President Karol Nawrocki has signed the amendment to the Act on the National Cybersecurity System (KSC), implementing the EU’s NIS2 Directive. The new regulations significantly expand the scope of entities subject to cybersecurity obligations and impose real liability on corporate board members. Simultaneously, a motion has been filed with the Constitutional Tribunal to review provisions regarding “high-risk vendors.”
The amendment represents a breakthrough step toward increasing the digital security of the state’s strategic sectors. For businesses, it signals the need for rapid preparation to meet new requirements.
Expanded Scope of Entities Under KSC
The new regulations cover not only traditional critical infrastructure sectors but also industries previously less scrutinized, including:
- Wastewater management
- Postal and courier services
- The space industry
- The production and distribution of chemicals and food
In practice, this means an increasing number of enterprises must analyze their position within the context of KSC and NIS2 to assess their obligations regarding the implementation of appropriate security measures.
Management Liability
Key changes in the Act include:
- Classification into “Essential” and “Important” Entities: A requirement to implement effective technical and organizational measures, coupled with the personal liability of managers for regulatory compliance.
- Expanded Powers for State Authorities: Increased oversight by the Government Plenipotentiary for Cybersecurity and broader enforcement capabilities.
- Implementation of Sectoral and National CSIRTs: Enhanced support for incident response and the centralization of threat intelligence.
- Sanctions for Non-compliance: Penalties ranging from heavy financial fines to criminal liability for board members.
“The amendment to the KSC Act is a step toward increasing digital security in the state’s strategic sectors. At the same time, it imposes significant obligations on entrepreneurs. Particular attention should be paid to the procedure for designating high-risk vendors and the board’s responsibility for ensuring internal processes comply with NIS2 requirements,” emphasizes Attorney Anna Kobylińska, owner of the Legal Eagles Law Firm.
Significance for Business
For enterprises, the amendment necessitates:
- Reviewing and updating security policies.
- Implementing appropriate data protection procedures and technologies.
- Preparing the organization for audits and inspections by state authorities.
- Increasing leadership awareness and accountability in the area of cybersecurity.
Companies that ignore these new requirements risk severe financial and legal consequences.


