NIS2 Poland Compliance Guide: Ustawa o Cyberbezpieczeństwie and NCSA Requirements for 2026

Complete guide to NIS2 compliance in Poland — covering the amended Cybersecurity Act (Ustawa o cyberbezpieczeństwie), NCSA enforcement, entity classification under Polish law, sector requirements, penalties, and implementation timeline for Polish entities.


Poland is among the EU Member States actively transposing NIS2 into national law through amendments to its existing Ustawa o krajowym systemie cyberbezpieczeństwa (Act on the National Cybersecurity System, or UKSC). The Polish approach builds on an existing cybersecurity framework that predates NIS2, which means Polish entities already have some compliance infrastructure — but significant gaps remain between the current law and what NIS2 demands.

This guide covers Poland’s NIS2 transposition status, the role of the Narodowe Centrum Bezpieczeństwa Cyberprzestrzeni (NCSA — National Cybersecurity Centre), which entities are affected, sector-specific requirements, penalties under Polish law, and practical steps for compliance.

Poland’s NIS2 Transposition: Where Things Stand

Poland’s NIS2 implementation comes through amendments to the UKSC rather than an entirely new law. This approach leverages Poland’s existing cybersecurity infrastructure:

  • Original UKSC (2018): Implemented the original NIS Directive (NIS1), establishing the national cybersecurity system, CSIRT structures, and operator obligations
  • Amended UKSC (NIS2 transposition): Expands scope to cover NIS2 sectors, strengthens incident reporting, introduces personal liability for management, and increases penalties

Key Dates and Timeline

Milestone | Status
--- | ---
NIS2 Directive adopted | January 2023
NIS2 transposition deadline | October 17, 2024
Polish draft amendments published | 2024
Parliamentary process | In progress (early 2026)
Expected entry into force | Mid-2026
Full enforcement begins | 12 months after entry into force

Important: While Poland missed the October 2024 EU transposition deadline (like several Member States), the European Commission has initiated infringement proceedings against late transposers. Polish entities should not wait for final legislation — the NIS2 Directive itself creates obligations that national law will enforce retroactively in many areas.

Comparison with Other EU Countries

Poland’s approach is comparable to that of the other major EU states already covered in our country guide series.

The NCSA: Poland’s National Cybersecurity Authority

Role and Mandate

The Narodowe Centrum Bezpieczeństwa Cyberprzestrzeni (NCSA) serves as Poland’s primary cybersecurity authority under NIS2. Its expanded mandate includes:

  • Supervision and enforcement of NIS2 compliance across essential and important entities
  • Risk assessment and threat intelligence sharing with obligated entities
  • Incident coordination — receiving and managing incident reports from obligated entities
  • Audits and inspections — conducting on-site and remote compliance assessments
  • Policy development — issuing binding guidelines and best practices
  • International cooperation — coordinating with EU CSIRT network and ENISA

Organizational Structure

The NCSA operates under the Ministry of Digital Affairs (Ministerstwo Cyfryzacji) and coordinates with:

  • CSIRT NASK: National CSIRT operated by NASK (Research and Academic Computer Network), handling incident response for government and critical infrastructure
  • CSIRT GOV: Government CSIRT under ABW (Internal Security Agency), handling national security incidents
  • CSIRT MON: Military CSIRT under the Ministry of National Defence
  • Sector-specific competent authorities: Designated for energy (URE), financial services (KNF), transport (UTK/UG), and health (MZ)

Entity Classification Under Polish NIS2

Essential Entities (Podmioty Kluczowe)

Under the amended UKSC, essential entities in Poland include organizations meeting size thresholds (250+ employees AND €50M turnover OR €43M balance sheet) in these sectors:

Sector | Examples of Covered Entities | Sector Authority
--- | --- | ---
Energy | PGE, Tauron, Enea, Orlen, Gaz-System, PSE (transmission system operator) | URE (Energy Regulatory Office)
Transport | PKP (rail), LOT (air), Gdańsk/Gdynia ports, PKS (road) | UTK, UG
Banking | PKO BP, Pekao, mBank, Santander Bank Polska, ING Bank Śląski | KNF (Financial Supervision Authority)
Financial market infrastructure | Warsaw Stock Exchange (GPW), KDPW (clearing house) | KNF
Health | Large hospitals, e-health system operators (CeZ), NFZ systems | MZ (Ministry of Health)
Drinking water | Large water utilities serving 100,000+ population |
Digital infrastructure | Research networks, root DNS servers, TLD operators (.pl domain — NASK) | NCSA
ICT service management | Major cloud providers, managed security services, data centers operating in Poland | NCSA
Public administration | Key government ministries, central agencies, e-government platforms (ePUAP, gov.pl) | NCSA

Important Entities (Podmioty Ważne)

Important entities meet lower size thresholds (50–249 employees OR €10M–€50M turnover) and cover additional sectors:

Sector | Examples
--- | ---
Postal services | Poczta Polska
Waste management | Major waste processing companies
Chemicals | Chemical production and distribution facilities
Food production | Large food processing companies
Medical devices | In-vitro diagnostic companies
Manufacturing | Pharmaceutical manufacturers, automotive, semiconductor producers
Digital providers | Online marketplaces, search engines, social networks operating in Poland

Size Thresholds Summary

Factor | Essential Entity | Important Entity
--- | --- | ---
Employees | 250+ | 50–249
Turnover | €50M+ | €10M–€50M
Balance sheet | €43M+ | €10M–€43M
Designation | Automatic (by sector + size) | Automatic or by designation
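The classification logic above (sector list plus size thresholds) is easy to get wrong when done by hand across a group of subsidiaries, so here is an added worked example that encodes the thresholds exactly as this guide states them. It is illustration code written for this page, not a tool from the NCSA or from the UKSC text; the sector labels are constructed from the two tables, and the grouping "250+ employees and (turnover or balance sheet)" is this example's reading of the essential-entity sentence. A large organisation in one of the additional (important-only) sectors is treated as important, and a medium-sized organisation in an essential sector is treated as important rather than essential, matching the guide's "additional sectors" and "automatic or by designation" wording.

```python
"""Entity classification helper for the thresholds in this guide.

Added illustration only. The thresholds and sector lists are taken from the
guide's tables; the real amended UKSC may define size and sector scope
differently, so treat the output as a first-pass screen, not legal advice.
"""
from dataclasses import dataclass

# Sectors from the guide's essential-entity table (Annex I style). Constructed labels.
ESSENTIAL_SECTORS = frozenset({
    "energy", "transport", "banking", "financial market infrastructure",
    "health", "drinking water", "digital infrastructure",
    "ict service management", "public administration",
})

# Additional sectors from the guide's important-entity table (Annex II style).
IMPORTANT_SECTORS = frozenset({
    "postal services", "waste management", "chemicals", "food production",
    "medical devices", "manufacturing", "digital providers",
})

MILLION = 1_000_000


@dataclass(frozen=True)
class Organisation:
    name: str
    sector: str
    employees: int
    turnover_eur: float
    balance_sheet_eur: float


def is_large(org: Organisation) -> bool:
    """Size test the guide gives for essential entities:
    250+ employees AND (turnover >= EUR 50M OR balance sheet >= EUR 43M).
    The grouping is this example's assumption about the guide's wording."""
    return org.employees >= 250 and (
        org.turnover_eur >= 50 * MILLION or org.balance_sheet_eur >= 43 * MILLION
    )


def is_medium(org: Organisation) -> bool:
    """Size test the guide gives for important entities:
    50-249 employees OR turnover between EUR 10M and EUR 50M."""
    return (50 <= org.employees <= 249) or (
        10 * MILLION <= org.turnover_eur < 50 * MILLION
    )


def classify(org: Organisation) -> str:
    """Return 'essential', 'important' or 'out of scope'.

    Order matters: the essential test is only reached for Annex I-style
    sectors; everything else that meets either size test is important.
    """
    sector = org.sector.lower()
    if sector not in ESSENTIAL_SECTORS | IMPORTANT_SECTORS:
        return "out of scope"
    if sector in ESSENTIAL_SECTORS and is_large(org):
        return "essential"
    if is_large(org) or is_medium(org):
        return "important"
    return "out of scope"


if __name__ == "__main__":
    # Constructed sample organisations, not real company figures.
    samples = [
        Organisation("transmission operator", "energy", 2000, 900 * MILLION, 5000 * MILLION),
        Organisation("regional hospital", "health", 800, 40 * MILLION, 20 * MILLION),
        Organisation("food processor", "food production", 300, 80 * MILLION, 60 * MILLION),
        Organisation("small bakery", "food production", 12, 1 * MILLION, 0.5 * MILLION),
    ]
    for org in samples:
        print(f"{org.name:22s} -> {classify(org)}")
```

The hospital case is the one worth noticing: 800 employees looks "large", but with turnover under €50M and a balance sheet under €43M it fails the guide's essential test and lands in the important tier via the turnover band, which is exactly the kind of result a manual reading tends to miss.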

For the complete EU-level classification framework, see our NIS2 Essential vs Important Entities Guide.

Key Compliance Requirements for Polish Entities

Article 21 Security Measures

All obligated entities must implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. The Polish amendments adopt Article 21 requirements directly:

  1. Risk analysis and information system security policies
  2. Incident handling — processes for detection, analysis, and response
  3. Business continuity — crisis management, backup procedures, disaster recovery
  4. Supply chain security — assessing and managing third-party risks (see our NIS2 Supply Chain Security Guide)
  5. Security in acquisition and development — secure SDLC practices
  6. Vulnerability handling and disclosure — processes for identifying and patching vulnerabilities
  7. Cryptography — encryption for data at rest and in transit
  8. Access control — identity management, MFA, least privilege
  9. Asset management — inventory of all IT/OT systems and data
  10. Employee training — cybersecurity awareness and role-specific training

For detailed technical requirements, see our NIS2 Article 21 Technical Measures Guide.

Incident Reporting Obligations

The amended UKSC adopts NIS2’s three-tier reporting structure:

Reporting Tier | Deadline | Report Content
--- | --- | ---
Early warning | 24 hours | Initial assessment, whether the incident is suspected of being significant or having cross-border impact
Incident notification | 72 hours | Update on initial assessment, severity indicators, signs of cross-border impact
Final report | 1 month | Detailed description of the incident, severity, impact, type of threat, applied measures, cross-border impact assessment

Reports are submitted to the NCSA (or the relevant sector CSIRT), which coordinates with CSIRT NASK for technical handling.

Dual reporting note: Some Polish entities may need to report under both NIS2 (to NCSA) and GDPR (to PUODO — Personal Data Protection Office) when incidents involve personal data. The timelines differ: GDPR requires 72-hour notification to PUODO, while NIS2 requires 24-hour early warning to NCSA.
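Because the NIS2 clock (24h/72h/1 month to the NCSA) and the GDPR clock (72h to PUODO) run from the same detection time but go to different authorities, incident responders benefit from computing the full schedule once rather than tracking it in their heads. The following is an added example for this guide, not an NCSA or PUODO tool: it takes a timezone-aware detection time and returns every deadline in due order. The "1 month" final report is counted as the same calendar day one month later, clamped to month end, which is this example's assumption about how the period is measured; the authority names and hour counts follow the table and note above.

```python
"""Incident reporting clock for the NIS2 + GDPR dual-reporting case.

Added example only; deadlines follow the guide's table (24h, 72h, 1 month)
and the 72h GDPR notification to PUODO when personal data is involved.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Deadline:
    due: datetime
    authority: str
    report: str


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_months(moment: datetime, months: int) -> datetime:
    """Advance by whole calendar months, clamping the day to month end
    (e.g. 31 January -> 28 February). Assumption: this is how the
    guide's '1 month' is counted."""
    month_index = moment.month - 1 + months
    year = moment.year + month_index // 12
    month = month_index % 12 + 1
    day = min(moment.day, monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def reporting_schedule(detected_at: datetime, personal_data_involved: bool) -> list:
    """Return all deadlines for an incident detected at `detected_at`,
    earliest first. Raises if the timestamp is naive, because a naive
    local time is ambiguous around DST changes."""
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    deadlines = [
        Deadline(detected_at + timedelta(hours=24), "NCSA", "NIS2 early warning"),
        Deadline(detected_at + timedelta(hours=72), "NCSA", "NIS2 incident notification"),
        Deadline(add_months(detected_at, 1), "NCSA", "NIS2 final report"),
    ]
    if personal_data_involved:
        # Separate clock, separate authority: same 72h figure, but to PUODO.
        deadlines.append(
            Deadline(detected_at + timedelta(hours=72), "PUODO", "GDPR breach notification")
        )
    return sorted(deadlines, key=lambda d: (d.due, d.authority))


def next_due(schedule: list, now: datetime):
    """First deadline that has not yet passed, or None when all are past."""
    for deadline in schedule:
        if deadline.due > now:
            return deadline
    return None


if __name__ == "__main__":
    # Constructed detection time; a ransomware event touching customer records.
    detected = utc(2026, 3, 15, 10, 0)
    for d in reporting_schedule(detected, personal_data_involved=True):
        print(f"{d.due.isoformat()}  {d.authority:6s}  {d.report}")
    upcoming = next_due(reporting_schedule(detected, True), utc(2026, 3, 17, 0, 0))
    print("next:", upcoming.report if upcoming else "none")
```

Note that the two 72-hour items are deliberately kept as separate entries rather than merged: a single "72h" reminder tends to produce one submission to one authority, and the guide's point is that both filings are due.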

Management Body Responsibilities

NIS2 introduces personal liability for management bodies — a significant change for Polish corporate governance:

  • Management must approve cybersecurity risk management measures
  • Management must undergo cybersecurity training
  • Management can be held personally liable for failures to comply
  • Natural persons can face fines of up to €1,190,000 or equivalent in PLN

This aligns with the broader EU trend we documented in our NIS2 Board Liability Guide.

Penalties Under Polish NIS2 Law

Administrative Fines

The amended UKSC aligns with NIS2’s maximum penalty thresholds:

Entity Type | Maximum Fine | Basis
--- | --- | ---
Essential entities | Up to €10,000,000 or 2% of global annual turnover (whichever is higher) | Maximum penalty for most serious violations
Important entities | Up to €7,000,000 or 1.4% of global annual turnover (whichever is higher) | Maximum penalty for most serious violations
Management persons | Up to €1,190,000 | Personal fines for management failures

Enforcement Approach

The NCSA is expected to follow a graduated enforcement approach:

  1. Advisory notices — informal guidance for first-time, minor non-compliance
  2. Formal warnings — written notice requiring remediation within a specified timeframe
  3. Binding instructions — legally binding orders to implement specific measures
  4. Administrative fines — monetary penalties for serious or persistent non-compliance
  5. Operational bans — in extreme cases, restriction of operations

Essential entities face proactive, unannounced inspections, while important entities are subject to evidence-based supervision (investigated only when there are indications of non-compliance).

For the full penalty breakdown across EU Member States, see NIS2 Penalties and Fines Explained.

Sector-Specific Considerations for Poland

Energy Sector

Poland’s energy sector is particularly significant given the country’s energy transition away from coal toward renewables and nuclear. Key obligated entities include:

  • PSE (Polskie Sieci Elektroenergetyczne): Transmission system operator
  • Gaz-System: Gas transmission operator
  • Major generators: PGE, Tauron, Enea, Orlen
  • LNG terminal operator: Gaz-System (Świnoujście terminal)

Energy entities must comply with both NIS2 and sector-specific regulations from URE. The intersection of NIS2 with Poland’s critical energy infrastructure creates additional complexity for cyber insurance coverage (see our Critical Infrastructure Underwriting Guide).

Financial Services

The Komisja Nadzoru Finansowego (KNF) supervises financial institutions for cybersecurity. Banks and financial market infrastructure must comply with:

  • NIS2 (via amended UKSC)
  • DORA (Digital Operational Resilience Act) — applicable from January 2025
  • KNF cybersecurity recommendations (Rekomendacja KNF)
  • PSD2 security requirements

Financial institutions face triple regulatory oversight: NCSA (NIS2), KNF (sector), and ESAs/ECB (EU level). This creates a complex but comprehensive compliance framework.

Healthcare

Poland’s healthcare digitization is accelerating with the Internetowe Konto Pacjenta (IKP — Internet Patient Account) and the e-Zdrowie platform. Key systems within scope include:

  • Hospital information systems (Szpitalne Systemy Informacyjne)
  • Electronic health record systems
  • E-prescription infrastructure (e-Recepta)
  • NFZ (National Health Fund) IT systems

Healthcare entities face particular challenges: limited cybersecurity budgets, legacy medical devices with outdated software, and high sensitivity of patient data.

Practical Compliance Roadmap for Polish Entities

Step 1: Determine Your Classification (Week 1)

Assess whether your organization qualifies as an essential or important entity based on:

  • Sector of activity (mapped against Annex I and II of NIS2)
  • Size thresholds (employees, turnover, balance sheet)
  • Whether you provide services across borders

Step 2: Conduct a Gap Analysis (Weeks 2–4)

Compare your current cybersecurity posture against NIS2 Article 21 requirements. Use our NIS2 Gap Analysis Guide for the complete methodology.

Step 3: Establish Incident Reporting Procedures (Weeks 3–6)

  • Designate a contact point for NCSA reporting
  • Create internal incident escalation procedures aligned with the 24h/72h/1-month timeline
  • Test reporting procedures with tabletop exercises
  • Register with the NCSA reporting portal

Step 4: Implement Technical Measures (Weeks 4–12)

Prioritize the controls that close the most significant gaps identified in Step 2. Common priorities for Polish entities:

  1. Multi-factor authentication on all remote access and privileged accounts
  2. Endpoint detection and response (EDR) across all endpoints
  3. Network segmentation to limit lateral movement
  4. Backup and recovery with offline, immutable copies
  5. Vulnerability management with defined patching SLAs
  6. Supply chain assessment of critical vendors

Step 5: Establish Governance (Weeks 6–10)

  • Brief management board on NIS2 obligations and personal liability
  • Conduct management cybersecurity training (required by Article 20)
  • Approve cybersecurity risk management policy at board level
  • Designate a CISO or equivalent function

Step 6: Document and Prepare for Audits (Weeks 10–16)

  • Maintain documentation of all security measures implemented
  • Conduct internal audit of NIS2 compliance
  • Prepare for potential NCSA inspection (essential entities)
  • Engage external auditor if required

Budget Considerations

NIS2 compliance costs vary significantly by entity size and current maturity. Based on our analysis of NIS2 compliance costs, Polish entities should budget:

Entity Size | Estimated Compliance Cost (PLN) | Annual Maintenance
--- | --- | ---
Large essential entity (1,000+ employees) | 2–5M PLN | 500K–1.5M PLN
Mid-size essential entity (250–999 employees) | 500K–2M PLN | 200K–500K PLN
Important entity (50–249 employees) | 150K–500K PLN | 50K–200K PLN

Cyber Insurance Implications for Polish Entities

NIS2 compliance in Poland directly affects cyber insurance availability and pricing:

  • Compliant entities are more likely to secure coverage and receive favorable premiums (15–40% reduction potential)
  • Non-compliant entities may face coverage exclusions or declinations, particularly for incidents arising from known, unaddressed gaps
  • NCSA enforcement actions could trigger policy conditions or reputational impacts
  • The intersection of NIS2, GDPR, and DORA creates complex notification obligations that cyber policies must address

For insurance professionals assessing Polish risks, see our NIS2 Underwriting Questions for Brokers.

Key Resources for Polish Entities

  • NCSA website: ncsa.gov.pl — official guidance, reporting portal, threat advisories
  • CSIRT NASK: cert.pl — incident reporting, vulnerability disclosure, threat intelligence
  • Ministry of Digital Affairs: gov.pl/web/cyfryzacja — policy documents, legislation drafts
  • ENISA NIS2 resources: enisa.europa.eu/topics/nis-directive — EU-level guidance
  • KNF cybersecurity guidance: For financial sector entities

The Bottom Line

Poland’s NIS2 transposition through the amended Ustawa o cyberbezpieczeństwie creates substantial new obligations for Polish entities across energy, finance, transport, health, and digital sectors. The NCSA will serve as the primary supervisory authority with significant enforcement powers, including fines of up to €10M for essential entities and personal liability for management.

Polish organizations that begin compliance preparation now — before the amended law enters into force — will avoid the enforcement crunch that inevitably follows transposition. The roadmap is clear: classify your entity, run a gap analysis, implement Article 21 measures, establish incident reporting, and prepare for NCSA inspections.

For a broader NIS2 compliance framework applicable across all EU Member States, start with our NIS2 Compliance Guide and IT Manager Action Plan.
