Publication date: July 07, 2026
The Act amending the Act on the National Cybersecurity System aims to implement Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (NIS Directive 2) and the partial application of Commission Delegated Regulation (EU) 2024/1366 of 11 March 2024 supplementing Regulation (EU) 2019/943 of the European Parliament and of the Council.
The amendment to the KSC Act significantly expands the scope of the regulations and introduces new obligations in the field of cybersecurity management. The changes include, among other things, the implementation of risk management systems and expanded incident reporting requirements. The new regulations also strengthen the powers of supervisory authorities and significantly increase the maximum amount of financial penalties. It also introduces liability for the management staff (manager) of an entity. In practice, this requires certain entities to take steps to comply with the new regulations.
The first experiences of entrepreneurs after the amendment came into force – practical conclusions
The few months that the amended Act on the National Cybersecurity System has been in effect demonstrate that the biggest challenge for businesses is no longer the analysis of the new regulations, but their practical implementation. For many organizations, the adaptation process began with a seemingly simple task: determining whether a given entity is even subject to the new regulations. In practice, this step proves to be one of the most problematic.
Under the previous legal framework, many businesses awaited a formal administrative decision confirming their status as an essential service operator. This approach is no longer appropriate. The status of a key or important entity stems directly from the Act, and obligations arise regardless of whether the business has already been entered on the register. This means that the responsibility for properly assessing their own situation rests primarily with the business itself.
Practice also shows that many companies focus solely on the issue of being entered into the register of key and important entities. However, entry itself is not the purpose of the regulation. The greatest challenges remain the actual implementation of an information security management system, conducting a risk analysis, developing incident response procedures, and adequately documenting the actions taken. In the future, supervisory authorities will primarily assess an organization’s actual level of compliance with the Act, not merely the formal fulfillment of registration obligations.
Another significant change is the significant increase in management responsibility. Management can no longer treat cybersecurity as a matter solely within the purview of IT departments. The Act requires active management involvement in the organization of the cybersecurity management system, oversight of its operation, and provision of adequate organizational and financial resources. In practice, this requires regular reporting on cybersecurity issues at the management level and documentation of decisions made.
Supply chain security is also becoming increasingly important. Businesses are required not only to secure their own IT systems but also to consider the risks arising from collaboration with IT service providers, cloud computing operators, software vendors, and outsourcing providers. In practice, this means reviewing supplier contracts, verifying the security measures in place, and implementing appropriate provisions for incident management and crisis cooperation.
It’s also noticeable that a growing number of businesses are choosing to conduct internal compliance audits before the statutory deadlines expire. This approach allows for early identification of organizational and technical gaps, reducing the risk of subsequent violations and costly remedial actions.
In practice, the best solution is to treat the implementation of the Act’s requirements not as a one-time project, but rather as a process encompassing regular risk analysis, procedure updates, employee training, and ongoing oversight of the organization’s security. This approach not only increases compliance but also significantly reduces the risk of cybersecurity incidents.
It’s worth emphasizing that the current transition period should be used to calmly prepare organizations for the full application of the new regulations. Postponing implementation until the final months before the statutory deadlines expire can be risky, especially for large organizations where implementing information security management systems requires the involvement of multiple departments and adequate time to prepare procedures and documentation.
Under the previous wording of the Act, an administrative decision was required to recognize an entity as an essential service operator (Article 5 of the Act before the amendment). Currently, the group of key and important entities is determined automatically (ex lege). The criteria for qualifying an entity as essential are found in Article 5, Section 1, and as an important entity in Article 5, Section 2 of the Act. It is possible that an entity meets the criteria for both key and important entities; such an entity is considered a key entity under Article 5, Section 4. When attempting to qualify entities, the Act also refers to EU regulations, particularly Regulation 651/2014/EU, which defines SMEs. Therefore, the primary criteria taken into account will be the number of employees and annual turnover. It is also necessary to refer to Annexes 1 and 2 of the Act, which precisely define the categories of entrepreneurs in specific sectors and subsectors.
The added Article 5a in paragraph 1 provides that key and important entities are subject to the obligations arising from the Act if they reside in the territory of the Republic of Poland or conduct their business in the territory of the Republic of Poland.
Articles 7 et seq. regulate matters related to the list of key and important entities. Before the amendment, the list contained only operators of essential services; now it includes key and important entities. Unlike the previous legal status, in which entry was made at the request of the authority responsible for cybersecurity (former wording of Article 7, paragraph 3 of the Act), entry is now made at the request of a key or important entity within six months of the occurrence of the conditions (Article 7c, paragraph 1 of the Act). Ex officio entry will generally only apply to existing operators of essential services, trust service providers, telecommunications companies, and public entities. This means that for entities meeting the conditions on the date the amendment comes into force, the deadline for submitting an application is October 3, 2026. Pursuant to the Announcement of the Minister of Digitization of April 8, 2026, regarding the schedule for submitting applications for entry in the register of key and important entities and for key or important entities to commence using the ICT system , self-registration on the list is possible from May 7, 2026, to October 3, 2026. The platform operating in the S46 system is available at https://wykaz-ksc.gov.pl/ . By April 3, 2027, key and important entities are required to commence using the ICT system specified in Art. 46 sec. 1 of the Act. This deadline begins depending on whether the entities were parties to agreements regarding the use of the ICT system referred to in Art. 46 sec. 1 of the Act concluded before April 3, 2026. For the former, the possibility of using the system was opened on April 8, 2026, and for the latter, this possibility will be available from June 12, 2026 (point 2 of the Communication of the Minister of Digital Affairs).
If an entity that meets the criteria for being considered a key or important entity fails to submit an application for entry, the authority responsible for cybersecurity may enter the entity on the list ex officio (Article 7j, paragraph 1 of the Act). Failure to comply with certain obligations related to the list (failure to timely complete missing data on the list or failure to correct data despite a request or failure to submit an application for entry) may result in the imposition of a substantial fine (Article 73, paragraph 1, point 1 and Article 73, paragraph 1a, point 1 of the Act). The catalogue of data to be included on the list has also been changed (expanded) (Article 7, paragraph 2).
In practice: The expansion of the scope of entities and the shift from administrative decision-making to automatic regulation mean that many entities may be subject to the Act without formal confirmation of this status. In practice, independent qualification analysis and continuous monitoring of compliance with statutory criteria become crucial. An incorrect assessment (or failure to comply) may result in exposure to sanctions (severe fines).
Chapter 3, which governs the obligations of key and important entities, has been expanded, and Chapters 3a and 3b have been added, addressing domain name registration service providers and public entities. Article 8 of the Act governs obligations related to the implementation of an information security management system. Compared to the previous legal framework, numerous obligations have been added. The responsibility of the manager of a key or important entity for the performance of its cybersecurity obligations has been introduced (Article 8c of the Act), and the manager’s responsibilities have also been defined (Articles 8d–8f of the Act).
The regulations regarding incident reporting have also changed. A key or important entity classifies a given incident as serious (after meeting the requirements of Article 2, Section 7 of the Act), then issues an early warning, reports the incident, and finally submits a final report on the handling of the serious incident to the CSIRT (a three-step reporting model instead of the previous one-step model – Article 11 of the Act).
Pursuant to Article 15 of the Act, key entities must conduct a security audit of the information system used in the service provision process at least once every three years. For key entities that were not previously classified as key service operators, the first audit should be conducted within 24 months of the date the conditions are met (Article 16, point 2, therefore, for these entities, the deadline for conducting the audit is April 3, 2028).
The Act amending the KSC Act establishes a 12-month transition period during which key and important entities have time to fulfill the obligations specified in Chapter 3 of the Act (except for the obligation to conduct the first audit, which entities have 24 months to conduct). Therefore, with respect to obligations such as implementing an information security management system, risk assessment, implementing technical and organizational measures, reporting and managing incidents, and verifying personnel’s criminal records, the deadline for compliance with these regulations expires on April 3, 2027.
In practice: The imposed obligations require the implementation of an information security management system. Furthermore, the single-tier incident reporting system has been changed, replaced by a more complex three-tier system. Essential entities will be required to conduct audits. Importantly, entities that were not previously considered essential service operators will be required to conduct an audit within two years of the amendment’s entry into force. However, most of the new obligations will have to be implemented by April 3, 2027. Failure to comply with these obligations will result in the manager of the relevant entity being held liable.
Until April 2, 2026, the maximum amount of the fine imposed on entities (only for the most serious violations) was PLN 1 million (former wording of Article 73, paragraph 5 in fine). Currently, the maximum amount of the fine is, as a rule, EUR 10 million (Article 73, paragraph 3 of the Act), and for the most serious violations, up to PLN 100 million (Article 73, paragraph 5 in fine of the Act).
With the imposition of a large number of obligations on key and important entities, the list of violations for which a fine may be imposed has also been expanded (Article 73 of the Act).
The new provisions on fines come into force only two years after the entry into force of the Act (i.e. from April 3, 2028).
In practice: Increasing the amount of fines disciplines key entities and important entities to take their cybersecurity obligations very seriously. It is worth emphasizing, however, that the amended regulations on fines will not enter into force until April 3, 2028.
Chapter 11 of the Act, which deals with the supervision and control of key and important entities, has been significantly expanded. Some provisions remain unchanged (the requirement to apply the provisions of the Entrepreneurs’ Law or the Act on Audit in Government Administration, the powers of the person conducting the audit, most of the obligations of audited entities, and provisions regarding audit protocols and post-audit recommendations).
The most important changes in the scope of supervision include a significant expansion of Article 53, which describes the powers of the authority responsible for cybersecurity regarding supervision and oversight of key entities. It empowers the competent authority to issue various types of administrative decisions aimed at enforcing the provisions of the Act. This article also contains a number of procedural provisions defining the nature of the proceedings. Generally, the regulations contained in this article apply only to key entities, but as stated in Article 53, paragraph 17, certain provisions also apply to inspections of important entities. Article 53, paragraph 3 states that supervision of key entities is both post-empty and preventive, while for important entities, supervision is only post-empty.
A new obligation for both key and important entities is the information obligation specified in Article 53c, which requires a key or important entity to provide certain data at the request of the authority responsible for cybersecurity.
A new institution is the ad hoc review added in Article 59c, which may be carried out only if the conditions specified in the cited Article are met.
In practice: Strengthening the powers of supervisory authorities and introducing ad hoc inspections means increased risk of inspections and the need to maintain constant readiness to demonstrate compliance with regulations. Entities should also prepare for more frequent requests for information from authorized bodies.
Chapter 10 has been amended and Chapters 10a – 10c have been added, but they do not contain any standards addressed to entities and are therefore not relevant from a practical point of view.
Several changes concern Chapter 12 concerning the Government Plenipotentiary for Cybersecurity and the Cybersecurity Board, but these changes do not have any significant impact on the entities.
Article 12a has been added, addressing specific measures to ensure cybersecurity at the national level. It primarily contains provisions on recommendations from the Government Plenipotentiary for Cybersecurity (Article 67a), the procedure for designating a supplier as a high-risk supplier (Articles 67b–67f), and a safeguarding order in the event of a critical incident (Articles 67g–67i).
Minor changes also apply to the Cybersecurity Strategy of the Republic of Poland (Articles 68–72). The changes primarily concern the content and method of developing the strategy, as well as the frequency of strategy reviews (2.5 years instead of the previous 2 years).
The amendment to the Act on the National Emergency Response Plan creates the basis for the adoption of the National Emergency Response Plan (Articles 72a – 72f of the Act).
In light of the amendments to the Commercial Companies Code, entities subject to the new regulations should take steps to ensure their operations are in compliance with the law. It is recommended that:
1) Self-identification in order to determine whether a given entity qualifies as a key or important entity within the meaning of the Act.
2) Implementation or update of an information security management system.
3) Development of procedures for identifying and reporting incidents, taking into account the new procedure.
4) Ensuring the involvement of management staff, e.g. the manager’s implementation of the obligations under Article 8d or 8e.
5) Preparing the organization for potential supervisory activities, e.g. inspections.
ex officio entries carried out by the Minister of Digital Affairs (current key service operators, trust service providers, telecommunications companies and public entities)
April 13 – May 6, 2026
self-registration in the list of key and important entities
May 7 – October 3, 2026
launching the possibility of using the S46 system for new entities
June 12, 2026
end of the deadline for starting to use the S46 system and implementing obligations (end of the adjustment period)
April 3, 2027
the first ISMS audit (for key entities that were not key service operators) and the beginning of the application of the provisions on penalties
April 3, 2028