Amendment to the Act on the National Cybersecurity System Submitted for First Reading

On 17 November 2025, the government submitted a draft amendment to the Act on the National Cybersecurity System¹ (“Draft Act”) for its first reading. This is the result of 18 months of work on implementing the NIS2 Directive into Polish law.

The deadline for implementing NIS2 expired on 17 October 2024, and Poland missed the transposition date. The Draft Act provides for a short vacatio legis - only one month from publication in the Journal of Laws. This means that entities covered by the amendment will have three months to register in the official register and six months to implement cybersecurity risk-management measures from the date the Act enters into force.

According to the explanatory memorandum, CSIRT NASK data illustrates the scale of cybersecurity challenges². In 2022, the team recorded 39,000 reported incidents, in 2023 this number rose to 75,000, and in 2024 reached 103,000 reports - a 164% increase in just two years.

Expanded Sectors and New Areas

The amendment divides entities into essential entities and important entities, based on size and significance for the functioning of the state. It also significantly expands the list of regulated sectors - from 6 to 14.

Essential sectors include:

• Energy
• Transport
• Banking and financial market infrastructure
• Health
• Drinking water supply and distribution
• Digital infrastructure
• ICT service management
• Space
• Waste water
• Public administration

Important sectors include:

• Postal services
• Nuclear energy investment
• Waste management
• Manufacturing
• Production and distribution of chemicals
• Food production and processing
• Research
• Public administration

Cybersecurity Risk-Management Measures

Both essential and important entities will be required to implement cybersecurity risk-management measures as required by Article 21 of NIS2.

Under the Polish Draft Act (Article 8), entities must establish an information security management system (Polish: "system zarządzania bezpieczeństwem informacji" or SZBI) that includes a range of elements, including but not limited to:

• Risk analysis and risk management
• Security policies for information systems
• Business continuity and crisis management
• Supply chain security
• Procedures for assessing the effectiveness of risk management measures
• Cryptography and encryption practices

The Polish Act provides detailed requirements for these measures, including incident handling, vulnerability management, continuous monitoring, staff training, and access controls.

A key novelty is the explicit accountability of management. The management body of the entity will be responsible for approving and overseeing cybersecurity risk-management measures and can be held liable for non-compliance.

Incident Reporting

Essential and important entities must report significant incidents to CSIRT in three stages:

• Early warning – immediately, no later than 24 hours
• Incident notification - within 72 hours
• Final report - within one month of the incident notification

The amendment also introduces sectoral CSIRT teams to support entities in incident response tailored to sector-specific needs.

What This Means in Practice

Entities operating in the covered sectors should conduct a self-assessment to determine whether they qualify as essential or important entities.

Entities meeting these criteria on the date the Act enters into force will be required to:

• Submit an application for entry in the register of essential and important entities maintained by the Minister of Digital Affairs - within the timeframe set in the official schedule (Art. 33(3) in conjunction with Art. 34(3)(1) of the Draft Act)
• Implement cybersecurity risk-management measures within six months of the Act’s entry into force (Art. 33(1) of the Draft Act)