NIS2: The Register of Essential and Important Entities Is Now Live. For Some Companies, Failure to Register Could Be a Costly Mistake

The launch of the register of essential and important entities – into which entities covered by the provisions of the Polish Act on the National Cybersecurity System will be entered – is not merely a technical add-on to the implementation of NIS2 in Poland. It marks the point at which, for many organizations, compliance becomes very concrete: it is necessary to determine whether an entity falls within the scope of the Act, whether it should be included in the register, when an application must be submitted, and how quickly new obligations must be implemented.

This is also where mistakes are most likely to occur. Some companies assume that if they have not received any official notification, the rules do not apply to them. That assumption can be risky.


The register is live – and it sets the pace for compliance

According to the Ministry of Digital Affairs, the register of essential and important entities was launched on 13 April 2026. Between 13 April and 6 May 2026, entries are being made ex officio. From 7 May to 3 October 2026, entities not automatically included are expected to self-register.

For new entities, access to the S46 system is scheduled for 12 June 2026. Meanwhile, entities that already met the criteria on the date the law entered into force have until 3 April 2027 to fully comply with the new requirements.

Importantly, inclusion in the register is neither discretionary nor constitutive. The law makes it clear that entries, updates, and removals are declaratory in nature, and that an entry is effective upon submission of the application via the ICT system.

In other words, the register does not create the obligation to comply. It merely formalizes a status that already arises from the law itself.


This is not just another register

The law explicitly defines three purposes of the register: identifying essential and important entities, enabling information exchange in the field of cybersecurity, and supporting supervisory activities.

In practice, this means the register is far more than a simple list of entities. It includes, among other things, contact details, sectors and types of activity, domain names, public IP address ranges, information on account administrators, and details on the use of managed security service providers (MSSPs).

Notably, these data are excluded from standard public access regimes. The provisions on access to public information and open data do not apply. Only aggregated data – such as the number of entities by sector or subsector – will be made public.

This is a clear signal: the register is designed as an operational and supervisory tool, not a public directory.


Who does this apply to? Not every company – but far more than before

The key practical challenge is that the answer to “does this apply to us?” rarely comes from a single provision.

The scope of the law is determined by a combination of factors: sector, type of activity, size thresholds, and specific exclusions. Entities listed in Annexes I and II may qualify as essential or important, often depending on whether they meet the threshold of a medium-sized enterprise. In some cases, special rules apply or entities are covered regardless of size.

The law also applies to entities operating in Poland, including through branches or cross-border activity. For certain digital service providers, additional rules apply regarding the main establishment and the appointment of an EU representative.


First classification, then registration – and immediately after, implementation

As a general rule, essential and important entities have six months from the moment they meet the criteria to apply for entry in the register. Any changes must be reported within 14 days.

Registration, however, is only the beginning.

Entities are required to implement an information security management system covering systems used in service delivery, establish internal cybersecurity structures or engage a managed service provider, and comply with incident reporting obligations.

These timelines are tight:

  • 24 hours for an early warning,
  • 72 hours for reporting a significant incident,
  • and, as a rule, one month for the final report.

Entities that already met the criteria when the law entered into force benefit from a transitional period: 12 months to implement the required measures, and for essential entities, 24 months to conduct the first audit.


Failure to register is not a minor formality

The most important practical takeaway is that failing to apply for entry in the register is explicitly linked to financial penalties.

The competent authority may impose fines on entities that fail to submit an application within the statutory deadline. For essential entities, penalties may reach up to EUR 10 million or 2% of annual turnover. For important entities, up to EUR 7 million or 1.4% of annual turnover.

In particularly serious cases – where a violation leads to a direct and significant cyber threat or risks substantial financial damage – penalties may reach up to PLN 100 million.

The law goes further. Managers themselves may also be fined, including for failing to ensure that the registration obligation is fulfilled. These fines may reach up to 300% of the individual’s remuneration.

If an entity fails to act, the authority may register it ex officio and require completion of missing information – under the threat of further sanctions.

At the same time, the law provides that administrative fines may only be imposed after two years from its entry into force. This does not mean, however, that the issue can be postponed. On the contrary, this period is intended for classification, registration, and implementation – not passive waiting.


Now is the time to assess your status – not to guess

In practice, the greatest risk today is not that an organization has failed to implement measures. The greater risk is that it has incorrectly assumed that the law does not apply.

Determining whether an entity qualifies often requires a multi-layered analysis: the actual business model, sector classification, size thresholds, relationships with affiliated entities, the scope of IT systems, and the role within the supply chain.

This is where legal support brings the most value.

We support clients in:

  • assessing whether an entity qualifies as essential or important,
  • determining whether and when registration is required,
  • preparing registration documentation and processes,
  • structuring internal compliance responsibilities,
  • translating statutory requirements into policies, procedures, and contractual arrangements with service providers.

If you are not certain whether your organization should be included in the register, now is the right moment to verify it. In many cases, the challenge is not a lack of diligence – but the fact that the answer is simply not obvious at first glance.

🌍 Madrid wrap-up | Legal Netlink Alliance

Madrid, great conversations, and people who genuinely understand how cross-border cooperation works – that’s probably the most accurate short summary of this year’s Legal Netlink Alliance meeting.

A few intensive days were enough to exchange experiences (and doubts), reflect on where our profession is heading, and once again confirm that in cross-border work, trust and relationships still matter more than theory and polished slides.
This is exactly what we value about LNA: substance without pretence, strategic discussions without unnecessary buzzwords, and a community of professionals you actually want to work with.

In the background, the LNA Board’s concrete initiatives – including the NextWave project – show that the alliance is thinking well beyond the next date in the calendar and investing in its future.

Many thanks to everyone we had the pleasure of speaking with, and especially to Fourlaw Abogados for the excellent organisation and true Madrid spirit.

See you at the next LNA meeting.


Forbes Diamonds 2026 – a few words on partnership

Forbes Diamonds 2026 reflect the strength of our chosen direction and our approach to work.

Everything begins with people – a Team that takes responsibility, values precision, and approaches each matter with full commitment. Thank you for your professionalism, consistency, and everyday focus.

We thank our Clients for the opportunity to support their growth and success.

Steady course.
We move forward.



Building Trust and Relationships Beyond Borders

Trust doesn’t happen overnight.
It is built through conversations, shared perspectives, and years of working together.

Madrid marks the next chapter.
At the LNA Europe Winter Meeting, together with colleagues from across Europe and beyond, we continue strengthening what defines Legal Netlink Alliance — trust-based relationships that make cross-border cooperation seamless when clients truly need it.

We are grateful to be part of a community where knowledge flows freely and collaboration comes naturally.
Thank you Fourlaw Abogados for hosting — see you in Madrid.


JLSW at the upcoming LNA Europe Winter Meeting 2026 in Madrid – relationships, knowledge, and cross-border collaboration.

Our team is excited to be heading to the LNA Europe Winter Meeting 2026 in Madrid.

As long-standing members of Legal Netlink Alliance, we truly value these in-person gatherings that bring together trusted colleagues from across Europe and beyond. Over the years, LNA has been much more than a professional network for us – it’s a community built on shared values, collaboration, and lasting relationships.

From exchanging know-how and perspectives to strengthening cross-border cooperation and friendships, these meetings always remind us why being part of LNA matters.

We’re looking forward to insightful discussions, reconnecting with familiar faces, meeting new members, and continuing to build meaningful international cooperation – this time in Madrid, hosted by Fourlaw Abogados.


Amendment to the Act on the National Cybersecurity System

The draft amendment to the Act on the National Cybersecurity System, covering the implementation of the NIS2 Directive and a significant extension of obligations in the field of risk management and digital security, was submitted to the parliament on November 7, marking the beginning of the legislative process for one of the key cybersecurity regulations in Poland. The document, prepared by the Ministry of Digital Affairs, is a response to the challenges posed by growing threats in cyberspace and the need to implement the NIS 2 Directive, adopted by the European Parliament and the Council of the European Union. The amendment aims to bring the Polish cybersecurity system into line with EU standards.

The draft law is a direct implementation of Directive 2022/2555 of the European Parliament and of the Council (EU), known as the NIS 2 Directive. The aim of this directive is to establish uniform, high cybersecurity standards in the European Union to ensure greater protection of key economic sectors against cyber threats.

In implementing NIS 2, the draft amendment introduces a number of changes aimed at strengthening the security of networks and information systems in both the public and private sectors. This includes, among other things, extending cybersecurity obligations to new sectors, improving crisis management mechanisms, and increasing the responsibility of public and private entities for protection against attacks.

According to the draft amendment, the circle of entities covered by the provisions of the Act on the National Cybersecurity System is being expanded. The Act introduces a division into key entities and important entities, i.e., organizations operating in sectors considered essential to the functioning of the state and the economy. Key entities are those whose disruption could have serious consequences for security or public order, while important entities are companies which, although they have less systemic impact, still play an important role in ensuring the continuity of sensitive services.

In addition to traditionally sensitive sectors such as energy, transport, health, and banking, the project also covers new areas such as:

  • Water management and sewage,
  • Waste management,
  • Chemical production and distribution,
  • Food production and distribution,
  • Postal industry,
  • Space.

Each entity operating in these sectors—if it meets the criteria for being considered a critical or important entity—will be required to implement appropriate security measures and procedures for responding to cybersecurity incidents.

The draft law imposes a wide range of obligations on these entities, such as implementing an information security management system, regular risk assessment, incident reporting, ensuring the security of the ICT supply chain, mandatory audits, and specific responsibility of management for cybersecurity oversight. Technical and organizational measures must be adequate to the scale and type of activity and the estimated risk.

At the same time, the regulations may apply not only to key and important entities, but also to companies participating in their supply chains – in particular, cloud service providers, data centers, managed service providers (including cybersecurity), ICT solution providers, and digital service operators. Although these entities do not belong to key sectors, they can significantly affect the security of the functioning of organizations covered by the Act and are therefore also subject to specific requirements.

The draft provides that the amendment to the Act will enter into force one month after its publication in the Journal of Laws, with a six-month adjustment period for key and important entities. This will give companies and institutions time to implement new obligations related to, among other things, reporting cybersecurity incidents and ensuring appropriate crisis management procedures.

Strengthening cybersecurity in Poland

The amendment to the Act on the National Cybersecurity System is a milestone in the process of strengthening the Polish system of protection against cyber threats. According to the provisions, entities responsible for key services, such as hospitals, power plants, banks, and public administration institutions, will be required to comply with new requirements for protection against cyber attacks.

This project is also in line with the objectives set out in the National Recovery and Resilience Plan (C3.1), which aims to improve the resilience of critical infrastructure to digital threats.

The adoption of the amendment to the Act on the National Cybersecurity System is an important step towards increasing Poland’s cyber resilience and adapting national regulations to the requirements of the European Union. It will further strengthen its mechanisms for protection against cyber threats, while ensuring greater security for critical infrastructure and key services.

If you are wondering whether the obligations under NIS2 also apply to your organization, please contact us—we will help you assess this and prepare appropriate measures.

JLSW as a knowledge partner to the POLAGRA 2025 trade fair.

Once again, JLSW returned as POLAGRA’s knowledge partner.

We discussed how to run HoReCa promotions legally and safely: contest vs. lottery, what a solid set of rules must include, GDPR/DPAs, platform policies (Instagram/Facebook/YouTube), IP rights to submissions – and even VAT and receipts when awarding prizes.

Thank you! It was a great round of conversations and questions — see you next year!

Renewable energy and green hydrogen — the law powering the transition

We couldn’t miss it! JLSW Managing Partner Tomasz Janaszczyk is attending European Hydrogen Week 2025 – a gathering of leaders and practitioners focused on real-world deployments, regulation, and financing of hydrogen and renewable energy projects.

At JLSW we support investors, companies, and institutions with:

  • legal and regulatory advisory,
  • structuring and financing of investments,
  • safeguarding contractual interests,
  • developing innovative solutions for the green transition.

Events like this are more than networking — they’re how we help shape the legal framework for a safe, competitive, and clean economy.

Want to talk? Get in touch.

#GreenHydrogen #RenewableEnergy #EnergyLaw #HydrogenEconomy #EnergyTransition

 

From Idea to Scale — How Law Supports Startups

Every startup begins with an idea. For that idea to grow, it needs a solid legal framework.
That was the case with Remotly—a platform that helps companies manage remote work and supports gamers in their passion for online gaming.

Our role: we prepared the documentation that enables Remotly to operate and scale safely and transparently, including to:

  • clearly define licensing and service terms,

  • protect intellectual property,

  • provide users with transparent privacy information in line with GDPR,

  • give business clients robust data-processing frameworks.

Today, Remotly is moving forward—enhancing the product, winning customers, and scaling its business.
We’re pleased to have laid the legal foundations that make this growth possible.

Changes for family foundations – are there changes in store for their taxation?

Although the family foundation was introduced only two years ago as a modern tool to support family businesses, the government is already announcing changes to its taxation. This is surprising not only because the regulations themselves have been in force for a relatively short period of time, but also because the government had previously declared that they would remain stable and announced possible adjustments only after the provisions of the Family Foundation Act of 26 January 2023 had been in force for three years. Today, the Ministry of Finance is back with the announcement of a draft amendment that could change the situation for entrepreneurs using foundations.

 

Announced changes

In the list of legislative and programme works of the Council of Ministers, there was an announcement of a draft amendment to the Act on PIT, CIT and certain other acts (list no. UD116), which is expected to be adopted by the Council of Ministers in the second quarter of 2025 and which provides for, among other things:

  • sealing the taxation rules for family foundations – although it is not yet clear what this would consist of, it was previously announced that a 19% tax on the sale of assets would be introduced if the sale took place before the expiry of 15 years from their contribution to the foundation,
  • subjecting the benefits paid to the foundation’s beneficiaries to a solidarity levy,
  • including family foundations in the regulation on foreign controlled companies (CFCs) – which could mean imposing additional tax and reporting obligations on family foundations related to foreign assets, and this would generate additional costs for foundations.

What does it mean that distributions from family foundations will be subject to solidarity levy?

A family foundation is a tool for families to better manage their assets and pass them on to the next generation in an orderly and secure manner. One of its tasks is to pay benefits – that is, money or other advantages – to its beneficiaries. Until now, such payments have been favourably taxed or even tax-free in the case of the immediate family.

Under the government’s new proposals, these payments would be subject to an additional charge – the so-called solidarity levy. This is a 4 per cent tax levied on individuals whose annual income exceeds PLN 1 million. And here is the key change: if a family member received e.g. PLN 1.5 million from the foundation, he or she would have to pay 4 per cent tax on the surplus above PLN 1 million (i.e. on PLN 500,000) – in this case PLN 20,000.

 

Why are the potential changes incompatible with the provisions of the Act?

The Family Foundation Act contains a provision to review its operation only after three years in force, i.e. at the end of May 2026 at the earliest. The announcement of the changes is already perceived as a rupture of the “social contract” concluded between the state and citizens who, due to the certainty of their legal situation guaranteed by the Family Foundation Act, decided to establish family foundations.

Family foundations were originally intended to be a stable legal instrument to support long-term investment and the building of multi-generational businesses. Introducing the above changes before the provisions of the law in question have been in force for three years may be considered to undermine these assumptions.

 

What steps should be taken in the current situation?

In the current situation, we recommend ongoing monitoring of legislative progress and consideration of legal and tax safeguards in the event that the new legislation potentially comes into force.

If you use the institution of a family foundation or are considering setting one up – we invite you to contact our law firm. We will monitor the course of possible changes for you and, in the event of their introduction, we will help you take measures to minimise their negative effects.

 

Author: Marta Marciniak

Author: mec. Joanna Żemojtel