Poland


(a) What is the NIS2 implementation status?

The Council of Ministers adopted a draft bill amending the Act on the National Cybersecurity System and certain other acts, submitted by the Minister of Digital Affairs.

Latest key changes:

  1. Sectoral CSIRT teams and external SOCs will replace the existing structures
  2. Telecommunications operators and ISAC information exchange centres will join the KSC system
  3. The Cybersecurity Plenipotentiary will gain new powers, including the ability to issue warnings and recommendations
  4. A National Cybersecurity Certification System will be established
  5. A procedure for assessing so-called high-risk suppliers will be introduced

(b) What is the envisaged NIS2 implementation timeline?

The draft was submitted to Parliament on 7th November 2025, and its adoption is planned for 2026.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The statutory regulations are aimed at adapting Polish law to the increased requirements imposed by NIS2 itself, as well as correcting the shortcomings observed in the application of the earlier laws. For instance, it is argued that the powers of the Government Representative for Cyber Security are insufficient: the Representative lacks effective means of influencing entities in the national cyber security system. In addition, only two sector cyber security teams have been established so far, so other sectors of the economy lack teams to support businesses in responding to incidents.

Furthermore, as the justification for the Draft Law indicates, because of references in NIS2 itself the Draft Law will be subject to changes, mainly to its conceptual framework, aimed at adapting the draft to the regulations transposing the DORA Regulation and the CER Directive.

Another impact of NIS2 on legislation will be the inclusion of a statutory delegation. The Council of Ministers will be able to establish, via regulation, detailed requirements for the information security management system, set separately for each type of activity performed by essential entities or important entities.

Because sub-statutory acts must comply with statutory acts, the amendment will entail changes to regulations such as the Regulation of the Council of Ministers of 12 April 2012 on the National Interoperability Framework, minimum requirements for public registers and exchange of information in electronic form and minimum requirements for ICT systems.

(d) Who will be the supervisory authority and how are they preparing the market?

The authorities responsible for cyber security will be:

  1. for the energy sector - the minister responsible for energy;
  2. for the nuclear energy investment sector, the minister responsible for energy;
  3. for the transport sector, excluding the water transport subsector, the minister responsible for transport;
  4. for the waterborne transport subsector - the minister responsible for maritime economy and the minister responsible for inland navigation;
  5. for the banking sector and financial market infrastructures - the Polish Financial Supervision Authority;
  6. for the health care sector, with the exception of entities referred to in Article 26(5) - the minister responsible for health;
  7. for the health care sector including entities referred to in Article 26(5) – the Minister of National Defence;
  8. for the drinking water supply and distribution sector - the minister responsible for water management;
  9. for the digital infrastructure sector, the minister responsible for computerisation;
  10. for the electronic communications subsector, the President of the Office of Electronic Communications;
  11. for the digital infrastructure sector including entities referred to in Article 26(5) – the Minister of National Defence;
  12. for the collective sewage disposal sector – the minister responsible for water management;
  13. for the ICT services management sector – the minister responsible for computerisation;
  14. for the space sector, the minister responsible for the economy;
  15. for the sector of production, manufacture and distribution of chemicals – the minister responsible for the economy;
  16. for the food production, processing and distribution sector – the minister responsible for agriculture;
  17. for the manufacturing sector, excluding the subsector manufacture of medical devices and medical devices for in vitro diagnostics – the minister responsible for the economy;
  18. for the sub-sector of production of medical devices and medical devices for in vitro diagnostics – the minister responsible for health;
  19. for the postal services sector – the President of the Office of Electronic Communications;
  20. for the waste management sector – the minister responsible for climate affairs;
  21. for the digital service providers sector, the minister responsible for computerisation.

Coordination of incident management will be conducted by CSIRT teams. CSIRT MON, CSIRT NASK and CSIRT GOV will be responsible for implementing corrective actions.

In addition, there is an obligation for the cybersecurity authority to appoint a sector-specific or subsector-specific CSIRT to support the sector’s essential entities and important entities in the area of incident response. Essential and important entities will report major incidents to those teams and then the information will be forwarded to the relevant CSIRT (CSIRT MON, CSIRT NASK or CSIRT GOV).

Authorities responsible for cyber security will submit reports on the functioning of sectoral CSIRTs to the Government Representative for Cyber Security once a year, by 31 January.

In order to provide all the information necessary for effective supervision of entities, the minister responsible for digitalization will keep a register of essential and important entities. This authority will also be responsible for incident management and crisis management in large-scale cybersecurity in the civil sector.

(e) What should you be doing/on the lookout for?

It should be noted that NIS2 uses the concept of services in a comprehensive sense. In the Polish legal system, public entities carry out public tasks, therefore, for the avoidance of doubt, the general provisions explicitly indicate that in the case of a public entity, the term service is understood to include the public task carried out by the entity.

Until now, key service providers (essential entities) have been designated through an administrative decision by the authority responsible for cyber security. A major problem, however, has been the identification of digital service providers within the meaning of the NIS1. To simplify the identification of essential and important entities, self-registration of these entities has been made mandatory. Registration will take place in the register of essential and important entities, which will be maintained by the minister responsible for digitalization. Entities that meet the requirements for essential and important entities will be required to register in this register within two months of meeting the requirements for recognition as either an essential entity or an important entity.

Considering the large potential number of entities subject to registration, registration will not take the form of an administrative decision. Instead, it will take the form of another public administration action, and the entity will be able to challenge such an action before an administrative court. A new legal institution included in the draft is a protective order issued by the Minister of Digitalization in the form of a general decision. It will make it possible to order a given group of entities to perform a certain act to prevent a critical incident.

Contact

Ewa Bugajska E: ewa.bugajska@eversheds-sutherland.pl

Marta Gadomska-Gołąb E: marta.gadomska-golab@eversheds-sutherland.pl


© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.