Breachroad
Compliance

NIS2 in Poland: new obligations and 2026 deadlines

The amended KSC act implements NIS2 and applies from 3 April 2026. We explain who it covers, the deadlines and what you need to do.

Karol Rapacz
28 June 2026 · 12 min read
Cybersecurity is ceasing to be solely an IT-department matter — it’s becoming a legal obligation with personal accountability for management. The NIS2 directive has been implemented in Poland through an amendment to the National Cybersecurity System Act (KSC), in force from 3 April 2026. Below is a practical summary of what changes.

Who it covers

The new rules expand the list of sectors and lower the size thresholds, so they will cover far more entities than the previous act — including many mid-sized companies that weren’t regulated before. Entities are split into essential and important, with different levels of oversight. The first step is a self-assessment of whether, and into which category, you fall.

Key deadlines

  • 3 April 2026 — the amendment enters into force.
  • 3 October 2026 — deadline for qualifying entities to apply for entry in the relevant register.
  • 3 April 2027 — time to align systems, procedures and structures with the requirements.
  • 3 April 2028 — by this date essential entities must carry out their first cybersecurity audit; subsequent ones at least every three years.

The legislator also provided a transition period for penalties — administrative fines will in most cases only be possible around two years after the rules take effect.

Which sectors the new rules cover

The list of sectors is broad and goes far beyond “classic” critical infrastructure. The high-criticality sectors (entities usually classed as essential) include energy, transport, banking and financial market infrastructure, healthcare, drinking water and wastewater, digital infrastructure (DNS, cloud, data centres), public administration and space. The important sectors include postal and courier services, waste management, chemicals, food production, manufacturing (including medical devices, electronics, machinery and vehicles), digital services (marketplaces, search engines, social media platforms) and scientific research.

The size thresholds are low: as a rule, 50 employees or EUR 10 million in turnover is enough for a mid-sized company in a covered sector to fall within scope. Importantly, the obligations also reach smaller companies indirectly — as suppliers in the supply chain of regulated entities, which will require their contractors to demonstrate their security posture.

Incident reporting deadlines in practice

The new rules for reporting significant incidents are strict and worth knowing by heart:

  • 24 hours from detection — an early warning to the competent CSIRT (including whether the incident may have resulted from unlawful action or could have cross-border effects).
  • 72 hours — a full incident notification with an assessment of its severity and impact.
  • On the CSIRT’s request — interim progress reports.
  • 1 month — a final report describing the causes, course and remediation measures applied.

These deadlines are unrealistic without a pre-built process: who classifies the incident, who writes the notification, who approves it and through which channel it reaches the CSIRT. It’s the same mechanism we describe for data breach response — build it once, jointly for GDPR and NIS2.

Penalties: what is actually at stake

The administrative fine ranges are high: for essential entities up to EUR 10 million or 2% of worldwide turnover (whichever is higher), for important entities up to EUR 7 million or 1.4% of turnover. A practically significant novelty is personal accountability of management — a manager can be fined up to a multiple of their remuneration, and in extreme cases a temporary ban on holding management positions in an essential entity is possible. That changes the budget conversation: the risk stops being abstract for the board.

The main obligations

  • Risk management and the implementation of adequate, documented safeguards.
  • Incident reporting under unified, tightened rules and deadlines.
  • Business continuity and supply chain security.
  • Management-body accountability — cybersecurity is formally assigned to leadership, with personal responsibility.

How to prepare

NIS2 compliance isn’t a one-off project but a process. A sensible order:

  1. Establish your status — essential entity, important entity, or out of scope.
  2. Run a gap analysis against the requirements (risk management, incidents, continuity, supply chain).
  3. Implement the missing pieces and document them — an audit checks evidence, not just declarations.
  4. Plan the audit in advance so you meet the 2028 deadline.

It’s worth treating NIS2 not as a bureaucratic burden but as an external nudge to put security in order — many of the requirements are simply good practices we write about in the context of incident response. If you’d like to assess your readiness, get in touch.

Frequently asked questions (FAQ)

How do I know whether my company falls under NIS2? Check three things: whether your activity fits one of the sectors in the act’s annexes, whether you exceed the size thresholds (as a rule 50 employees or EUR 10 million in turnover), and whether you belong to a category covered regardless of size (e.g. parts of digital infrastructure). In borderline cases — a capital group, mixed activity — it’s worth confirming the qualification with a lawyer; we help with the technical side of the gap assessment.

Does a small subcontractor need to care about NIS2 too? Formally it may be out of scope, but practically — yes. Regulated entities must manage supply chain security, so they will require suppliers to show security policies, test results and contractual commitments. Lacking these increasingly means lost tenders, not just regulatory risk.

What’s the difference between an essential and an important entity? The obligations are similar — the intensity of oversight and the penalties differ. Essential entities are subject to ongoing supervision (including announced and unannounced inspections and mandatory audits at least every three years), while important entities face ex-post supervision — mainly after an incident or a signal of non-compliance.

Does an ISO 27001 certificate settle NIS2 compliance? Not automatically, but it helps a lot. ISO 27001 covers most of the risk management and documentation requirements; NIS2 adds, among other things, specific incident reporting deadlines, registration duties and management accountability. Mapping the differences is a typical part of a gap analysis.

Where do we start if we have nothing today? With establishing your status and registering on time, and a gap analysis in parallel. Then: an incident-handling process with the 24/72-hour deadlines, an inventory of systems and suppliers, baseline controls (MFA, backups, vulnerability management) and board training — because the board is formally accountable. A NIS2 readiness audit turns this into a prioritised plan.

Sources and further reading: gov.pl — KSC act amendment, Biznes.gov.pl. This article is not legal advice.
