Companies will face new obligations. Failure to comply will result in millions in fines.

  • The government has adopted an amendment to the Act on the National Cybersecurity System (KSC). The bill has been submitted to the Sejm.
  • The new regulations could cover up to 80,000 entities. The existing list of sectors has been expanded to include new areas: sewage disposal, postal services, space, and the production and distribution of chemicals and food.
  • Entities covered by these regulations will have to implement a number of costly and labor-intensive solutions.
  • Violations of the regulations will be punishable by very severe penalties. For key entities, they can reach up to €10 million or 2% of annual turnover (whichever is higher), with a minimum of PLN 20,000.

The cybersecurity revolution in Poland is gaining momentum. On October 21, 2025, the Council of Ministers adopted an amendment to the Act on the National Cybersecurity System, implementing the EU NIS2 directive.

Tomasz Janas, President of the Management Board of PKF Polska Advisory. Photo: Press materials / PKF Polska

The bill, which will now go to parliament, introduces changes on an unprecedented scale that will affect tens of thousands of companies, local governments and public institutions.

The new regulations will affect up to 80,000 entities

The most important change is the drastic expansion of the list of entities covered by regulation.

The amendment replaces the existing categories of essential service operators and digital service providers with two new ones: essential entities (also referred to as key entities) and important entities. It is estimated that the new regulations will cover between 40,000 and 80,000 entities in Poland – an increase of two orders of magnitude over the current situation.

The category of key entities includes the largest companies from sectors of fundamental importance to the economy and society, such as energy, transport, finance, health and digital infrastructure.

The catalogue of sectors has been expanded to include new areas: wastewater disposal, postal services, space, production and distribution of chemicals and food.

Particularly controversial is the coverage of the entire public administration sector, including local governments and their organizational units.

This means that even schools, social welfare centers, and cultural institutions run by municipalities will have to meet the KSC requirements. This presents a significant challenge for many small local governments struggling with budget shortfalls and staffing shortages.

The basic principle is that the NIS2 Directive applies to entities that qualify at least as medium-sized enterprises – i.e. employing at least 50 people and achieving an annual turnover exceeding EUR 10 million.

Micro and small businesses will generally not be subject to the requirements unless they are designated as critical entities or provide specific services, such as domain name registration.

Risk management systems, three-step incident reporting model

The amendment introduces a number of specific obligations. The foundation is the implementation of a comprehensive risk management system within the organization, based on ICT risk analysis, which considers not only digital threats but also physical, human, and environmental ones.

Organisations will be required to conduct regular risk analyses and, based on the results, implement appropriate technical and organisational measures.

The list of minimum security measures includes access control policies, encryption, incident management, business continuity (continuity and disaster recovery plans), and supply chain security.

Entities must also establish incident response procedures and provide regular training for employees, including management.

The three-tiered incident reporting model is particularly demanding. An early warning must be submitted within 24 hours of detecting a serious incident, a detailed report within 72 hours, and a final report no later than one month after reporting. This requires organizations to have an effective system for detecting and classifying incidents.

It's not just the IT department anymore. Responsibility at the highest levels of the organization.

A significant new element is the direct responsibility of management for cybersecurity. The amendment requires boards and management to make strategic decisions on information security, to plan its financing, and to oversee the fulfilment of the resulting obligations.

This is a paradigm shift – cybersecurity is no longer the exclusive domain of IT departments, but is becoming a strategic priority at the management board level.

Executives will be held personally liable, both financially and legally, for regulatory violations. This significantly raises the stakes for decision-makers at the highest levels of the organization.

Draconian sanctions: fines could reach tens of millions of zlotys

The Act provides for a system of deterrent fines. For key entities, fines can reach up to €10 million or 2 percent of annual turnover (whichever is higher), with a minimum fine of PLN 20,000. For important entities, fines can reach up to €7 million or 1.4 percent of turnover, with a minimum fine of PLN 15,000.

The harshest sanctions apply to failure to fulfill obligations related to high-risk suppliers and to situations where the violation poses a serious threat to national security or public order. Penalties for each day of delay in complying with an order can range from PLN 50,000 to PLN 100,000.

New obligations mean costs amounting to hundreds of thousands of zlotys.

Implementing the Act's requirements involves significant financial outlays. Estimates for the first phase of implementation (audit, risk analysis, documentation) for a medium-sized manufacturing company range from tens to hundreds of thousands of zlotys.

The next phase, technology implementation, costs PLN 150-300 thousand, and advanced monitoring (SIEM/SOC) another PLN 200-500 thousand or more.

An equally serious challenge is the shortage of specialists. According to the Polish Chamber of Information Technology and Telecommunications, Poland currently lacks over 10,000 cybersecurity experts. This skills gap has intensified following Russia's aggression against Ukraine, and demand will grow rapidly with the implementation of the NIS2 directive.

In response to these challenges, the Ministry of Digital Affairs, together with the Ministry of National Defense, initiated training programs for entities within the national cybersecurity system, which began in the fall of 2025. The training was divided into three categories: for all employees (cyber hygiene), for management staff and IT departments, and specialized workshops.

Time to adapt is time to act

The draft amendment provides for a six-month adjustment period following the bill's adoption. Unless preparatory steps are taken before then, six months will be too short a time to prepare.

Entities face a dilemma: to start now, despite the lack of final legal certainty, or to wait for the publication of the law, risking a lack of time for proper implementation.

There are five actions that can be implemented regardless of the final shape of the regulations:

  1. Organizing a cybersecurity department (internal or external).
  2. Designating persons responsible for contacts with supervisory authorities, including CSIRT.
  3. Taking a detailed inventory of processes, hardware and software.
  4. Conducting a risk analysis and defining priorities.
  5. Developing an incident management process.

Local governments in a special situation. Special program

The public sector, and local governments in particular, face specific challenges. Local government units often struggle with budget shortfalls and a lack of local cybersecurity experts.

The scale of obligations is comparable to the implementation of the GDPR, but with a greater emphasis on ICT elements.

To help local governments, the government launched the "Cybersafe Local Government" program, which provides PLN 1.5 billion to local government units. Of this amount, PLN 1.2 billion has been allocated for hardware and software infrastructure, PLN 183 million for procedure development, certification, and audits, and PLN 105 million for employee training.

The funds must be used by the end of June 2026.

Cyberattacks are on the rise, with Poland among the top victims.

The scale of cyber threats in Poland continues to grow. Over 600,000 security incidents were reported in 2024 – 60 percent more than the previous year.

More than 100,000 actual breaches were confirmed, an increase of 23 percent.

Particularly alarming are the figures for serious attacks, which increased by 57 percent, and breaches in the public sector by 58 percent.

Poland is the third most frequently attacked country in Europe by APT groups sponsored by foreign states, primarily Russia. Critical infrastructure and public services—transportation, energy, water, and healthcare—are most frequently attacked.

The future is Zero Trust and AI. Not just a requirement, but a necessity.

The new regulations set the direction for the development of Polish cybersecurity in the coming years. The dominant trends will include security automation using artificial intelligence, the development of real-time intrusion detection and prevention systems, the widespread adoption of multi-factor authentication, and Zero Trust architecture—which assumes that no user or device should be trusted without verification.

The Act on the National Cybersecurity System is not only a legal obligation, but above all an investment in the organization's resilience to 21st century threats.

In the era of digital transformation, cybersecurity is a business necessity and a strategic priority for every organization that wants to operate in a secure and responsible manner.

wnp.pl