
NIS2 implemented in Poland: is your business ready for the new cybersecurity regime?

The NIS2 Directive has now been implemented in Poland through a comprehensive amendment to the Polish National Cybersecurity System Act (NCSA). The new regulations significantly expand the catalogue of entities subject to cybersecurity obligations and introduce stricter compliance, reporting and auditing requirements. The new NCSA will enter into force on 3 April 2026.

1. What is it all about?

The new NCSA introduces a risk-based cybersecurity framework applicable to essential and important entities. Whether an organisation falls within scope depends primarily on the type of services it provides. The new regime captures a much broader set of industries than the pre‑NIS2 framework did.

2. Who is in scope?

Apart from the traditional businesses normally regarded as having a strategic role for national security, the new NCSA also applies to categories of businesses in less obvious industries.

Traditional businesses

  • Energy
  • Transport
  • Banking and financial market infrastructure
  • Healthcare
  • Drinking water supply and distribution

New sectors and digital industries

  • Digital infrastructure providers (IXP, DNS, TLD registries)
  • Cloud computing providers
  • Data centre service providers
  • Content delivery networks
  • Trust service providers
  • Domain-name registration services
  • Electronic communications service providers
  • ICT service management
  • Online platforms
  • Search engines
  • Social networks
  • Space sector
  • Production and manufacturing (medical devices, electronics, vehicles, machinery)
  • Scientific research entities
  • Postal services
  • Nuclear energy investments
  • Waste management
  • Wastewater
  • Chemicals production, manufacture and distribution
  • Food production, processing and distribution
  • Public entities

Additionally, businesses not directly in scope may still be affected contractually. Many in‑scope organisations will push NCSA‑related obligations downstream, for example to IT vendors and other suppliers.

3. Entities falling within scope must adhere to the following obligations:

  • registering in the register of essential and important entities;
  • implementing an information security management system and the required technical and organisational measures;
  • reporting serious incidents within the statutory deadlines;
  • ensuring cybersecurity awareness across the organisation;
  • mandatory cybersecurity training; and
  • regular security audits.

4. The new framework introduces the following deadlines:

  • The new NCSA comes into force on 3 April 2026.
  • For entities already meeting the classification criteria on 3 April 2026:
    • Registration deadlines are to be announced by the Minister of Digital Affairs in a dedicated schedule.
    • Within 12 months from 3 April 2026, entities must ensure full implementation of the obligations stemming from the NCSA.
    • Within 24 months from 3 April 2026, essential entities must undergo their first security audit.
  • For entities that become in scope after 3 April 2026:
    • Within six months from meeting the classification criteria, entities must register in the register of essential or important entities maintained by the Minister of Digital Affairs.
    • Within 12 months from meeting the classification criteria, entities must ensure full implementation of the obligations stemming from the NCSA.
    • Within 24 months from meeting the classification criteria, essential entities must undergo their first security audit.

5. Sanctions

The new NCSA provides for substantial financial penalties for non-compliance, which may be imposed not only on in-scope entities, but also on their management.

The highest sanctions may reach up to PLN 100,000,000 (approx. EUR 23,500,000) in cases of serious violations posing a direct threat to national security, public order or public health and safety.

6. What to do next?

  • Assess your status – determine whether your organisation falls under the scope of the new NCSA.
  • Register – submit your application to the register maintained by the Minister of Digital Affairs.
  • Implement – build or update your information security management system and other technical and organisational measures required by the NCSA.
  • Train – arrange the mandatory cybersecurity training.
  • Prepare for incidents – establish reporting procedures to meet the statutory deadlines.

7. Need assistance in preparing for the new cybersecurity obligations?

We are available to guide you and your business through the new regulations.
