We provide full legal support in implementing cybersecurity requirements. We map regulatory obligations and practical solutions, negotiate contracts with ICT service providers, assist in introducing internal policies and procedures, and deliver training for management boards and employees.
Cybersecurity
The pace of development, the increasing complexity of IT technologies and their widespread use are closely linked to cybersecurity. In response, new cybersecurity regulations have been introduced, covering an ever-growing number of economic sectors – from energy, transport and healthcare to food production and the manufacturing of electronic devices. Failure to implement cybersecurity requirements exposes organisations to real risks, not only legal but, above all, business-related (such as the inability to provide services or reputational damage resulting from data breaches).
On 3 April 2026, new cybersecurity regulations implementing the NIS2 Directive in Poland will enter into force.
The new cyber requirements apply to as many as 18 sectors of the economy, including: energy, transport, banking and financial markets, healthcare, drinking water, wastewater, digital infrastructure, digital services, ICT services, postal services, waste management, food, chemicals and manufacturing (in particular, medical devices, electronic equipment and vehicles).
Timeline of actions
- By 3 October 2026 – self-identification and registration as an essential or important entity
- By 3 April 2027 – implementation of an information security management system and delivery of training within the organisation
- By 3 April 2028 – first cybersecurity audit for essential entities
Failure to implement NIS2 in your organisation carries, among other things, the following risks:
- financial penalties – fines of up to EUR 10 million or 2% of annual turnover (essential entities) and up to EUR 7 million or 1.4% of annual turnover (important entities), with the higher amount applying,
- personal liability for management – financial penalties for management board members of up to 300% of remuneration and the possibility of being banned from performing management functions until non-compliance is remedied or violations cease (for essential entities),
- loss of reputation – public disclosure of an incident or an obligation to notify customers,
- high operational costs – the costs of system downtime or recovery after an incident often exceed the cost of implementing an information security management system.