NIS2 in Poland
A guide to NIS2 implementation and compliance in Poland.
Poland is updating its national cybersecurity framework to align with the strengthened obligations introduced under the NIS2 Directive. The revised regime expands sector coverage, strengthens executive accountability, and enhances supervisory and enforcement mechanisms. This guide provides a structured overview of NIS2 compliance requirements in Poland for SMEs operating in covered sectors.
1. Quick SME Applicability Snapshot in Poland
Does NIS2 apply to SMEs in Poland?
Yes — depending on sector and size.
- Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
- Small or micro entities are included only if formally designated or operating in high-criticality sectors.
- Applies to entities established in Poland and, in certain cases, foreign digital providers serving the Polish market.
SMEs should assess qualification under Poland's national cybersecurity framework based on sector classification and statutory thresholds.
2. Overview of NIS2 Implementation in Poland
Poland has transposed NIS2 through an amendment to the Act on the National Cybersecurity System (UKSC / Krajowy System Cyberbezpieczeństwa — KSC), adopted by the Sejm on 23 January 2026, signed by the President on 19 February 2026, and in force since 3 April 2026 following a one-month vacatio legis. The amendment expands the number of regulated entities from a few hundred under the prior NIS1 framework to potentially tens of thousands. Poland missed the 17 October 2024 transposition deadline and received an EC reasoned opinion in May 2025.
The amended UKSC introduces several significant national specifics: mandatory implementation of a comprehensive Information Security Management System (ISMS), with the law explicitly referencing PN-EN ISO/IEC 27001 and ISO 22301 as satisfying requirements; a mandatory biennial ISMS audit with results submitted to the competent authority; a cross-sector high-risk vendor assessment and restriction mechanism (the President has referred these provisions to the Constitutional Tribunal for secondary review); mandatory non-delegable management board training with direct personal liability; and an elevated national penalty tier — fines of up to PLN 100 million (~€24 million) where violations create a direct threat to national security, human life, or cause serious service disruption.
Phased compliance applies: registration by 3 October 2026, full ISMS / UKSC obligations by 3 April 2027, and the first mandatory biennial ISMS audit by 3 April 2028 for entities in scope on entry into force.
3. Scope of Application in Poland
Essential Entities
Entities operating in highly critical sectors:
Important Entities
Entities operating in other listed sectors:
Poland's scope broadly follows the Directive but includes national expansions. The energy sector is extended to cover mineral extraction (coal mining) and oil and fuel (replacing the Directive's narrower "oil" subsector). Additional manufacturing subsectors are included, and some sectors in the Polish scope are broader in definition than the Directive's minimum.
4. Size Thresholds and SME Applicability in Poland
The baseline thresholds apply:
- ≥50 employees, and
- ≥€10 million annual turnover or balance sheet total.
Entities meeting both criteria within covered sectors are automatically within scope.
Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity.
Polish authorities retain formal designation powers where systemic risk justifies inclusion.
5. Entity Classification Framework in Poland
Entities are categorized as:
- Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
- Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.
Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.
Poland follows the Directive's two-tier supervisory structure.
6. Cybersecurity Risk Management Requirements in Poland
Poland's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:
- Risk analysis and system protection
- Incident detection and response
- Business continuity and crisis management
- Supply chain risk controls
- Secure acquisition and development of ICT systems
- Access control and identity management
- Encryption and cryptographic safeguards
- Vulnerability management procedures
- Staff cybersecurity training
Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Polish cybersecurity guidance is encouraged.
7. Management Liability and Governance in Poland
Management bodies must formally approve cybersecurity risk management measures and oversee implementation.
Under Poland's framework:
- Boards are accountable for compliance oversight. The amended UKSC expressly excludes the possibility of shifting cybersecurity responsibility to lower organisational levels — management bears direct, non-delegable accountability.
- Senior management must ensure sufficient cybersecurity competence. The UKSC introduces a mandatory documented training obligation for management board members.
- Administrative sanctions may address governance failures. Under the UKSC, management board members face personal financial penalties for breaches of obligations under the Act, in addition to corporate-level fines.
- Temporary suspension of managerial functions may be available under Directive-aligned enforcement mechanisms.
Management liability expectations under NIS2 in Poland elevate cybersecurity governance to an executive-level responsibility.
8. Incident Reporting Obligations in Poland
Definition of a Significant Incident
An incident qualifies if it causes:
- Severe operational disruption
- Significant financial loss
- Substantial societal impact
- Cross-border effects
Reporting Timeline
| Reporting Stage | Deadline | Authority |
|---|---|---|
| Early Warning | 24 hours | Relevant sectoral CSIRT (forwards to national CSIRT: CSIRT MON / CSIRT NASK / CSIRT GOV) |
| Incident Notification | 72 hours | Relevant sectoral CSIRT (forwards to national CSIRT: CSIRT MON / CSIRT NASK / CSIRT GOV) |
| Final Report | 1 month | Relevant sectoral CSIRT (forwards to national CSIRT: CSIRT MON / CSIRT NASK / CSIRT GOV) |
Poland follows the Directive structure for NIS2 reporting deadlines. Under the amended UKSC, essential and important entities submit incident reports to their relevant sectoral CSIRT (sector- or subsector-specific CSIRTs appointed by the competent authority). Sectoral CSIRTs forward information to the three national-level CSIRTs: CSIRT GOV (Head of the Internal Security Agency), CSIRT MON (Defence Minister), and CSIRT NASK (Scientific and Academic Computer Network). Entities must also notify recipients of their services where a significant incident may affect service delivery.
9. Supervisory Authorities and Enforcement Model in Poland
Lead authority: Ministry of Digital Affairs — leads NIS2 implementation, maintains the official register of essential and important entities, and oversees civil-sector crisis management. Sector-specific competent authorities (typically the relevant sectoral ministry — e.g., Ministry of Health for healthcare, Ministry of Infrastructure for transport) carry out supervision and enforcement in their sectors. Three national CSIRTs (CSIRT GOV, CSIRT NASK, CSIRT MON) handle incident response.
Poland operates a multi-authority supervisory model: the Ministry of Digital Affairs leads, sectoral ministries supervise within their sectors, and sectoral CSIRTs appointed by each competent authority complement the three national CSIRTs.
Supervisory powers include:
- Requests for documentation and information
- Security audits — including a mandatory biennial ISMS audit with results submitted to the competent authority; competent authorities may order additional assessments
- On-site inspections
- Binding compliance instructions
- Participation in EU cybersecurity coordination mechanisms
The enforcement structure aligns with Directive-level cooperation requirements.
10. NIS2 Fines and Sanctions in Poland
Poland applies Directive-aligned administrative penalties.
Essential Entities
Up to €10 million or 2% of total global annual turnover (whichever is higher)
Important Entities
Up to €7 million or 1.4% of total global annual turnover (whichever is higher)
Enforcement of NIS2 fines in Poland may also include:
- Binding remediation orders
- Public identification of non-compliant entities
- Suspension of authorizations or certifications
- Managerial suspension powers
- Personal financial penalties on management board members for breaches under the UKSC
- Elevated national penalty tier — fines up to PLN 100 million (~€24 million) and daily fines of PLN 500–100,000 where violations create direct threats to national security, human life or health, or significant service disruption
11. NIS2 Supply Chain and Vendor Security in Poland
Entities must manage third-party cybersecurity exposure through:
- Vendor risk assessments
- Contractual security flow-down provisions
- Continuous ICT supplier monitoring
- Concentration risk analysis
- Incident propagation mitigation
Poland's approach aligns with Directive baseline expectations regarding supplier risk management.
12. Registration and Self-Identification Duties in Poland
Entities within scope must:
- Self-assess and register with the Ministry of Digital Affairs (which maintains the official register); entities in scope on 3 April 2026 must register by 3 October 2026; entities qualifying after 3 April 2026 have six months from identification
- Provide corporate identification details
- Disclose sector classification
- Maintain updated reporting contacts — changes to registered information must be reported within two weeks
The amended UKSC requires implementation of a comprehensive ISMS aligned with PN-EN ISO/IEC 27001 and ISO 22301, plus a biennial ISMS audit submitted to the competent authority. Full UKSC Chapter 3 obligations apply by 3 April 2027; the first mandatory ISMS audit is due by 3 April 2028 for entities in scope on entry into force.
Self-identification is mandatory where entities meet statutory thresholds. Criminal background checks are required for employees performing ISMS implementation tasks. Use the Ministry of Digital Affairs' ISMS standards mapping for guidance.
13. Interaction With GDPR and Other Laws in Poland
The General Data Protection Regulation continues to apply concurrently.
Overlap considerations include:
- 72-hour personal data breach notification
- Supervisory authority coordination
- Parallel cybersecurity and data protection investigations
- Sector-specific Polish cybersecurity legislation
A cyber incident may trigger reporting obligations under both regimes.
14. Cross-Border Applicability
Entities with their main establishment in Poland are supervised by Polish authorities for cross-border services.
Foreign digital providers offering services in Poland may be subject to national obligations depending on establishment structure.
Representation requirements follow Directive standards for non-EU providers serving the Polish market.
15. Implementation Timeline in Poland
- Directive adoption (EU level): 2022
- National legislative process: EC reasoned opinion 7 May 2025; draft submitted 7 November 2025; adopted by the Sejm on 23 January 2026; signed by the President on 19 February 2026
- Entry into force: 3 April 2026 (one-month vacatio legis)
- Commission notification: infringement proceedings resolved on transposition completion (3 April 2026)
- Compliance milestones: registration by 3 October 2026; full ISMS / UKSC obligations by 3 April 2027; first biennial ISMS audit by 3 April 2028
Poland completed transposition on 3 April 2026, ~18 months after the EU deadline. Upcoming key milestones are registration by 3 October 2026 and full ISMS compliance by 3 April 2027 — entities should begin self-assessment immediately.
16. Key Takeaways for SMEs in Poland
- Medium-sized entities in covered sectors are automatically within scope. The amended UKSC is in force as of 3 April 2026 — begin scope self-assessment now. Polish scope is broader than the Directive minimum (e.g., energy expanded to coal mining).
- Small entities may be designated if critical to national or economic stability.
- Board-level governance oversight is mandatory — direct personal liability, non-delegable, with mandatory documented training.
- Incident reporting follows 24-hour / 72-hour / 1-month deadlines, with reports submitted to the relevant sectoral CSIRT, which forwards them to the national CSIRTs (CSIRT GOV / NASK / MON).
- Financial penalties can reach €10 million or 2% of global turnover; under Polish law, fines up to PLN 100 million (~€24 million) for serious national-security or life-threatening violations, plus daily fines PLN 500–100,000 and separate personal financial penalties on board members.
- Vendor risk management is required, including a cross-sector high-risk vendor assessment and restriction mechanism — once a vendor is designated high-risk, all regulated entities must cease using affected ICT products/services (provisions currently under Constitutional Tribunal review).
- Key deadlines: registration by 3 October 2026; full ISMS by 3 April 2027; first biennial audit by 3 April 2028. Begin self-assessment and ISMS implementation now using the PN-EN ISO/IEC 27001 / ISO 22301 framework.
FAQ: NIS2 Poland SME Guide
Does NIS2 apply to small companies in Poland?
Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.
What are the NIS2 fines in Poland?
Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.
When does NIS2 take effect in Poland?
The UKSC amendment was signed by the President on 19 February 2026 and entered into force on 3 April 2026. Phased compliance applies: entities in scope must register by 3 October 2026, full ISMS obligations apply from 3 April 2027, and the first mandatory biennial ISMS audit is due by 3 April 2028.
Who enforces NIS2 in Poland?
The Ministry of Digital Affairs leads UKSC implementation, maintains the official entity register, and manages civil-sector crisis response. Sector-specific competent authorities (typically the relevant sectoral ministries) supervise and enforce within their sectors. Three national CSIRTs coordinate incident response: CSIRT GOV (Internal Security Agency), CSIRT NASK (Scientific and Academic Computer Network), and CSIRT MON (Ministry of National Defence). Sectoral CSIRTs appointed by each competent authority receive incident reports and forward them to the national CSIRTs.
Can directors be personally liable under NIS2 in Poland?
Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.
How does NIS2 differ from GDPR in Poland?
NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.
What qualifies as a significant incident under NIS2 in Poland?
An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.