Everything you need to know about the NIS2 directive in Polska: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.
Poland transposed NIS2 through the amended National Cybersecurity System Act (UKSC), Dz.U. 2026 poz. 252, in force from 3 April 2026. The Minister of Digital Affairs is the competent authority and incidents go to the relevant national CSIRT (CSIRT NASK for the general and private sector). The core obligation is art. 8(1) UKSC, an information-security-management system across five measure areas, with the NIST-based Narodowe Standardy Cyberbezpieczeństwa as the practical layer and detailed requirements to follow in an implementing regulation. Enforcement is phased: registration via the S46 System is due by 3 October 2026, measures within 12 months, and administrative fines cannot be imposed until two years after entry into force.
Act of 23 January 2026 amending the National Cybersecurity System Act (UKSC), published as Dz.U. 2026 poz. 252
Adopted / in force: 2026-03-02
Minister of Digital Affairs (Ministry of Digital Affairs) (MC)
https://www.gov.pl/web/cyfryzacjaUp to EUR 10 million or 2% of annual turnover (whichever is higher); minimum PLN 20,000
Up to EUR 7 million or 1.4% of annual turnover (whichever is higher); minimum PLN 15,000; up to PLN 100 million in special cases threatening defence, state security, life or health
These ceilings come from the directive — see how NIS2 fines are calculated, recent enforcement cases and director personal liability.
NIS2 covers 18 sectors across Annex I (essential) and Annex II (important). These are the sectors where Poland's transposition and MC supervision focus most.
Public-sector and municipal bodies delivering services to citizens are frequently in scope. Government administration reports incidents to CSIRT GOV, while other public entities are generally served by CSIRT NASK.
High-criticality Annex I sectors place large operators in the essential-entity tier, with more proactive supervision and the higher fine ceiling.
Managed service providers, cloud providers, data centres and ICT operators are caught directly, and increasingly indirectly through the supply-chain due-diligence demands of large clients (art. 8(1)(2)(e) UKSC).
2026-04-03
The UKSC amendment (Dz.U. 2026 poz. 252) entered into force, one month after its 2 March 2026 publication.
2026-10-03
Deadline for essential and important entities to apply for entry in the register via the S46 System, six months after entry into force.
2027-04-03
End of the 12-month window to implement the art. 8 information-security-management measures (approximate, from entry into force).
Two worked examples of how NIS2 scoping plays out in Poland. Not sure where you land? Run the free NIS2 scope checker.
Energy is a high-criticality sector and an operator of this size is an essential entity under the UKSC. It must apply for entry in the S46 register by 3 October 2026, implement the art. 8 measures within 12 months, and report significant incidents to CSIRT NASK on the 24h/72h/1-month cadence.
Digital service provision brings the company into scope; above the size thresholds it is an important entity. It registers via the S46 System, implements the art. 8 information-security-management measures, and faces reactive supervision triggered by incidents.
Poland's NIS2 transposition is the amended National Cybersecurity System Act (UKSC), Dz.U. 2026 poz. 252, published 2 March 2026 and in force from 3 April 2026.
The competent authority is the Minister of Digital Affairs; the national CSIRTs are CSIRT NASK (general/private sector), CSIRT GOV (government) and CSIRT MON (military).
The core duty is art. 8(1) UKSC: an information-security-management system across five areas of technical and organisational measures, proportionate to assessed risk, with the NIST-based Narodowe Standardy Cyberbezpieczeństwa (NSC) as the methodological layer.
Essential and important entities must apply for entry in the register (the S46 System) by 3 October 2026 and implement the risk-management measures within 12 months.
Significant incidents follow the 24-hour early warning, 72-hour notification and one-month final-report cadence, filed to the relevant CSIRT via incydent.cert.pl.
The Minister of Digital Affairs is the competent authority for the national cybersecurity system, with CSIRT NASK / GOV / MON handling incident reports by sector. The core obligation is art. 8(1) UKSC, an information-security-management system across five measure areas, supported by the NIST-based Narodowe Standardy Cyberbezpieczeństwa. Fines mirror the directive: up to EUR 10M / 2% for essential and EUR 7M / 1.4% for important entities (minimums of PLN 20,000 and PLN 15,000, and up to PLN 100M in special cases). Enforcement is phased: registration via the S46 System is due by 3 October 2026, measures within 12 months, and administrative fines cannot be imposed until two years after entry into force.
Primary references for NIS2 in Poland — verify the latest text and deadlines directly with the authority.