Poland’s amendment to the National Cybersecurity System Act has been signed by the President

Published on 20th February 2026

The amendment to Poland’s National Cybersecurity System Act implementing the NIS2 Directive has been signed by the President, closing the legislative phase and opening the implementation phase. What does this mean in practice? The new provisions will enter into force one month after publication. For companies operating in Poland, a regulatory “sprint” begins: the window to move from monitoring developments to concrete implementation actions will be short.

A new classification of entities

From a business perspective, the most important change is not a single obligation, but who will be covered by the new requirements, and to what extent. Classification depends primarily on the sector of activity and the size/scale of the organisation, including its role in sectors of strategic importance to the state (e.g., energy or banking).

  • Essential entities — higher criticality, more intensive supervision, and additional obligations, including audit requirements.
  • Important entities — obligations related to risk management and incident handling remain extensive, but in principle the supervisory regime is lighter than for essential entities.

What should you pay particular attention to?

1. “Risk-appropriate” measures: security must be operational and measurable

The new requirements must work in practice and be demonstrable during inspections. The rules explicitly require technical and organisational measures tailored to the organisation’s size and the nature of its services. In practice, this includes, among other things, asset inventory, threat identification, review of procedures, and training.

2. Faster incident response and reporting: S46 and strengthened CSIRTs

The amendment is intended to streamline incident reporting — information is to be submitted to CSIRT teams via the S46 system. In addition, a network of sectoral CSIRTs is to be developed to support organisations in incident response, threat intelligence sharing, and training.

3. High-risk supplier: supply chain implications

The minister responsible for digital affairs, with the involvement of the advisory body to the Council of Ministers on cybersecurity matters, may, in a transparent procedure, recognise a supplier as “high risk.” In practice, this means a ban on deploying that supplier’s solutions, and for technology already in use, an obligation to phase it out within specified timeframes (generally up to 7 years, and 4 years indicated for the largest telecommunications operators).

4. New sanctions

Financial penalties and “daily penalties” are likely to be among the most tangible elements of the new regime. Essential entities may face fines from PLN 20,000 to EUR 10 million or 2% of turnover, while important entities may face fines from PLN 15,000 to EUR 7 million or 1.4% of turnover. In addition, failure to comply with an authority’s order (e.g., actions in response to a major incident or conducting an audit) may result in a periodic penalty of PLN 500–100,000 for each day of delay. In extreme cases involving serious risk to the state, life and health, or continuity of services, sanctions may reach up to PLN 100 million.

At the same time, a so-called sanctions buffer means that administrative fines for failure to meet obligations are to be imposed only after two years from the date the Act enters into force, but implementation duties and operational risk arise earlier.

EU Digital Compliance at Osborne Clarke

We support companies in building an integrated EU digital compliance programme based on shared governance, consistent policies, clear RACI, and shared processes where regulations overlap (e.g., NIS2, DORA, GDPR, and others).

We can help, among other things, with:

  • assessing whether — and to what extent — your organisation is subject to the new obligations,
  • designing and implementing an end-to-end NIS2/KSC programme,
  • preparing your organisation for incidents, reporting and audits (including practical “evidence packs”),
  • structuring the work into a realistic implementation plan — so that solutions are operational, measurable and inspection-ready.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
