Beyond compliance: Poland’s NIS2 implementation
by Bartosz Jankowski
Poland is on the verge of a major overhaul of its cybersecurity framework through the amendment to the National Cybersecurity System Act (NCSA), implementing the European Union’s Network and Information Security 2 Directive (NIS2).
The new legislation significantly expands the scope of regulated entities, introduces stricter governance and incident-reporting obligations, and increases potential financial exposure for non-compliance. While the President of Poland has signed the act, he has simultaneously referred it to the Constitutional Tribunal, thus creating a degree of legal uncertainty.
Fundamental expansion of scope
The implementation of NIS2 marks a shift from a relatively narrow cybersecurity regime to a far broader compliance ecosystem. Under the amended NCSA, the catalogue of “essential” and “important” entities has been substantially expanded.
In addition to traditionally critical sectors such as energy, transport, banking, financial market infrastructure, and health and digital infrastructure, the Polish framework now includes entities operating in areas such as waste management, manufacturing of critical products, food production, postal services, and certain digital service providers. Medium-sized and large enterprises in listed sectors will generally fall within this scope, even if they were not previously regulated.
For many businesses, this will be the first time they are directly subject to statutory cybersecurity obligations. The scale of onboarding is therefore unprecedented in the Polish market.
Key business obligations
The amended act introduces a comprehensive compliance architecture aligned with NIS2 standards. Core obligations include:
- Implementation of risk management measures proportionate to the entity’s risk profile;
- Incident detection and reporting within strict deadlines (following the NIS2 cadence: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month);
- Supply chain security management;
- Business continuity and crisis management procedures; and
- Regular risk assessments and internal governance oversight.
Management bodies are explicitly responsible for approving cybersecurity measures and supervising their implementation. They may also be subject to personal liability in cases of gross negligence. This represents a cultural shift, elevating cybersecurity from an IT issue to a board-level matter.
Sanctions and supervisory model
The amended NCSA increases administrative fines. For essential entities, penalties may reach up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to EUR 7 million or 1.4%. These figures mirror the maximum fines NIS2 requires member states to provide for. Additionally, the powers of supervisory authorities are strengthened, including the ability to conduct audits, issue binding recommendations, and impose corrective measures.
For businesses, the message is clear: enforcement risk is real, and compliance should not be treated as a formalistic exercise.
Poland goes further than NIS2
While the Polish amendment formally implements Directive (EU) 2022/2555, it introduces several elements that may be considered more rigorous than the directive’s minimum harmonisation framework.
The Polish model provides for detailed national qualification procedures and registration obligations. In practice, the designation process is likely to identify and register entities in a more structured and centralised manner than the directive strictly requires, increasing regulatory visibility and compliance pressure. The NCSA amendment also broadens the scope beyond NIS2, bringing additional sectors under cybersecurity obligations as essential entities.
Furthermore, the Polish act spells out management accountability in detail, linking governance failures more explicitly to potential sanctions. The level of formalisation expected in internal cybersecurity documentation and reporting structures may exceed what some EU member states adopt under minimum harmonisation.
Strategic implications for business
From a business perspective, the Polish implementation of NIS2 should be viewed as a structural change in operational risk management for entities which did not previously apply higher standards of cybersecurity compliance.
Companies operating cross-border within the EU should align their Polish compliance efforts with group-wide NIS2 strategies, ensuring consistency and avoiding duplication. At the same time, they should be aware of, and compliant with, the Polish-specific requirements that go beyond the directive.
Poland’s amended National Cybersecurity System Act represents the most significant cybersecurity reform in the country’s history.
For businesses, the prudent assumption is that the new regime will apply in full. The implementation process may not yet be politically settled, but operational and compliance preparations should already be well underway.
Bartosz Jankowski is a trusted advisor for his clients, supporting companies with know-how in new tech, intellectual property (IP), and cybersecurity together with his expertise in resolving disputes and business restructuring.
