15.04.2026
NIS2: The Register of Essential and Important Entities Is Now Live. For Some Companies, Failure to Register Could Be a Costly Mistake
The launch of the register of essential and important entities – into which entities covered by the provisions of the Polish Act on the National Cybersecurity System will be entered – is not merely a technical add-on to the implementation of NIS2 in Poland. It marks the point at which, for many organizations, compliance becomes very concrete: it is necessary to determine whether an entity falls within the scope of the Act, whether it should be included in the register, when an application must be submitted, and how quickly new obligations must be implemented.
This is also where mistakes are most likely to occur. Some companies assume that if they have not received any official notification, the rules do not apply to them. That assumption can be risky.
The register is live – and it sets the pace for compliance
According to the Ministry of Digital Affairs, the register of essential and important entities was launched on 13 April 2026. Between 13 April and 6 May 2026, entries are being made ex officio. From 7 May to 3 October 2026, entities not automatically included are expected to self-register.
For new entities, access to the S46 system is scheduled for 12 June 2026. Meanwhile, entities that already met the criteria on the date the law entered into force have until 3 April 2027 to fully comply with the new requirements.
Importantly, inclusion in the register is neither discretionary nor constitutive. The law makes it clear that entries, updates, and removals are declaratory in nature, and that an entry is effective upon submission of the application via the ICT system.
In other words, the register does not create the obligation to comply. It merely formalizes a status that already arises from the law itself.
This is not just another register
The law explicitly defines three purposes of the register: identifying essential and important entities, enabling information exchange in the field of cybersecurity, and supporting supervisory activities.
In practice, this means the register is far more than a simple list of entities. It includes, among other things, contact details, sectors and types of activity, domain names, public IP address ranges, information on account administrators, and details on the use of managed security service providers (MSSPs).
Notably, these data are excluded from standard public access regimes. The provisions on access to public information and open data do not apply. Only aggregated data – such as the number of entities by sector or subsector – will be made public.
This is a clear signal: the register is designed as an operational and supervisory tool, not a public directory.
Who does this apply to? Not every company – but far more than before
The key practical challenge is that the answer to “does this apply to us?” rarely comes from a single provision.
The scope of the law is determined by a combination of factors: sector, type of activity, size thresholds, and specific exclusions. Entities listed in Annexes I and II may qualify as essential or important, often depending on whether they meet the threshold of a medium-sized enterprise. In some cases, special rules apply or entities are covered regardless of size.
The law also applies to entities operating in Poland, including through branches or cross-border activity. For certain digital service providers, additional rules apply regarding the main establishment and the appointment of an EU representative.
First classification, then registration – and immediately after, implementation
As a general rule, essential and important entities have six months from the moment they meet the criteria to apply for entry in the register. Any changes must be reported within 14 days.
Registration, however, is only the beginning.
Entities are required to implement an information security management system covering systems used in service delivery, establish internal cybersecurity structures or engage a managed service provider, and comply with incident reporting obligations.
The incident reporting timelines are tight:
- 24 hours for an early warning,
- 72 hours for reporting a significant incident,
- and, as a rule, one month for the final report.
Entities that already met the criteria when the law entered into force benefit from a transitional period: 12 months to implement the required measures, and for essential entities, 24 months to conduct the first audit.
Failure to register is not a minor formality
The most important practical takeaway is that failing to apply for entry in the register is explicitly linked to financial penalties.
The competent authority may impose fines on entities that fail to submit an application within the statutory deadline. For essential entities, penalties may reach up to EUR 10 million or 2% of annual turnover. For important entities, up to EUR 7 million or 1.4% of annual turnover.
In particularly serious cases – where a violation leads to a direct and significant cyber threat or risks substantial financial damage – penalties may reach up to PLN 100 million.
The law goes further. Managers themselves may also be fined, including for failing to ensure that the registration obligation is fulfilled. These fines may reach up to 300% of the individual’s remuneration.
If an entity fails to act, the authority may register it ex officio and require completion of missing information – under the threat of further sanctions.
At the same time, the law provides that administrative fines may be imposed only once two years have passed since its entry into force. This does not mean, however, that the issue can be postponed. On the contrary, this period is intended for classification, registration, and implementation – not passive waiting.
Now is the time to assess your status – not to guess
In practice, the greatest risk today is not that an organization has failed to implement measures. The greater risk is that it has incorrectly assumed that the law does not apply.
Determining whether an entity qualifies often requires a multi-layered analysis: the actual business model, sector classification, size thresholds, relationships with affiliated entities, the scope of IT systems, and the role within the supply chain.
This is where legal support brings the most value.
We support clients in:
- assessing whether an entity qualifies as essential or important,
- determining whether and when registration is required,
- preparing registration documentation and processes,
- structuring internal compliance responsibilities,
- translating statutory requirements into policies, procedures, and contractual arrangements with service providers.
If you are not certain whether your organization should be included in the register, now is the right moment to verify it. In many cases, the challenge is not a lack of diligence – but the fact that the answer is simply not obvious at first glance.