In progress | NIS2
NIS2 in Poland
Poland is updating its national cybersecurity act (UKSC) to transpose NIS2. The draft NIS2 law is in final legislative stages with enforcement expected mid-2025.
Transposition law: Ustawa o Krajowym Systemie Cyberbezpieczeństwa (UKSC) - amendment in progress
In force: Pending
Competent authority: CERT Polska / CSIRT GOV
Max fine (Essential): PLN 15 million (~€3.5 million) or 2% of global annual turnover (draft)
Max fine (Important): PLN 8 million (~€1.9 million) or 1.4% of global annual turnover (draft)
Full enforcement: July 2025
Key Deadlines
UKSC amendment expected: 1 June 2025
Enforcement target: 1 July 2025
Competent Authority
CERT Polska / CSIRT GOV
National CSIRT; sector supervisors to be designated by UKSC amendment
https://www.cert.pl
Poland's UKSC amendment will designate sector-specific competent authorities. CERT Polska and CSIRT GOV handle incident coordination. The draft law mirrors EU Article 21 closely with Polish-specific penalty structures.
Registration Process
The registration process is pending finalisation of the UKSC amendment. Entities should monitor cert.pl and mc.gov.pl for updates. Pre-registration notifications may open in Q2 2025.
Key Requirements
1. Incident notification to the appropriate CSIRT within 24 hours (early warning) and 72 hours
2. Implementation of Article 21 security measures as specified in the UKSC amendment
3. Annual risk assessment (Ocena Ryzyka) mandatory for kluczowe and ważne podmioty
4. Registration with sector supervisor once designated
5. Management accountability provisions similar to NIS2 Article 20
6. Polish public administration entities are explicitly included
National Additions
- Poland is proposing national cybersecurity certification requirements for high-risk ICT products used by Essential Entities
- The UKSC amendment includes provisions for a national cybersecurity incident response centre (CSIRT level 3)
- Polish defence sector entities have additional obligations under separate cybersecurity legislation
FAQ: NIS2 in Poland
Can Polish entities start preparing before the UKSC amendment passes?
Yes, and they should. The UKSC amendment will closely mirror EU NIS2 Article 21 obligations. Organisations can already conduct gap assessments, define their sector classification, and draft security policies aligned with NIS2. This minimises the sprint required when the law takes effect.
What is Poland's CSIRT GOV vs CERT Polska?
CERT Polska (CSIRT NASK) handles cybersecurity for the commercial/private sector. CSIRT GOV (handled by ABW, the internal security agency) covers government and public administration. CSIRT MON covers the military. Under NIS2, each handles incident notifications for its respective constituency.