← Back to Reglyze
Transposed & Enforced

NIS2 in Poland

Everything you need to know about the NIS2 directive in Polska: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.

Poland transposed NIS2 through the amended National Cybersecurity System Act (UKSC), Dz.U. 2026 poz. 252, in force from 3 April 2026. The Minister of Digital Affairs is the competent authority and incidents go to the relevant national CSIRT (CSIRT NASK for the general and private sector). The core obligation is art. 8(1) UKSC, an information-security-management system across five measure areas, with the NIST-based Narodowe Standardy Cyberbezpieczeństwa as the practical layer and detailed requirements to follow in an implementing regulation. Enforcement is phased: registration via the S46 System is due by 3 October 2026, measures within 12 months, and administrative fines cannot be imposed until two years after entry into force.

Key facts at a glance

Transposition Law

Act of 23 January 2026 amending the National Cybersecurity System Act (UKSC), published as Dz.U. 2026 poz. 252

Adopted / in force: 2026-03-02

Competent Authority

Minister of Digital Affairs (Ministry of Digital Affairs) (MC)

https://www.gov.pl/web/cyfryzacja
Fines — Essential

Up to EUR 10 million or 2% of annual turnover (whichever is higher); minimum PLN 20,000

Fines — Important

Up to EUR 7 million or 1.4% of annual turnover (whichever is higher); minimum PLN 15,000; up to PLN 100 million in special cases threatening defence, state security, life or health

These ceilings come from the directive — see how NIS2 fines are calculated, recent enforcement cases and director personal liability.

Priority sectors for NIS2 in Poland

NIS2 covers 18 sectors across Annex I (essential) and Annex II (important). These are the sectors where Poland's transposition and MC supervision focus most.

Public administration and local government

Public-sector and municipal bodies delivering services to citizens are frequently in scope. Government administration reports incidents to CSIRT GOV, while other public entities are generally served by CSIRT NASK.

Energy, water, transport and health

High-criticality Annex I sectors place large operators in the essential-entity tier, with more proactive supervision and the higher fine ceiling.

ICT providers and supply chain

Managed service providers, cloud providers, data centres and ICT operators are caught directly, and increasingly indirectly through the supply-chain due-diligence demands of large clients (art. 8(1)(2)(e) UKSC).

Key deadlines

2026-04-03

The UKSC amendment (Dz.U. 2026 poz. 252) entered into force, one month after its 2 March 2026 publication.

2026-10-03

Deadline for essential and important entities to apply for entry in the register via the S46 System, six months after entry into force.

2027-04-03

End of the 12-month window to implement the art. 8 information-security-management measures (approximate, from entry into force).

Is your company in scope? Common Poland scenarios

Two worked examples of how NIS2 scoping plays out in Poland. Not sure where you land? Run the free NIS2 scope checker.

A 300-person Polish energy distribution operator
In scope — essential entity (podmiot kluczowy)

Energy is a high-criticality sector and an operator of this size is an essential entity under the UKSC. It must apply for entry in the S46 register by 3 October 2026, implement the art. 8 measures within 12 months, and report significant incidents to CSIRT NASK on the 24h/72h/1-month cadence.

A 90-employee Warsaw SaaS provider (PLN 60M turnover)
In scope — important entity (podmiot ważny)

Digital service provision brings the company into scope; above the size thresholds it is an important entity. It registers via the S46 System, implements the art. 8 information-security-management measures, and faces reactive supervision triggered by incidents.

What Poland businesses need to know

  • Poland's NIS2 transposition is the amended National Cybersecurity System Act (UKSC), Dz.U. 2026 poz. 252, published 2 March 2026 and in force from 3 April 2026.

  • The competent authority is the Minister of Digital Affairs; the national CSIRTs are CSIRT NASK (general/private sector), CSIRT GOV (government) and CSIRT MON (military).

  • The core duty is art. 8(1) UKSC: an information-security-management system across five areas of technical and organisational measures, proportionate to assessed risk, with the NIST-based Narodowe Standardy Cyberbezpieczeństwa (NSC) as the methodological layer.

  • Essential and important entities must apply for entry in the register (the S46 System) by 3 October 2026 and implement the risk-management measures within 12 months.

  • Significant incidents follow the 24-hour early warning, 72-hour notification and one-month final-report cadence, filed to the relevant CSIRT via incydent.cert.pl.

How MC enforces NIS2 in Poland

The Minister of Digital Affairs is the competent authority for the national cybersecurity system, with CSIRT NASK / GOV / MON handling incident reports by sector. The core obligation is art. 8(1) UKSC, an information-security-management system across five measure areas, supported by the NIST-based Narodowe Standardy Cyberbezpieczeństwa. Fines mirror the directive: up to EUR 10M / 2% for essential and EUR 7M / 1.4% for important entities (minimums of PLN 20,000 and PLN 15,000, and up to PLN 100M in special cases). Enforcement is phased: registration via the S46 System is due by 3 October 2026, measures within 12 months, and administrative fines cannot be imposed until two years after entry into force.

NIS2 in Poland: frequently asked questions

Is NIS2 in force in Poland?
Yes. Poland transposed NIS2 through the amended National Cybersecurity System Act (UKSC), Dz.U. 2026 poz. 252, in force from 3 April 2026. Entities must apply for entry in the S46 register by 3 October 2026.
Which law transposes NIS2 in Poland and who enforces it?
The National Cybersecurity System Act (UKSC) as amended on 23 January 2026 (Dz.U. 2026 poz. 252). The competent authority is the Minister of Digital Affairs, and incidents are reported to the relevant national CSIRT (CSIRT NASK for the general and private sector).
What are the penalties in Poland?
Up to EUR 10 million or 2% of annual turnover for essential entities (minimum PLN 20,000) and EUR 7 million or 1.4% for important entities (minimum PLN 15,000), with up to PLN 100 million in special cases threatening defence, state security, life or health. Fines cannot be imposed until two years after entry into force.
How are incidents reported in Poland?
Significant incidents are reported to the relevant CSIRT via the incydent.cert.pl portal: an early warning within 24 hours, an incident notification within 72 hours and a final report within one month. CSIRT NASK is the CSIRT for the general and private sector.

Official sources

Primary references for NIS2 in Poland — verify the latest text and deadlines directly with the authority.

Ready to become NIS2 compliant in Poland?

Reglyze is the AI-powered NIS2 compliance platform built for European SMEs. Start free — scoping, gap assessment, and policy generation tailored to MC requirements.