Cybersecurity · Poland
Poland has a comprehensive horizontal cybersecurity law, the Act on the National Cybersecurity System (KSC), in force since 2018 to implement the original NIS Directive. A major amendment transposing the EU NIS2 Directive was signed by the President on 19 February 2026, published in the Journal of Laws in March 2026, and entered into force in early April 2026, expanding the regime to thousands of 'essential' and 'important' entities and adding management accountability, high-risk-vendor designation powers, and tiered breach-notification duties. EU baselines (NIS2, GDPR, DORA for finance) apply alongside the national framework.
The Act on the National Cybersecurity System of 5 July 2018 established Poland's horizontal cyber framework (operators of essential services, digital service providers, public bodies) implementing NIS1; it remains the backbone, now upgraded for NIS2. The Ministry of Digital Affairs is the lead authority.
The amendment transposing NIS2 was signed by President Nawrocki on 19 February 2026, published in the Dziennik Ustaw (Journal of Laws) in March 2026, and entered into force in early April 2026 — after Poland missed the EU's 17 October 2024 deadline and faced Commission infringement action.
The NIS2 amendment replaces the old 'operators of essential services' model with the NIS2 categories of essential and important entities, expanding coverage to tens of thousands of organisations across sectors such as energy, transport, banking, health, digital infrastructure, public administration, and (in some drafts) food and chemicals.
Entities must report significant incidents to the competent national CSIRT (CSIRT NASK, CSIRT GOV, or CSIRT MON) following the NIS2 staged model: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within one month. The original KSC Act already imposed a 24-hour incident-reporting limit on operators of essential services.
A distinctive Polish feature: the minister responsible for IT/digital affairs may designate suppliers of ICT products, services, or processes (and their corporate-group members) as 'high-risk vendors' where they pose a threat to state security, triggering restrictions on their use by regulated entities.
The law imposes ISMS obligations (referencing PN-EN ISO/IEC 27001 and ISO 22301) and direct top-management responsibility for cyber risk management. Fines reach up to EUR 10 million or 2% of global annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities, with transitional periods before the highest fines apply.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.