LEGAL ALERT: NIS2 implementation already in the Polish Parliament!
Last month, the Council of Ministers adopted a draft amendment to the Act on the National Cybersecurity System, which was then submitted to the Sejm. The draft implements the EU’s NIS2 Directive (i.e., Directive 2022/2555 of December 14, 2022, on measures for a high common level of cybersecurity across the Union). Below, we describe what to expect from the amendment and what actions to take now and plan for next year.
Who does the amendment apply to?
The proposed regulations significantly expand the list of entities covered by the national cybersecurity system. While the regulation has so far covered around 400 operators of essential services, the amendment may cover more than 10,000 entities operating in key and important sectors of the economy. Importantly, the obligation to comply with the new regulations will not result from an administrative decision – entities covered by them will have to self-identify and register in a special ICT system.
The sectors that will be covered by the new regulations include energy, transport, banking, financial market infrastructure, healthcare, digital infrastructure and ICT service management, postal services, waste management, the chemical industry, food production and processing, manufacturing, and scientific research. In addition to the industry criterion, the size of the organization is also important. We encourage you to contact our specialists to determine whether your organization may be subject to these requirements.
The amendment also applies to suppliers of products and services to key entities and important entities that may be subject to supply chain security requirements. The right approach to the new regulations can therefore be a competitive advantage and, in some cases, a prerequisite for winning customers.
What obligations does the amendment impose?
The proposed regulations impose a number of new obligations aimed at strengthening the resilience of covered entities to cyber threats. Entities covered by these regulations will be required to implement an information security management system that includes regular risk assessments, the introduction of adequate technical and organizational measures, incident management, and ensuring the continuity of information systems, as well as conducting regular audits.
The key obligations introduced by the amendment are the implementation of a comprehensive information security risk management system, mandatory reporting of security incidents to the competent authorities, and ensuring the security of the supply chain through the verification of suppliers and contractors. Entities will have to introduce effective risk assessment procedures and mechanisms for rapid response to cyber threats.
The amendment also introduces personal responsibility of managers for supervising the implementation of cybersecurity requirements and the obligation for them to undergo specialized training in this area.
When might the new regulations come into force?
The draft amendment has been submitted to the Sejm and, according to the chairman of the Sejm’s Digitalization Committee, should be discussed at a meeting in the second half of November 2025. The Ministry of Digitalization has announced that the bill is to be adopted by the Sejm and Senate before the end of 2025.
The bill provides for a one-month vacatio legis, which means that it will come into force one month after its publication in the Journal of Laws. Entities will then have six months to comply with the basic obligations, including registration in the national cybersecurity system and implementation of risk management systems. This means that, assuming the bill is passed by the end of 2025, the full requirements will come into force in approximately the second half of 2026.
Summary
In view of the imminent entry into force of the amendment, we recommend that you conduct a comprehensive assessment of whether your organization may be subject to the obligations under the new regulations. The analysis should include determining whether the entity will be required to apply the Act and to what extent, as early identification of its status will allow it to prepare properly for the statutory requirements.
CONTACT
E: magdalena.patryas@pl.Andersen.com
T: +48 32 731 68 84
M: +48 502 392 419
