On 3 April 2026, the amended Polish Act on the National Cybersecurity System (UKSC) came into force, implementing the EU NIS2 Directive into national law after more than a year's delay from the original transposition deadline. The Act establishes a new national framework for cybersecurity governance.
The new rules expand the range of organisations subject to statutory cybersecurity obligations. The Act primarily applies to medium and large enterprises operating in the sectors listed in its annex; in exceptional cases it also covers small and micro-enterprises, so that, alongside the largest entities, certain smaller but strategically important organisations critical to national cybersecurity are brought within scope. Under the UKSC, entities are classified as either "essential" or "important", a distinction that is particularly relevant for government oversight and audits.
Poland's legislation affects a slightly broader set of entities than the NIS2 Directive itself. Sectors primarily impacted include energy, healthcare, transport, water and food supply, digital infrastructure, wastewater and waste management, ICT service management, the space sector, certain public bodies, postal services, chemical and manufacturing industries, digital service providers, and scientific research organisations.
Entities that already meet the criteria under the Act as of 3 April 2026 must be registered in the official list of essential and important entities according to a schedule to be published shortly. Organisations that qualify after this date have six months from identification to register.
The Act requires, among other things, that enterprises implement and maintain a comprehensive Information Security Management System (ISMS), which should cover:
• incident response;
• business continuity planning;
• supply chain security;
• employee training;
• other measures enhancing overall cybersecurity.
Members of governing bodies are explicitly responsible for approving and overseeing these measures, ensuring accountability at the highest level. The amendment also strengthens enforcement, introducing higher administrative penalties for organisations and personal liability for governing body members.
Incident reporting follows strict timelines, with early warnings, formal notifications and final reports required within defined periods.
Although detailed secondary regulations are still forthcoming, organisations should begin taking action now. Most obligations must be met by 3 March 2027, but implementation can be complex and time-consuming, and early preparation will help ensure that all requirements are met on time and reduce the risk of non-compliance.
Paweł Baran | Senior Attorney at law | Schoenherr Poland
T: +48 606 790 923 | E: pa.baran@schoenherr.eu