05.03.2026

🔐 NIS2 becomes reality in Poland

The President has signed the amendment to the National Cybersecurity System Act implementing the NIS2 Directive into Polish law. The new regulations significantly expand cybersecurity obligations for many organisations – as well as the responsibilities of management boards.

What does this mean in practice? Among other things, organisations may be required to:

• implement appropriate cybersecurity risk-management measures
• establish and maintain an information security management system
• organise incident handling and report serious incidents
• ensure adequate governance and oversight at the management level

The new regime also introduces significant administrative fines – up to EUR 10 million or 2% of global turnover, and in specific cases even up to PLN 100 million. The regulations also provide for the possibility of personal liability of management board members.

📅 Key dates:
2 April 2026 – the Act enters into force
2 May 2026 – publication of the list of key and important entities
2 April 2027 – deadline to implement the statutory obligations
2 April 2028 – first audit for key entities

Will your organisation fall within the scope of the new regulations?
What legal obligations will this create for your company and its management?

Contact us – we would be happy to help determine whether the new regulations apply to your organisation and to clarify the legal obligations arising from the new cybersecurity framework.
