a progress report is submitted (Art. 12b).
New under NIS2: The Act also introduces an obligation to inform service users about significant cyber threats and about significant incidents that affect the service provided (Art. 11(2a)–(2b)).
Board Liability — This Is Not an “IT Issue”
One of the most transformative changes under NIS2 is shifting cybersecurity responsibility to board level. In the Polish implementation, this is governed by Art. 8c UKSC:
- The head of the entity bears personal liability for the entity's fulfilment of cybersecurity obligations (Art. 8c(1)). In Polish law, this corresponds to the kierownik jednostki — typically the management board or CEO.
- For multi-member management bodies (e.g., a sp. z o.o. management board) — if no individual has been designated as responsible, all members of the body are jointly liable (Art. 8c(2))
- Liability does not cease when obligations are delegated to another person or an external provider (Art. 8c(3))
- Annual cybersecurity training for the head of the entity is mandatory and must be documented (Art. 8e)
The head of the entity makes decisions regarding the ISMS, plans financial resources, assigns tasks, and ensures regulatory compliance (Art. 8d). This corresponds to Art. 20 of the NIS2 Directive, which requires management bodies to “approve cybersecurity risk-management measures and oversee their implementation.”
Personal penalty for the head of the entity: The supervisory authority may impose a personal fine on the head of an essential or important entity of up to 100% of their remuneration (calculated as the holiday pay equivalent). For essential entities that persistently fail to remedy breaches, a temporary ban on exercising management functions is possible — effective until the breaches are remedied.
Penalties for Non-Compliance
The amendment introduces a GDPR-style penalty system — proportionate to global turnover:
| Category | Maximum fine | Minimum fine |
|---|---|---|
| Essential entity | EUR 10M or 2% of global annual turnover (whichever is higher) | PLN 20,000 |
| Important entity | EUR 7M or 1.4% of global annual turnover (whichever is higher) | PLN 15,000 |
| Breach threatening national security | Up to PLN 100 million | |
Administrative fines may only be imposed after 2 years from the Act's entry into force (i.e., from 3 April 2028) — this is the adjustment period. However, this moratorium applies to administrative penalties only, not to civil liability for incident consequences.
NIS2 vs. DORA — Financial Sector
Financial sector entities subject to the DORA Regulation (2022/2554) — banks, insurers, funds, investment firms — are governed by DORA as lex specialis regarding ICT risk management, incident handling, and digital resilience testing. In those areas, DORA replaces NIS2 obligations (Recital 28 NIS2 Directive, Art. 4 DORA). A financial entity still appears in the registry but fulfils its obligations under DORA rather than Art. 8 UKSC.
Self-Assessment — 5 Steps to Registration
Unlike the previous legal framework (where key service operators were designated by administrative decision), the amendment introduces a self-identification principle. Each entity must assess for itself whether it falls within scope and file its own registration application.
Step 1: Check your sector of activity
Compare your company's NACE codes (PKD in Poland) against Annexes 1 and 2 to the Act. Consider all types of activity — a company may appear in the registry multiple times if it carries on several types of activity covered by NIS2.
Step 2: Determine the size of your undertaking
Check employee headcount, turnover, and balance sheet total — taking into account data from the entire corporate group (linked and partner enterprises). Size is assessed as of the date of the most recent financial statements.
Step 3: Classify your entity
Based on sector and size, determine whether you are an essential entity, important entity, or out of scope. Check the exceptions (Art. 5). If you meet the criteria for both categories, you are classified as essential. Document your reasoning.
Step 4: File your registration application
The application is filed electronically via the S46 system within 6 months of meeting the criteria. It must include the entity's name, tax ID (NIP), sector, and the contact details of the person responsible for cybersecurity. The application is accompanied by a statement from the head of the entity under penalty of criminal liability (Art. 233 § 6 of the Criminal Code).
Step 5: Implement your obligations within 12 months
From the Act's entry into force, you have 12 months for full implementation: ISMS, incident procedures, BCP/DRP, training, documentation, supply chain security, access control, MFA. Essential entities must conduct their first security audit within 24 months.
Practical Action Plan — Where to Start
You do not need to implement everything at once. Here is a prioritised plan aligned with the statutory deadlines:
Phase 1: Now → October 2026 (self-assessment & registration)
- Inventory of information systems and services
- Sector analysis — compare against Annexes 1 and 2
- Size determination including corporate group data
- Classification (essential / important / out of scope) — document your reasoning
- File registration application in S46 (by 3 October 2026)
- Designate the person responsible for cybersecurity
Phase 2: Q4 2026 → April 2027 (ISMS implementation)
- Draft the information security policy
- Conduct first cybersecurity risk assessment
- Develop incident management procedures (24h / 72h / 1 month deadlines)
- Draft business continuity plan (BCP) and disaster recovery plan (DRP)
- Review IT vendor contracts — add cybersecurity clauses
- Deploy MFA for critical systems
- Train the board and staff
- IT asset inventory and access control policy
Phase 3: 2027–2028 (audit & monitoring)
- First security audit (essential entities only — by 3 April 2028, then every 3 years)
- Ongoing ISMS monitoring and updates
- Periodic self-assessment review (every 6 months)
- Test incident procedures and BCP plans
Essential vs. Important — Practical Differences
Substantive obligations (ISMS, incident reporting, training) are identical. The differences concern supervision, penalties, and audit requirements:
| Element | Essential entity | Important entity |
|---|---|---|
| Supervision | Proactive (ex ante audits, planned inspections) | Reactive (ex post — after an incident or signal) |
| Mandatory audit | Every 3 years (first within 24 months) | No mandatory periodic audit |
| Max fine | EUR 10M / 2% of turnover | EUR 7M / 1.4% of turnover |
| Min fine | PLN 20,000 | PLN 15,000 |
Who Supervises You? Competent Authority & CSIRT
The supervisory authority and incident response team depend on the entity's sector of activity:
Note: The exact assignment of sectoral CSIRTs will be specified in implementing regulations issued by the Minister of Digital Affairs. The table below reflects the state of affairs as of March 2026.
| Sector | Competent authority | CSIRT |
|---|---|---|
| Energy | Minister of Climate and Environment | CSIRT GOV |
| Transport | Minister of Infrastructure | CSIRT NASK |
| Banking / financial markets | KNF (Financial Supervision Authority) | CSIRT KNF (sectoral) |
| Healthcare | Minister of Health | CSIRT NASK |
| Water / Wastewater | Minister of Infrastructure | CSIRT NASK |
| Digital infrastructure / ICT | Minister of Digital Affairs | CSIRT NASK |
| Public administration | Minister of Digital Affairs | CSIRT GOV |
| Postal / Waste / Chemicals / Food / Manufacturing | Relevant sectoral minister | CSIRT NASK |
| Digital services | Minister of Digital Affairs | CSIRT NASK |
Known Risks and Legal Uncertainties
- Implementing regulations not yet issued — the timeline for individual sector registrations and the detailed mapping of sectoral CSIRTs will be specified in regulations issued by the Minister of Digital Affairs. It is worth monitoring the Ministry's official gazette (Dziennik Urzędowy) for them.
- Constitutional challenge filed — the President signed the Act but referred certain provisions to the Constitutional Tribunal for ex post review (concerning high-risk vendor provisions). This does not suspend the Act's entry into force.
- Poland expanded the scope beyond NIS2 — the Act classifies more sectors as essential than the Directive requires (e.g., pharmacies, local government units, educational institutions). Critics point to over-regulation.
Summary
NIS2 is the most significant change in Polish cybersecurity law since 2018. Here are the key takeaways:
- 3 April 2026 — the Act enters into force; begin your self-assessment
- 3 October 2026 — deadline for filing your registration application in S46
- 3 April 2027 — deadline for full ISMS and procedure implementation
- The board is personally liable — cybersecurity is a management obligation, not an IT department task
- Fines up to EUR 10 million — but only after a 2-year grace period
- Self-assessment is mandatory — no authority will issue you a decision; you must determine for yourself whether you fall within scope
- Do not wait for implementing regulations — obligations flow directly from the Act, and the 12-month implementation deadline runs from 3 April 2026