NIS 2 in Poland: Businesses Must Prepare for New Cybersecurity Compliance Duties Under the KSC Act
NIS 2 in Poland is no longer a distant regulatory topic; it is now a real cybersecurity compliance challenge for businesses operating in sectors of strategic importance to the economy. Following the amendment to the Act on the National Cybersecurity System, which entered into force on 3 April 2026, medium and large companies (and, in certain cases, also micro and small enterprises) may need to verify whether they qualify as essential or important entities and prepare for new statutory cybersecurity obligations, including:
- registration in the S46 System;
- implementation of an Information Security Management System;
- reporting of serious cybersecurity incidents;
- external compliance audits, where required.

The compliance clock is already running: companies should determine their status early, map the obligations that apply to them and align their internal cybersecurity processes with the statutory timeline.
Is Your Business Ready for the NIS 2 Compliance Timeline?
| Date | Compliance milestone | Business action point |
| --- | --- | --- |
| 3 April 2026 | The amended Act on the National Cybersecurity System entered into force | Businesses operating in sectors of strategic importance to the economy should assess whether they may fall within the scope of the new KSC Act obligations as essential or important entities. |
| 3 October 2026 | Deadline for self-assessment and registration in the S46 System | Companies should conduct a self-assessment and submit an electronic application for entry into the register of essential and important entities. |
| 3 April 2027 | Deadline for full implementation of the Information Security Management System | Businesses should implement ISMS/SZBI, prepare security documentation and start reporting serious incidents to the relevant CSIRT teams. |
| 3 April 2028 | Deadline for the first external compliance audit | Essential/key entities should conduct their first mandatory external compliance audit. |
Who Must Comply with NIS 2 and the Amended KSC Act in Poland?
The new cybersecurity obligations apply mainly to medium and large companies operating in sectors of strategic importance to the economy. In strictly defined cases, the amended KSC Act may also apply to micro and small enterprises.
Under the amended KSC Act, obligated entities are divided into two categories:
- essential/key entities;
- important entities.
This classification is important because it determines, among other things, the level of market supervision and the scale of potential financial penalties.
The sectors covered by the new framework include, among others:
- energy, including electricity, gas, district heating, oil and petroleum;
- transport, including air, rail, water and road transport;
- banking and financial market infrastructure;
- healthcare, including manufacturers of medical devices and pharmaceutical products;
- drinking water and wastewater;
- digital infrastructure, including cloud computing and data centre services;
- managed ICT services;
- postal and courier services;
- waste management;
- chemicals and food;
- manufacturing, including medical devices, computer, electronic, optical and electrical equipment, machinery and vehicles;
- digital service providers, including online marketplaces, search engines and social networking platforms;
- scientific research.
This sectoral classification should be treated as a starting point for a legal and organisational assessment of whether the new cybersecurity regime applies to a given business.
What Are the Key NIS 2 Compliance Obligations Under the Amended KSC Act?
Companies covered by the amended KSC Act must take a proactive approach to cybersecurity risk management. This includes implementing appropriate and proportionate technical, operational and organisational measures to strengthen their resilience against cyber threats.
In practice, the key compliance obligations include:
- self-identification as an essential/key or important entity;
- registration in the S46 System, the register of essential and important entities;
- implementation of an Information Security Management System;
- preparation of security documentation and incident reporting procedures;
- reporting serious incidents to the relevant CSIRT teams;
- external compliance audit, where required for essential/key entities.

For businesses covered by the amended KSC Act, NIS 2 compliance is not only a cybersecurity issue. It also requires proper internal organisation, documented procedures and readiness to meet statutory deadlines.
What Should Businesses Do Now?
Businesses operating in sectors covered by the amended KSC Act should not wait until the statutory deadlines are approaching. The implementation schedule is phased, but the first key deadline, self-assessment and registration in the S46 System, falls on 3 October 2026.
At this stage, companies should focus on the following steps:
- verify whether their business falls within the scope of the amended KSC Act;
- assess whether they may qualify as an essential/key or important entity;
- prepare for self-identification and registration in the S46 System;
- review their current approach to cybersecurity risk management;
- plan the implementation of an Information Security Management System;
- prepare security documentation, incident reporting procedures and, where applicable, audit readiness.
In practice, implementation will require more than technical adjustments. Companies should also ensure that responsibilities, procedures and reporting paths are properly organised before the key deadlines arrive.
How Can Dudkowiak & Putyra Support Your NIS 2 Compliance Process?
The amended KSC Act creates a practical compliance challenge for businesses that may fall within the scope of the new cybersecurity regime. Companies should verify their status, identify the obligations applicable to them and prepare for the upcoming statutory deadlines.
Failure to comply with the amended KSC Act / NIS 2 obligations in a timely manner, including failure to register in the register of essential and important entities, may expose businesses to significant administrative fines of up to EUR 10 million or 2% of global annual turnover, as well as potential personal liability for management board members.
Dudkowiak & Putyra can support businesses with:
- assessing whether the company may qualify as an essential/key or important entity under the amended KSC Act;
- analysing the scope of cybersecurity compliance obligations applicable to the business;
- supporting the self-identification process and preparation for registration in the S46 System;
- assisting with the implementation of required normative documentation and ISMS/SZBI procedures;
- supporting incident reporting procedures and audit readiness;
- developing a dedicated roadmap for KSC Act / NIS 2 compliance.
Do not wait until the statutory deadlines start creating pressure. If the amended KSC Act or NIS 2 may affect your current or planned business operations, contact our experts to assess your obligations and develop a dedicated compliance roadmap.