Poland
(a) What is the NIS2 implementation status?
The Act was adopted and published in the Official Journal (2.03.2026). The Act shall enter into force one month after its publication.
At the same time, it was referred to the Constitutional Tribunal for ex post constitutional review.
(b) What is the envisaged NIS2 implementation timeline?
The draft was submitted to Parliament on 7th November 2025, and its adoption is planned for 2026.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The statutory regulations aim to adapt Polish law to the increased requirements introduced by the NIS2 Directive and to improve the functioning of the national cybersecurity framework established under the previous legislation.
The amendment to the Act on the National Cybersecurity System (KSC) significantly updates the national cybersecurity framework by expanding the scope of entities covered, introducing the categories of essential entities and important entities, and strengthening the institutional structure responsible for cybersecurity governance.
The reform also reinforces the role of the Government Plenipotentiary for Cybersecurity, who is responsible for coordinating cybersecurity policy and cooperation within the national cybersecurity system.
Furthermore, the new legislation introduces mechanisms related to the operation of sector-specific incident response structures, including the establishment of sectoral CSIRT teams to support entities operating in critical sectors in incident prevention and response.
The implementation of NIS2 also requires alignment with other European regulatory frameworks affecting cybersecurity and resilience, particularly the DORA Regulation (Digital Operational Resilience Act) and the CER Directive (Critical Entities Resilience Directive). As a result, the Polish legal framework must ensure consistency between cybersecurity, operational resilience and critical infrastructure protection requirements.
Another consequence of the reform is the introduction of statutory delegations enabling the adoption of implementing regulations, which allow for the definition of detailed technical and organisational cybersecurity requirements for entities covered by the national cybersecurity system.
Finally, the amendment implies adjustments to existing secondary legislation related to digital administration and ICT systems, including regulations concerning interoperability, public registers and minimum requirements for ICT systems used by public authorities.
(d) Who will be the supervisory authority and how are they preparing the market?
The authorities responsible for cybersecurity will be:
- for the energy sector – the minister responsible for energy;
- for the nuclear energy investment sector – the minister responsible for energy;
- for the transport sector, excluding the water transport subsector – the minister responsible for transport;
- for the waterborne transport subsector – the minister responsible for maritime economy and the minister responsible for inland navigation;
- for the banking sector and financial market infrastructures – the Polish Financial Supervision Authority;
- for the health care sector, with the exception of entities referred to in Article 26(5)(1) – the minister responsible for health;
- for the health care sector including entities referred to in Article 26(5)(1) – the Minister of National Defence;
- for the drinking water supply and distribution sector – the minister responsible for water management;
- for the digital infrastructure sector, excluding entities referred to in Article 26(5)(1) and excluding the electronic communications subsector – the minister responsible for digitalization;
- for the electronic communications subsector, excluding entities referred to in Article 26(5)(1) – the President of the Office of Electronic Communications;
- for the digital infrastructure sector including entities referred to in Article 26(5)(1) – the Minister of National Defence;
- for the collective sewage disposal sector – the minister responsible for water management;
- for the ICT services management sector – the minister responsible for digitalization;
- for the space sector – the minister responsible for the economy;
- for the sector of production, manufacture and distribution of chemicals – the minister responsible for the economy;
- for the food production, processing and distribution sector – the minister responsible for agriculture;
- for the manufacturing sector, excluding the subsector manufacture of medical devices and medical devices for in vitro diagnostics – the minister responsible for the economy;
- for the subsector of production of medical devices and medical devices for in vitro diagnostics – the minister responsible for health;
- for the postal services sector – the President of the Office of Electronic Communications;
- for the waste management sector – the minister responsible for climate;
- for the digital service providers sector – the minister responsible for digitalisation;
- for the scientific research sector, with the exception of entities referred to in Article 26(5)(1) – the minister responsible for higher education and science;
- for the scientific research sector including entities referred to in Article 26(5)(1) – the Minister of National Defence.
Coordination of incident management will be conducted by CSIRT teams. CSIRT MON, CSIRT NASK and CSIRT GOV will be responsible for implementing corrective actions and coordinating incident response at the national level.
In addition, sector-specific or subsector-specific CSIRTs are established by the competent cybersecurity authority to support the sector’s essential entities and important entities in the area of incident response and cooperate with the national CSIRT teams.
Essential and important entities will report major incidents through the national incident reporting system, and the information may be forwarded to the relevant CSIRT (CSIRT MON, CSIRT NASK or CSIRT GOV).
Competent cybersecurity authorities will submit annual reports on the functioning of sectoral CSIRTs to the Government Plenipotentiary for Cybersecurity by 31 January each year.
In order to enable supervision over entities covered by the national cybersecurity system, a national list of essential and important entities will be established.
(e) What should you be doing/on the lookout for?
The amendment to Poland's National Cybersecurity System Act shifts from administrative assessment to self-assessment, requiring organizations to independently determine whether they qualify as key or important entities and submit electronic registration applications accordingly. Organizations already meeting the criteria when the amendment takes effect must register according to a timeline set by the Minister of Digital Affairs, while others have six months from the date they meet the criteria. Registration requires extensive data including sectors of activity, IP addresses, contact details, enterprise size, and information about cybersecurity service providers, with any changes to this information needing to be reported within 14 days.
The deadline for complying with the obligations under the new regulations is 12 months. The deadline for conducting the first security audit (applies only to key entities) is 24 months.
Contact
Ewa Bugajska E: ewa.bugajska@eversheds-sutherland.pl
Marta Gadomska-Gołąb E: marta.gadomska-golab@eversheds-sutherland.pl
© Eversheds Sutherland. All rights reserved.