New Regulations to Impact Thousands of Polish Firms: Cybersecurity No Longer Optional

Starting April 3, 2026, new Polish regulations implementing the EU’s NIS 2 directive will impact tens of thousands of businesses, significantly altering their approach to data and digital infrastructure protection.

New Regulations Impacting Thousands of Firms

New regulations will impact thousands of firms, marking a shift where cybersecurity is no longer optional. The amendment to the Act on the National Cybersecurity System (KSC), implementing the EU’s NIS 2 directive, comes into effect and is estimated to cover up to tens of thousands of entities.

This is one of the most significant legal changes for businesses in recent years, fundamentally changing the approach to data and digital infrastructure protection.

End of Legislative Uncertainty

The entry into force of the new regulations ends years of legislative disputes and regulatory uncertainty. Poland is aligning with EU standards resulting from the NIS 2 directive, which aims to increase the resilience of member states to cyber threats.

Geopolitical Context and Hybrid Warfare

The new regulations are part of the fight against threats arising from the current geopolitical situation. Like other countries in the region, Poland is in an area of intensive hybrid activities.

Attacks on critical infrastructure, disinformation campaigns, and attempts to destabilize IT systems are part of a broader strategy pursued by Russia and Belarus. In recent years, there has been an increase in cyber incidents targeting, among others, public administration, the energy sector, and the financial sector.

Key and Important Entities: Who Will Be Supervised?

The amendment to the Act introduces a division of enterprises into two main categories: key entities and important entities. The scope of obligations and the level of supervision depend on this classification.

Key entities include companies from sectors such as energy, transport, banking, and healthcare.

Important entities include, among others, digital infrastructure providers, search engines, and online marketplaces.

The scale of the regulations is unprecedented – it covers not only large corporations but also medium-sized enterprises that have not previously been subject to such restrictive requirements.

Implementation Timeline for KSC

The new regulations leave no doubt as to the schedule of actions. As of April 3, 2026, the countdown to key deadlines begins.

The first step is to analyze the enterprise's activity and determine its status. Companies must then submit an application for registration in the register of entities covered by the Act – by October 3, 2026, at the latest, via the S46 system.

Entities that fail to do so may be registered automatically, which entails a risk of increased supervision and potential sanctions.

Another important deadline is April 3, 2027 – by this time, all key and important entities must implement the statutory requirements. By April 3, 2028, key entities will be obliged to conduct their first cybersecurity audit. Subsequent audits will be carried out at least once every three years.

It is worth emphasizing that only after this date will authorities be able to impose most administrative penalties, giving companies a limited but real window to adapt.

Cybersecurity Obligations for Firms: New Requirements and Procedures

The amendment to the KSC Act significantly expands the catalog of obligations. Enterprises must adopt a comprehensive approach to information security management.

The most important requirements include risk analysis and management, incident reporting, supply chain security, and basic cybersecurity hygiene measures.

A particularly important element is the mechanism for recognizing suppliers as high-risk entities. In practice, this may mean the need to replace equipment and software, generating huge costs for enterprises.

Costs of Implementing Cybersecurity: Billions of Zlotys for the Sector

The introduction of new regulations is associated with serious financial consequences. According to estimates from the telecommunications industry, the cost of replacing ICT infrastructure for a single operator may amount to as much as PLN 4.3 million over five years.

Experts emphasize, however, that the costs of inaction may be even higher. Ransomware attacks, data breaches, or paralysis of critical infrastructure generate losses amounting to millions, and in extreme cases, may threaten the continuity of the enterprise.

Firm Readiness: A Race Against Time

Despite the fact that the NIS 2 directive was adopted as early as 2022, many firms have not used the time to prepare. Paweł Kulpa, a cybersecurity architect, points out that some organizations postponed actions, citing the lack of national regulations.

There is also a shortage of specialists. The cybersecurity market has been struggling with a lack of qualified personnel for years, which may significantly hinder the implementation of new requirements.

On the other hand, some organizations – especially those operating in regulated sectors – had already implemented security standards earlier. For them, the new regulations mean a formalization of existing procedures rather than a revolution.

Cybersecurity in Poland: Growing Threats and Regulatory Pressure

The legislative changes are not accidental. Poland is one of the countries particularly exposed to cyberattacks. According to reports from institutions dealing with digital security, the number of incidents is growing year by year, and their character is becoming increasingly sophisticated.

Attacks are increasingly organized and form part of actions by states or by groups associated with the state apparatus. They concern not only data theft but also attempts to disrupt the functioning of the economy and public institutions.

In this context, the new regulations have not only a regulatory but also a strategic dimension. The state is focusing on increasing the resilience of the entire system – from administration to the private sector.
