Poland implements NIS2: Amendment to the Act on the National Cybersecurity System signed by the President

The President of Poland has signed an amendment to the Act on the National Cybersecurity System, marking a key step in the implementation of the EU’s NIS2 Directive and the 5G Toolbox (in its extended version).

The new regulations respond to the rapidly evolving technological landscape and introduce far‑reaching changes to the Polish cybersecurity framework. Most notably, they significantly expand the catalogue of entities subject to cybersecurity obligations and substantially increase the level of liability – including personal liability of members of management bodies.

Following the President’s signature, the amendment is expected to be published shortly in the Journal of Laws. The new provisions will enter into force one month after publication. From that moment, the key statutory deadlines will begin to run, including:

  • 6 months – deadline to submit an application for entry in the register of essential and important entities;
  • 12 months – deadline to implement risk management measures and to start using the S46 system for incident reporting and handling;
  • 24 months – deadline to carry out the first compliance audit;
  • 2 years – possibility of imposing the first financial penalties for non‑compliance.

Importantly, the amended Act introduces a self‑identification mechanism that applies to a very broad group of entities operating in 18 different sectors listed in the annexes to the legislation. Failure to comply with the new cybersecurity obligations within the statutory time limits may result in fines amounting to millions of euros. Additional sanctions may include the suspension of licences or permits to conduct business activity and, in the case of management personnel, a ban on performing managerial functions.

If you are unsure whether the new regulations apply to your organisation or how to prepare for the upcoming obligations, we encourage you to contact us. At SSW, we provide comprehensive support – from self‑identification and training, through contractual arrangements, to incident response – as well as advice on personal data protection, which remains closely linked to cybersecurity compliance.
