21.11.2025

Amendment to the Act on the National Cybersecurity System

The draft amendment to the Act on the National Cybersecurity System, which implements the NIS 2 Directive and significantly extends obligations in the field of risk management and digital security, was submitted to the Sejm on November 7, marking the beginning of the legislative process for one of the key cybersecurity regulations in Poland. The document, prepared by the Ministry of Digital Affairs, responds to growing threats in cyberspace and to the obligation to transpose the NIS 2 Directive adopted by the European Parliament and the Council of the European Union. The amendment aims to bring the Polish cybersecurity system into line with EU standards.

The draft law is a direct implementation of Directive (EU) 2022/2555 of the European Parliament and of the Council, known as the NIS 2 Directive. The aim of this directive is to establish a uniformly high common level of cybersecurity across the European Union, so that the economic sectors on which society depends are better protected against cyber threats.

In implementing NIS 2, the draft amendment introduces a number of changes aimed at strengthening the security of networks and information systems in both the public and private sectors. This includes, among other things, extending cybersecurity obligations to new sectors, improving crisis management mechanisms, and increasing the responsibility of public and private entities for protection against attacks.

According to the draft amendment, the circle of entities covered by the Act on the National Cybersecurity System is being expanded. The Act divides in-scope organizations into key entities (the NIS 2 Directive's "essential entities") and important entities, i.e., organizations operating in sectors considered essential to the functioning of the state and the economy. Key entities are those whose disruption could have serious consequences for security or public order, while important entities are organizations which, although they have less systemic impact, still play an important role in ensuring the continuity of sensitive services.

In addition to traditionally sensitive sectors such as energy, transport, health, and banking, the draft also covers new areas such as:

  • Drinking water supply and wastewater management,
  • Waste management,
  • Production and distribution of chemicals,
  • Food production and distribution,
  • Postal and courier services,
  • Space.

Each entity operating in these sectors that meets the criteria for classification as a key or important entity will be required to implement appropriate security measures and procedures for responding to cybersecurity incidents.

The draft law imposes a wide range of obligations on these entities, including implementing an information security management system, carrying out regular risk assessments, reporting incidents, ensuring the security of the ICT supply chain, undergoing mandatory audits, and making the management body personally accountable for cybersecurity oversight. Technical and organizational measures must be proportionate to the scale and type of activity and to the assessed risk.

At the same time, the regulations may also reach companies participating in the supply chains of key and important entities: in particular cloud service providers, data centres, managed service providers (including managed security service providers), ICT solution providers, and digital service operators. Some of these providers fall within the regulated sectors in their own right (the NIS 2 Directive lists digital infrastructure and ICT service management among its sectors), while others are reached indirectly, because the supply chain security obligation requires the organizations they serve to assess and contractually manage the risks their suppliers introduce. Either way, because such providers can significantly affect the security of the organizations covered by the Act, they should expect to be subject to specific requirements.

The draft provides that the amendment will enter into force one month after its publication in the Journal of Laws, with a six-month adjustment period for key and important entities. This is intended to give companies and institutions time to implement the new obligations, including those related to reporting cybersecurity incidents and ensuring appropriate crisis management procedures.

Strengthening cybersecurity in Poland

The amendment to the Act on the National Cybersecurity System is a milestone in the process of strengthening the Polish system of protection against cyber threats. According to the provisions, entities responsible for key services, such as hospitals, power plants, banks, and public administration institutions, will be required to comply with new requirements for protection against cyber attacks.

This project is also in line with the objectives set out in the National Recovery and Resilience Plan (C3.1), which aims to improve the resilience of critical infrastructure to digital threats.

The adoption of the amendment to the Act on the National Cybersecurity System is an important step towards increasing Poland's cyber resilience and adapting national regulations to the requirements of the European Union. It will further strengthen Poland's mechanisms for protection against cyber threats, while ensuring greater security for critical infrastructure and key services.

If you are wondering whether the obligations under NIS 2 also apply to your organization, please contact us. We will help you assess this and prepare appropriate measures.