NIS2 Country Guide

NIS2 Poland: Amendment to the Act on the National Cybersecurity System (KSC)

See how Poland is preparing to transpose the NIS2 Directive through a far-reaching amendment to the Act on the National Cybersecurity System (KSC), why the process is delayed, and what essential and important entities should do now even though the new law is not yet in force.

Poland NIS2 transposition: delayed / in progress
National framework: Act on the National Cybersecurity System (KSC)

Introduction: NIS2 Directive & the Polish context

Poland implemented the original NIS Directive through the Act on the National Cybersecurity System (KSC) adopted in July 2018, which created a decentralised national cybersecurity system built around three national CSIRTs (CSIRT NASK, CSIRT MON and CSIRT GOV) and operators of essential services and digital service providers.

NIS2 requires Poland to significantly broaden this regime, move the focus from individual services to entire entities, expand the list of sectors and organisations in scope, and introduce stronger enforcement, including direct liability for management and stricter vendor controls.

Quick link: New to NIS2? Start with our general guides “What is NIS2?” and “NIS vs NIS2”.

NIS2 implementation in Poland

Poland is transposing NIS2 through an amendment to the Act on the National Cybersecurity System (KSC), rather than adopting a new standalone law. Multiple draft versions of the amendment were published between 2023 and 2025, reflecting extensive political and industry debate.

After a prolonged legislative process, the amendment was adopted by the Sejm on 26 January 2026 and subsequently approved by the Senate. Promulgation and publication in the Journal of Laws — and the determination of the final entry-into-force date — are pending.

The adopted amendment keeps the KSC as the backbone of the national regime but introduces NIS2 concepts such as essential and important entities, stricter incident-reporting rules, a central register of regulated entities, vendor-risk provisions (including “high-risk vendor” mechanisms) and a strengthened sanctioning framework.

Status

NIS2 is not yet transposed into Polish law. Work on the amendment to the KSC is at an advanced but still unfinished stage; several successive drafts have been published, but the act has not been promulgated.

Legal structure (planned)

NIS2 will be implemented through a comprehensive amendment to the 2018 Act on the National Cybersecurity System, supported by secondary legislation and sectoral regulations.

Expected impact

The future law is expected to bring over 10,000 entities into scope, covering a wide range of public and private organisations and significantly increasing supervisory reach.

NIS2 Poland: what you need to know about compliance

Even without a final act in force, the Polish drafts closely follow the NIS2 model of essential and important entities and give a clear picture of the obligations organisations will face once the amendment is adopted.

Who is likely in scope?

  • Entities operating in NIS2 Annex I sectors (energy, transport, health, drinking water, digital infrastructure, public administration, etc.).
  • Entities in NIS2 Annex II sectors (postal and courier services, waste management, food, manufacturing of critical products, research, etc.).
  • Medium and large organisations meeting NIS2 size or turnover thresholds.
  • Entities covered regardless of size, such as DNS and TLD operators, trust-service providers, major cloud and data-centre operators.

Core obligations (based on draft)

  • Implement risk-management measures for networks and information systems aligned with NIS2 Article 21.
  • Introduce governance structures and policies, including management-approved cybersecurity strategies.
  • Detect, handle and report significant incidents and certain cyber threats within strict deadlines.
  • Manage supply-chain and vendor risk, with special rules for “high-risk vendors” in sensitive sectors.
  • Ensure that management bodies are directly responsible for overseeing and approving cybersecurity measures.

Register of entities

Drafts foresee a central register of essential and important entities maintained at national level. Entities will either be identified by the authority or required to submit information to be included in the register and keep their data up to date.

Key message: although the law is delayed, the direction is clear. Polish organisations in NIS2-relevant sectors are expected to prepare on the basis of the Directive and the published drafts, rather than wait for the final act.

Competent authorities & CSIRTs

Poland operates a decentralised national cybersecurity system anchored in three national CSIRTs and coordinated through the KSC. The NIS2 amendment builds on this structure and clarifies roles for supervision and incident handling.

Role: National cybersecurity authorities
Authority: Authorities designated under the KSC (e.g. Government Plenipotentiary for Cybersecurity, sectoral authorities)
Notes: Oversee implementation of the KSC, coordinate NIS2 transposition and supervise operators of essential services, digital service providers and future essential/important entities.

Role: National CSIRTs
Authority: CSIRT NASK, CSIRT MON, CSIRT GOV
Notes: Three national CSIRTs share responsibility for incident handling: CSIRT NASK (civilian and commercial sector), CSIRT MON (defence) and CSIRT GOV (government and public administration).

Role: Sectoral CSIRTs
Authority: Sector-specific CSIRTs (planned)
Notes: The draft amendment provides for sector and subsector CSIRTs to support essential and important entities in particular sectors and to relay incidents to the national CSIRTs.

NIS2 timeline & key dates (Poland)

July 2018 — Original Act on the National Cybersecurity System (KSC) enters into force, implementing NIS1 in Poland.
January 2023 — NIS2 Directive enters into force at EU level; work begins on amending the KSC to transpose it.
17 October 2024 — EU deadline for NIS2 transposition passes; Poland has not yet adopted the amendment to the KSC.
Late 2024 – 2025 — Multiple new drafts of the amendment are released (fourth, fifth, sixth, seventh, and later drafts), reflecting ongoing negotiations and changes.
7 May 2025 — European Commission issues a reasoned opinion to Poland for failure to notify full NIS2 transposition.
January 2026 — Sejm adopts the amendment to the KSC implementing NIS2, and the Senate approves it.
Early 2026 — Promulgation and publication in the Journal of Laws pending; entry into force to follow as specified in the final act.

Sector-specific notes for Poland

  • Energy: electricity, gas and other critical energy operators will fall under strict essential-entity obligations once the amendment is in force.
  • Digital infrastructure: data centres, electronic communications networks and cloud providers are a major focus, with specific vendor-risk rules.
  • Public administration: ministries, key central authorities and selected local government entities will be included as essential or important entities.
  • Industry & manufacturing: manufacturers of critical products and key industrial players will be captured as important entities in line with NIS2.
  • Finance & health: banks, financial market infrastructures and healthcare providers will face combined obligations from NIS2 and sector-specific EU rules.

Penalties for non-compliance

The planned Polish NIS2 regime is notable for a particularly strict sanctions model, going beyond the basic NIS2 ceilings and adding specific national mechanisms and direct liability for management.

  • For essential entities: fines aligned with NIS2, up to around €10 million or 2% of worldwide annual turnover (whichever is higher).
  • For important entities: fines up to around €7 million or 1.4% of worldwide annual turnover.
  • Additional national cap: in certain high-risk scenarios, a special fine of up to PLN 100 million (approx. €20–25 million) is foreseen in some drafts.
  • Management liability: courts may disqualify board members from holding management functions for several years in cases of repeated or serious negligence.
  • Corrective measures: orders to remedy deficiencies, enhanced supervision and follow-up audits for non-compliant entities.

How to prepare for NIS2 in Poland

  1. Assess whether you are likely in scope: map your organisation against NIS2 Annex I & II sectors and size thresholds; assume that the Polish law will broadly follow them.
  2. Monitor the legislative process: follow official publications and legal updates on the amendment to the KSC so you know when the law is finally adopted and when it enters into force.
  3. Run a NIS2 gap assessment now: compare your current cybersecurity posture against NIS2 Article 21 requirements (governance, technical controls, processes, documentation).
  4. Plan for registration: prepare internal data (services, systems, dependencies, key contacts) that you will need to provide once the register of entities goes live.
  5. Strengthen incident management: design monitoring, triage and reporting workflows that can support 24-hour early warning and follow-up reports required by NIS2.
  6. Review supply-chain and vendor risk: identify high-impact suppliers and plan contractual updates, mindful of possible “high-risk vendor” restrictions in Poland.
  7. Align with recognised frameworks: build or refine an ISMS aligned with ISO/IEC 27001 or similar to make NIS2 implementation structured and auditable.
  8. Engage the board: brief senior management on upcoming personal liability and ensure cybersecurity is treated as a strategic, not just technical, topic.

FAQ: NIS2 in Poland

Has Poland fully transposed NIS2?
No. As of late 2025, Poland has not yet adopted the amendment to the Act on the National Cybersecurity System needed to transpose NIS2, and the European Commission has initiated infringement proceedings for late transposition.

Which law will implement NIS2 in Poland?
NIS2 will be implemented via an amendment to the existing Act on the National Cybersecurity System (KSC), which already serves as the backbone of Poland’s NIS1-based cybersecurity regime.

Should we wait until the law is adopted to start preparing?
No. Organisations in NIS2-relevant sectors are strongly advised to start preparing now based on the Directive and existing Polish drafts, as the main obligations and scope are already clear.

Who are the main NIS2 players in Poland?
The amendment will continue to rely on the national CSIRTs (CSIRT NASK, CSIRT MON, CSIRT GOV) and the national cybersecurity authorities designated under the KSC, with an extended role in supervising essential and important entities.

Will ISO 27001 be mandatory?
The draft does not mandate a single certification such as ISO/IEC 27001, but aligning with recognised standards will be one of the most effective ways to structure and demonstrate NIS2 compliance in Poland.

Information provided for general guidance; always consult the final Polish NIS2 legislation, official publications on the Act on the National Cybersecurity System and legal counsel for definitive compliance requirements in Poland.