NIS2 Directive in Poland

Last updated: 10.06.2026

What Does the NIS2 Directive and KSC Act Amendment Mean for Entrepreneurs in Poland?

On April 3, 2026, the amendment to the Polish Act on the National Cybersecurity System (KSC Act) entered into force, implementing the requirements of the NIS2 directive into the Polish national law.

The new regulations significantly alter the information security management model, extending the scope of regulatory obligations to thousands of entrepreneurs operating in sectors of strategic importance for the economy and digital infrastructure.

The NIS2 Directive, adopted by the European Parliament and the Council of the European Union, aims to strengthen the internal market by requiring EU Member States to adopt national measures ensuring a high common level of cybersecurity across the Union.

The regulation primarily covers medium and large enterprises, and in certain cases, also micro and small entities providing services critical to digital security.

Crucially, the amendment to the KSC Act shifts cybersecurity responsibility directly to the management level, requiring organizations to take a proactive approach to cybersecurity risk management measures and implement adequate compliance processes without waiting for action from public administration authorities. In practice, this means entrepreneurs must independently determine whether they are subject to the new statutory obligations.

The fundamental duties of entrepreneurs covered by the NIS2 regulation in Poland include, in particular:

  • Registration in the S46 system,
  • Implementation of an Information Security Management System,
  • Reporting of serious cyber incidents,
  • Conducting compliance audits — in cases provided for by the law.

Given that the statutory implementation periods are now in progress, entrepreneurs should promptly conduct a risk analysis of their regulatory status, determine the scope of applicable obligations, and align their internal cybersecurity measures for network and information systems with the stringent security requirements introduced by the new regulations to ensure compliance.

Key NIS2 Implementation Deadlines in Poland

  • April 3, 2026 – Entry into force of the amendment to the KSC Act. Business action: companies operating in sectors of strategic importance for the economy should assess whether they are subject to the new obligations under the KSC Act as essential entities or important entities, including entities operating in areas relevant to vital societal functions.
  • October 3, 2026 – Final deadline for self-identification and registration in the S46 System. Business action: companies should perform self-identification and submit an electronic application for entry into the registry of essential and important entities.
  • April 3, 2027 – Deadline for full implementation of the Information Security Management System. Business action: companies must possess a functioning Information Security Management System (ISMS), complete security documentation, and technical readiness to report incidents to the relevant authorities and security teams.
  • April 3, 2028 – Deadline for the first external compliance audit. Business action: essential entities should conduct their first mandatory external security audit of their information system.

Who Is Affected by the NIS2 Directive and the KSC Act?

Both the NIS2 directive and the KSC Act divide the regulated entities into two categories: essential entities and important entities. An entrepreneur’s status depends primarily on the type of business activity they conduct and their operational scale.

Business Activity Criteria – Is Your Company Operating in a NIS2-Covered Sector?

The obligations resulting from the NIS2 directive and the KSC Act apply to entrepreneurs operating in areas considered particularly vital for the functioning of the state, the economy, and digital infrastructure.

The new provisions significantly expand the personal scope of the regulation (the range of entities covered) compared to the previous NIS1 directive. Currently, they cover 18 sectors of strategic importance for the continuity of service provision and the economy’s resilience against cybersecurity incidents.

The regulations distinguish two basic categories of sectors: sectors of high criticality and other critical sectors.

Sectors of High Criticality under NIS2 directive

Sectors of high criticality include industries of fundamental importance to the functioning of the state and critical infrastructure sectors, including:

  • Energy: including electricity, gas, district heating and cooling, oil,
  • Transport: including air, rail, water, and road transport,
  • Banking and financial market infrastructure,
  • Healthcare,
  • Drinking water supply and distribution,
  • Waste water,
  • Digital infrastructure: including DNS service providers, top-level domain (TLD) name registries, cloud computing service providers, data centers,
  • ICT service management: including managed service providers,
  • Space.

Other Critical Sectors under NIS2

The category of other critical sectors covers activities significant from the perspective of economic stability and supply chain security, in particular:

  • Postal and courier services,
  • Nuclear energy investments,
  • Waste management,
  • Manufacture, production and distribution of chemicals,
  • Production, processing and distribution of food,
  • Manufacturing: including computers, electronic and optical products, electrical equipment, machinery and equipment, motor vehicles, trailers, and semi-trailers,
  • Digital service providers,
  • Scientific research.

It should be noted that the KSC Act does not provide a closed list of entities excluded from the regulation. Instead, it relies on a precise definition of industries and organizational thresholds; an entrepreneur that meets them is covered by the statutory duties.

In practice, this means that entrepreneurs operating outside the specified sectors or not meeting the scale-of-activity criteria will, as a rule, not be subject to the obligations of the KSC Act.

At the same time, determining whether an entrepreneur is subject to the NIS2 framework requires an individual assessment of the actual business activities conducted, the nature of the services provided, and the organization’s role within the supply chain and digital infrastructure.

Company Size Criteria – Medium and Large Enterprises under NIS2 directive

The second key criterion for being subject to the regulation is the size of the undertaking. As a rule, NIS2 covers medium and large enterprises operating in the sectors specified in the directive. In practice, this usually means organizations where:

  • Large entrepreneur: more than 250 employees; annual turnover equal to or greater than EUR 50 million or a balance sheet total equal to or greater than EUR 43 million.
  • Medium entrepreneur: 50–249 employees; annual turnover below EUR 50 million or a balance sheet total below EUR 43 million.

For the purposes of determining the status of an undertaking, the headcount includes not only individuals employed under employment contracts, but also persons performing work under civil law contracts (including mandate contracts and contracts for specific work), owner-managers, and partners who regularly participate in the undertaking’s activities and derive financial benefit from it.

When establishing whether an entity is subject to NIS2 as an important entity, linked and partner enterprises must also be taken into account, factoring in their revenues, balance sheet totals, and employee counts. However, this does not automatically mean that every entity formally reaching medium-enterprise status within a corporate group should be classified as an important entity.

The actual independence of its information systems and whether the linked entities provide the same service covered by the cybersecurity regulations carry significant weight.

Furthermore, in specific cases, requirements may also encompass smaller entities. The exception to the size criterion applies to organizations providing services of particular importance for digital security, including specifically DNS service providers, top-level domain (TLD) registries, qualified trust service providers, and electronic communications entrepreneurs.

In practice, this means that even small technology entities can be subject to the full regime of obligations arising from the NIS2 directive and the KSC Act.

Category of entity, size of entity, and sector:

Essential entities:
  • Large entrepreneurs operating in: energy (including electricity, oil, gas, hydrogen); transport (air, rail, water, road); banking and financial market infrastructure; healthcare (including pharmaceutical manufacturing); drinking water supply and distribution; collective wastewater removal; digital infrastructure; ICT service management.
  • Medium or large entrepreneurs: electronic communications entrepreneurs.
  • Small, medium, or large entrepreneurs: managed cybersecurity service providers.
  • Regardless of size: DNS service providers; qualified trust service providers; operators of a nuclear energy facility; top-level domain (TLD) name registries; entities providing domain name registration services.

Important entities:
  • Medium entrepreneurs operating in: energy (including electricity, oil, gas, hydrogen); transport (air, rail, water, road); banking and financial market infrastructure; healthcare (including pharmaceutical manufacturing); drinking water supply and distribution; collective wastewater removal; digital infrastructure; ICT service management.
  • Medium or large entrepreneurs operating in: postal services; nuclear energy investments; waste management; production, manufacturing, and distribution of chemicals; production, processing, and distribution of food; manufacturing (including medical devices and in vitro diagnostic medical devices, computers, electronic and optical products, electrical equipment).
  • Regardless of size: investors of a nuclear energy facility.
  • Small or micro-entrepreneurs: electronic communications entrepreneurs.

S46 Registration in Poland – Self-Identification Obligation for Businesses

In the previous legal framework, public administration authorities identified the key players in the market. The status of an operator of an essential service was granted by way of an official, individual administrative decision.

The amended Act completely reverses this logic, introducing the principle of self-identification by entrepreneurs. This means that the responsibility for determining whether an organization holds the status of an essential or important entity has been shifted directly onto the entrepreneurs themselves, which has raised concerns among some businesses regarding the scope of internal verification required.

In practice, management boards must independently conduct an analysis of the company’s activities regarding compliance with the sectoral and organizational criteria provided in the Act. This applies to both the nature of the services provided and the scale of the enterprise’s operations.

Entities covered by the regulation will be required to register in the registry of essential entities and important entities maintained in the S46 system. Registration is one of the fundamental formal obligations arising from the new regulations and is a precondition for further communication with the authorities competent for cybersecurity.

An entrepreneur should register within 6 months from the date of obtaining the status of an essential or important entity. For organizations meeting the criteria on the day the new regulations entered into force, the final, non-negotiable deadline for entry into the S46 system is October 3, 2026.

From a compliance perspective, it is particularly important that failure to carry out proper self-identification does not exempt an undertaking from liability. Supervisory authorities will be entitled to independently assess the organization’s status and verify compliance with statutory obligations, including the imposition of administrative fines. Failure to submit an application for entry into the register within the prescribed deadline may result in a fine of up to EUR 10 million (or 2% of annual revenue) for an essential entity, and up to EUR 7 million (or 1.4% of annual revenue) for an important entity.

In addition, the supervisory authority may impose personal financial liability on a member of the management board by levying a fine of up to 300% of the remuneration received by such person.


Core Cybersecurity Obligations under NIS2 and the KSC Act

The new cybersecurity rules impose organizational, technical, and reporting duties on essential and important entities. The objective of the regulation is to ensure business continuity for organizations and increase resilience to cybersecurity incidents.

Cybersecurity Risk Management and Security Measures

One of the primary obligations arising from Article 8 of the KSC Act is the implementation of adequate risk management measures in the field of cybersecurity. Entrepreneurs will be obliged, among other things, to:

  • Systematically assess risk and manage cyber threats, including periodic risk assessments,
  • Ensure information system security for systems used to provide services,
  • Implement business continuity plans and disaster recovery procedures, including backup management and crisis management arrangements,
  • Monitor incidents and respond to security breaches,
  • Secure the supply chain of ICT products and services, including the security-related aspects of cooperation with direct suppliers and other service providers,
  • Apply appropriate access control mechanisms and cryptographic protections, including multi-factor authentication and, where appropriate, encryption,
  • Regularly test the effectiveness of implemented security measures,
  • Conduct cybersecurity training and promote basic cyber hygiene practices among personnel as part of internal awareness-building measures.

The regulation requires continuous monitoring of risks and adapting security measures to current threats and the nature of the entrepreneur’s business.

Incident Reporting and Cybersecurity Notification Obligations

Entities covered by the regulation will be obliged to report serious incidents to the competent CSIRT teams within statutory deadlines. Reporting, which takes place via the S46 system, generally comprises:

  • Early warning: without delay, no later than within 24 hours from the moment the incident is detected,
  • Notification of a serious incident: without delay, no later than within 72 hours from the moment of detection,
  • Final report: submitted no later than within one month from the day of the serious incident notification (containing, among other things, a description of the incident’s impact and the corrective measures applied).

In practice, this means it is mandatory to implement internal procedures for identifying, classifying, and handling cybersecurity incidents, as well as communication pathways with the competent authorities and CSIRT teams.


NIS2 Fines and Management Board Liability in Poland

The KSC Act provides for significant administrative sanctions for breaching cybersecurity duties.

However, the regulation goes beyond the liability of the entrepreneur itself, strengthening the accountability of senior management for supervising the organization’s compliance with the requirements of NIS2 and the KSC Act.

Fines may be imposed for, among other things:

  • Failure to implement required security measures,
  • Failure to fulfill the registration obligation in the S46 system,
  • Failure to report an incident within the statutory timeframe,
  • Failure to conduct a mandatory audit,
  • Non-compliance with a decision issued by the authority competent for cybersecurity,
  • Providing false information during supervisory proceedings.

The provisions of the KSC Act introduce high administrative fines for violating duties stemming from NIS2. For essential entities, the fine may amount to up to EUR 10 million or 2% of the global annual revenue achieved in the previous financial year, whereas for important entities – up to EUR 7 million or 1.4% of the global annual revenue achieved in the previous financial year.

The obligation of self-identification and timely registration in the S46 system holds particular practical significance. The legislator has provided enforcement mechanisms against entities that fail to register despite meeting the statutory conditions. Such enforcement measures are intended to ensure compliance with the new cybersecurity framework.

In the event of a lack of registration, the authority competent for cybersecurity will be entitled to perform an ex officio entry based on data from public registers and available information. Such actions may lead to the immediate initiation of supervisory activities and heightened risk for the organization.

The amendment to the KSC Act also reinforces the personal liability of board members and individuals managing the organization for executing cybersecurity duties. The head of an entity can face financial liability for failing to perform registration, reporting, or supervisory duties. Crucially, the authority competent for cybersecurity will be empowered to impose a personal financial penalty of up to 300% of the monthly salary of the entity’s head.


How Should Companies Prepare for NIS2 Compliance?

Companies operating in sectors covered by the KSC Act should not wait until the statutory deadlines are close. The schedule for implementing these obligations is phased, but the first key deadline, self-assessment and registration in the S46 System, falls on October 3, 2026.

At this stage, companies should focus on the following key areas:

  • Check whether their business activities fall within the scope of the amended KSC Act;
  • Assess whether they qualify as an essential or important entity;
  • Prepare for self-identification and registration in the S46 System;
  • Verify their current approach to cybersecurity risk management;
  • Plan the implementation of an Information Security Management System (ISMS);
  • Review data protection, access control and internal reporting procedures;
  • Prepare security documentation, incident reporting procedures, and – where applicable – audit readiness.

In practice, implementing these new obligations will require more than just technical actions. Companies must also ensure a proper division of responsibility, procedures, and reporting pathways before the key deadlines arrive.


Legal and Compliance Support for NIS2 Implementation

The KSC Act creates a practical compliance challenge for companies that may fall under the new cybersecurity regime. Entrepreneurs should verify their status, determine the scope of applicable obligations, and prepare for the upcoming statutory deadlines.

Dudkowiak & Putyra can support companies in the fields of:

  • Assessing whether a company qualifies as an essential or important entity under the amended KSC Act;
  • Analyzing the scope of cybersecurity compliance obligations applicable to a given enterprise;
  • Supporting the self-identification process and preparing for registration in the S46 System;
  • Assisting in the implementation of required normative documentation and ISMS/SZBI procedures;
  • Providing support regarding incident reporting procedures and audit readiness;
  • Preparing a customized compliance roadmap for the KSC Act / NIS2.

Don’t wait! The statutory deadlines are already set. If the amended KSC Act or the NIS2 directive might impact your company’s current or planned operations, please contact our experts to assess your obligations and prepare a tailored compliance roadmap.

Expert team leader, D&P Legal: Michał Puk
Expert team leader, D&P Legal: Julia Kwiatkowska
Contact our expert – write an inquiry: [email protected]