The amendment to the Act on the National Cybersecurity System has been signed by the President!
On Thursday, February 19, 2026, the President of the Republic of Poland signed the Act of January 23, 2026, amending the Act on the National Cybersecurity System and certain other acts (“the Act”), which implements the EU’s NIS2 Directive into Polish law. Below we describe the changes related to the amendment.
Key changes related to the Act
The Act aims to bring the national cybersecurity system in line with modern standards, and the changes it introduces concern, among other things:
- expanding the list of entities within the national cybersecurity system to include new economic sectors: ICT, space, postal services, manufacturing, food, and wastewater management,
- imposing on key entities and important entities in cybersecurity obligations regarding risk management concerning the implementation of proportionate technical, operational, and organizational measures,
- regulating the rules of liability of the manager of a key entity or an important entity for the performance of cybersecurity tasks,
- introducing the ability for key entities and important entities to report incidents via an ICT system,
- establishing sectoral CSIRTs to support incident response in specific sectors of the economy within 18 months of the Act’s entry into force.
- strengthening the supervisory powers of the competent cybersecurity authorities,
- introducing financial penalties for failure by critical entities or important entities to fulfill their statutory obligations, including, among others, failure to implement an information security management system or failure to register in the list of critical entities and important entities,
- the introduction of a national response plan for large-scale cybersecurity incidents and crises,
- the expansion of the Minister for Digitalization’s powers,
- the strengthening of the position of the Government Plenipotentiary for Cybersecurity,
- the expansion of the powers of national-level CSIRT teams,
- the development of the Minister’s powers in the field of cybersecurity education.
The Future of the Act
The amendment signed by the President of the Republic of Poland will be published in the Journal of Laws and will enter into force one month after its publication.
Regardless of the bill’s signing, the President of Poland decided to refer it to the Constitutional Tribunal for subsequent review to verify whether it violates the provisions of the Polish Constitution.
The following reasons were cited for referring the bill for subsequent review:
- doubts regarding the bill’s coverage of as many as 18 economic sectors, divided into key and important entities, as this expansion does not stem from EU regulations and is an independent initiative of the government,
- reservations regarding the rules for designating entities as high-risk suppliers and issuing “security orders” that interfere with the autonomy of businesses, including through the obligation to replace hardware and software without compensation,
- and flaws in the decision-making system of cybersecurity authorities regarding key and important entities.
In light of the above, the Constitutional Tribunal is tasked with examining the constitutionality of the already signed act.
What does this mean for your organization?
The signing of the law in its current form is good news for obligated entities. During the legislative process, among other things, deadlines were extended, providing more time to prepare and implement the required solutions, and a two-year deferral of the imposition of penalties reduces time pressure. However, it is important to remember that the adopted solutions should be fully operational once the 12-month period for implementing risk management measures has elapsed, and this requires time for your employees to learn how to operate within the new cybersecurity system.
Therefore, it is worth starting preparatory activities now, such as:
- Conduct an analysis to determine whether your organization is subject to the new regulations and to what extent.
- Plan an assessment of the requirements set forth in the UKSC/NIS2 that must be implemented within the organization.
- Begin building a risk management system compliant with UKSC requirements.
- Prepare management staff for their new responsibilities through specialized training.
Summary
The signing of the Act is an important step in the process of implementing the NIS2 Directive in Poland. We will keep you informed about the obligations associated with the Act.
You can find more information regarding the amendment in our previous legal alert
If you have any questions or need assistance in preparing for the UKSC (NIS2) requirements, we remain at your disposal.
KONTAKT
E: magdalena.patryas@pl.Andersen.com
T: +48 32 731 68 84
M: +48 502 392 419
