After roughly six years of consultations, multiple draft revisions, a change of government, and a formal warning from the European Commission, Poland's amended Act on the National Cybersecurity System — known as the KSC Act — officially entered into force on April 3, 2026. The clock is now ticking for an estimated 42,000 businesses and public entities across the country. Some of them don't even know it yet.
The amendment transposes the EU's NIS2 Directive (Directive (EU) 2022/2555) into Polish national law, replacing and vastly expanding the previous KSC framework that covered only around 400 entities. Published in the official Journal of Laws on March 2, 2026, following President Karol Nawrocki's signature on February 19, the law took effect after a one-month vacatio legis period. At the signing ceremony, Nawrocki used a phrase that neatly captures the current moment: "We live in an era where war doesn't always begin with a gunshot. Sometimes it begins with a click."
He signed it — but also immediately filed a motion with the Constitutional Tribunal for a post-hoc review, challenging, among other things, the law's extension of obligations to 18 economic sectors. The law entered into force regardless, and it remains effective in its current form until the Tribunal rules otherwise. For any business hoping that constitutional review provides a legal escape hatch: it doesn't.
Why It Took So Long — and Why That Matters Now
The EU-wide deadline for NIS2 transposition was October 17, 2024. Poland missed that window, prompting the European Commission to escalate through its infringement track, including a formal reasoned opinion in May 2025. At that point, Warsaw was essentially one step away from referral to the European Court of Justice.
The main barrier to adoption was reportedly a dispute between the Ministry of Digital Affairs and the Ministry of Finance over a proposed PLN 250 million annual increase to the Cybersecurity Fund. There were also legal arguments about whether the high-risk vendor provisions required prior notification to the European Commission under a separate EU technical regulations directive — a dispute that some legal experts warned could have triggered an additional standstill period of up to 18 months.
In the end, the Sejm passed the law on January 23 with 407 votes in favor and just 10 against. The Senate followed on January 28, and the President signed shortly thereafter. Poland now joins the rest of the EU — albeit 15 months late.
Who Is Actually Covered?
This is the question keeping a lot of compliance and legal teams busy right now. Under the previous KSC framework, scope was narrow and entities were largely designated by administrative decision. Under the amended law, most organizations will have to figure out for themselves whether they qualify as an essential entity or an important entity.
The new rules significantly expand the scope of entities subject to cybersecurity obligations and impose real liability on corporate board members.
According to figures cited by legal experts at Traple Konarski Podrecki i Wspólnicy during a March 10 webinar for business owners, Poland's Ministry of Digital Affairs estimates the law will catch approximately 42,000 entities — including nearly 28,000 public sector bodies.
The definition of essential and important entities in Poland broadly follows the EU NIS2 Directive, which separates regulated sectors into two groups (Annex I and II). However, Poland has made some additions. The energy sector was expanded to include coal mining. Banking and financial market infrastructure picked up additional entity types. And sectors like food production, chemicals manufacturing, and water supply — previously outside the scope of national cybersecurity rules — are now firmly inside.
Classification isn't always obvious. The law firm Traple Konarski Podrecki i Wspólnicy offered a telling example during the March webinar: furniture manufacturers are generally not covered by the amendment — unless they also produce adhesive bonding products, in which case they may well qualify as an essential or important entity. The boundaries of the law are genuinely nuanced, and getting the classification wrong carries real financial consequences.
Only a narrow category of entities — telecommunications operators, for instance — will be registered automatically. Everyone else has to self-assess.
The Key Deadlines
There are three dates every affected organization needs to have on its calendar:
October 3, 2026 — the deadline to submit an application for entry into the official register of essential and important entities. This self-assessment may be complex and require an analysis of sector classification, size thresholds, and the nature of the services provided. Failing to register doesn't exempt an organization from its obligations — it just adds a potential compliance violation on top.
April 3, 2027 — the deadline by which essential and important entities must have implemented all obligations under Chapter 3 of the KSC Act. That means a functioning information security management system, incident handling processes, supply chain security policies, and the rest of the ten-point compliance checklist derived from NIS2.
April 3, 2028 — the date of the first mandatory cybersecurity audit for essential entities, and also the date when the moratorium on most financial penalties expires. Up until that point, regulators are largely limited in the fines they can impose — with one notable exception, covered below.
What Compliance Actually Looks Like
The substantive obligations under the amended KSC are extensive. At their core, they reflect the ten-pillar framework that NIS2 mandates across the EU, which Traple attorneys summarized during their March webinar as covering: risk analysis and information security policies; incident handling; business continuity; supply chain security; security of network and systems acquisition; policies and procedures for assessing risk management measures; cyberhygiene and training; cryptography and encryption policies; human resources security, access control, and asset management; and — where appropriate — multi-factor authentication.
Polish law explicitly references PN-EN ISO/IEC 27001 and ISO 22301 as relevant standards. Organizations that have implemented an ISMS based on these standards will be considered to meet the new KSC requirements. The Ministry of Digital Affairs has said it will publish a mapping of KSC obligations to those standards — useful for anyone already holding an ISO 27001 certification.
Essential entities also face an additional obligation: they must audit their information security management system at least every two years and submit the results to their relevant cybersecurity authority.
The High-Risk Vendor Problem
One of the most contentious elements of the Polish law goes beyond NIS2 itself. The high-risk vendor (HRV) mechanism — drawn from the EU's 5G Toolbox rather than NIS2 — gives the Minister of Digital Affairs the power to formally designate a supplier of ICT products, services, or processes as posing a threat to state security.
If the Minister determines that a supplier is high-risk, a formal decision is issued specifying which ICT products, services, or processes are covered. The decision is published in the official journal and online, and it takes immediate effect.
From that moment, any covered entity using that supplier's products must stop introducing new deployments and begin removing existing ones. Products already on the market must be removed within up to four years for critical functions, or seven years for other equipment. Businesses must bear the replacement costs themselves. There is no compensation.
Critically, while the EU's 5G Toolbox was originally designed with telecommunications networks in mind, Poland has extended the HRV mechanism to all 18 sectors covered by NIS2, not just telecoms. That's a significant broadening of scope — and one that drew sharp criticism from industry groups during the legislative process.
The HRV provisions are also the specific sections that President Nawrocki flagged with the Constitutional Tribunal. Legal proceedings aside, affected organizations should treat those provisions as active law for planning purposes.
Penalties: Most Wait, One Doesn't
The fine structure under the amended KSC is steep:
- Essential entities face penalties ranging from PLN 20,000 to €10 million
- Important entities face fines from PLN 15,000 to €7 million
- Unit managers (i.e., board members) face personal fines of up to 300% of their monthly salary, and in serious cases, a temporary ban from holding management positions
- Non-compliance with a regulatory order triggers a daily fine of PLN 500 to PLN 100,000
And then there's the headline figure: if an entity violates the law and causes a direct and serious cybersecurity threat to Polish defense, state security, public safety, or human life and health, a fine of up to PLN 100,000,000 (approximately €23 million) may be imposed.
The good news, for most businesses, is that the majority of financial penalties won't be enforced until April 3, 2028 — two years after entry into force. That's the moratorium negotiated via a parliamentary amendment.
The bad news is the PLN 100 million "super-fine" is explicitly excluded from that moratorium. It can be imposed from day one. And regulatory supervision — inspections, demands for information, orders to conduct audits — is already active as of April 3, 2026.
As attorney Agnieszka Wachowska, co-managing partner at Traple Konarski Podrecki i Wspólnicy, put it during the March webinar: the moratorium does not cover supervisory measures. Inspectors can knock on your door now.
What to Do Starting Now
For companies operating in Poland, a regulatory sprint begins — the window to move from monitoring developments to concrete implementation actions is short.
The immediate priority is a scoping assessment: does your organization qualify as an essential or important entity under the amended KSC? If the sector classification is unclear — and for many organizations it genuinely will be — legal advice is worth the investment before October 2026. Getting this wrong isn't a technicality; it's a compliance failure.
Once scope is confirmed, the focus shifts to implementing an ISMS (ideally ISO 27001-aligned), building out incident response capabilities, and auditing third-party ICT relationships with the HRV framework in mind. That last point is easy to underestimate. Any supplier in your technology stack that's controlled by a non-EU, non-NATO state is a potential HRV candidate — which could mean mandatory replacement at your cost and on a fixed timeline.
Organizations that have been monitoring the legislative process over the past six years while simultaneously building capabilities are prepared today. Those that have been waiting for the "right moment" to act have run out of runway.