President Andrzej Duda has signed an amendment to the National Cybersecurity System Act, transposing the EU's NIS2 directive into Polish law. The document has been published in the Journal of Laws. Enterprises and public administration entities from key sectors must now implement the required security measures within specified deadlines. Experts emphasize that for many organizations, this necessitates urgent adaptation actions and audits.

Implementation of the NIS2 Directive

The amendment transposes the provisions of the EU's NIS2 directive into Polish law, significantly expanding the range of entities that must meet cybersecurity requirements and imposing new legal and reporting obligations on them.

Deadlines for Enterprises

Companies from sectors deemed essential or important have limited time to implement the required security measures. According to the directive's provisions, this process should be completed within the next few months, requiring immediate action.

Support Offer for Companies

The consulting firm Quantifier announced the start of a webinar series aimed at board members and cybersecurity leaders, designed to help understand the new obligations and prepare for their implementation.

Expanded Catalog of Entities

The NIS2 directive covers not only large critical infrastructure enterprises but also smaller entities from sectors such as energy, transport, banking, health, and drinking water, significantly increasing the number of organizations subject to regulation.

President Andrzej Duda has signed an amendment to the National Cybersecurity System Act, transposing the EU's NIS2 directive into Polish law. The act has been published in the Journal of Laws, marking the formal start of the implementation period for entities covered by the new regulations.

The NIS2 directive significantly expands the scope of entities obligated to apply enhanced cybersecurity measures. It covers enterprises and public administration entities from sectors deemed essential or important, such as energy, transport, banking, public health, drinking water supply, and digital infrastructure. The new regulations impose a series of obligations on these entities, including the duty to implement appropriate technical and organizational measures, report incidents to the competent authorities, and designate contact points.

Companies have limited time to adapt to the new requirements. The transition period is short, forcing management boards and IT departments to take immediate actions, such as conducting security audits, risk assessments, and updating internal policies. In response to these needs, the consulting firm Quantifier announced the launch of a series of educational webinars aimed at management staff and cybersecurity leaders, designed to help understand the complexity of the new regulations.

The NIS2 directive is the successor to the first EU directive on the security of network and information systems (NIS) from 2016. Its goal is to strengthen cyber resilience across the European Union in response to the growing number and sophistication of cyberattacks, which pose a threat to the functioning of key services and the economy.

The implementation of NIS2 also involves strengthening the competencies of national supervisory authorities, including the President of the Office of Electronic Communications (UKE) and the minister responsible for cybersecurity. These authorities will be responsible for overseeing compliance with the new regulations and will be able to impose financial sanctions on entities that fail to fulfill their obligations. The amendment represents a significant step towards unifying cybersecurity standards in Europe, although its practical effects for thousands of Polish enterprises will only become apparent in the coming months.

Mentioned People

  • Andrzej Duda — President of the Republic of Poland, who signed the amendment to the act.