Poland Adopts NIS2: President Signs Cybersecurity Law, Refers It to Constitutional Review

President Karol Nawrocki on Thursday signed the bill amending Poland’s National Cybersecurity System (KSC) and referred it for ex post review to the Constitutional Tribunal. The new regulations transpose the EU’s NIS2 Directive into Polish law and are intended to strengthen the resilience of companies and public institutions to cyber threats. As experts stress, this is a crucial missing piece of the broader cybersecurity ecosystem—its absence has limited the level of protection for both private and public entities.

“Until now, the area of cyber protection has not been subject to far-reaching regulation. Recently, however, we have seen rules emerging both at the European Union level and domestically, which I hope will soon form an ecosystem,” Dr. hab. Eng. Agnieszka Gryszczyńska, Director of the Department for Cybercrime and Digitalization at the National Prosecutor’s Office, told Newseria.

As she notes, at the EU level these include, among others, the NIS2 Directive on network and information systems, the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act (CRA).

“On the national level, we have the Act on combating abuses in electronic communications, provisions in the Criminal Code, and, finally, the Act on providing services by electronic means,” Gryszczyńska lists. “If we want, first, to impose certain obligations on entities responsible for strengthening cybersecurity, then to enforce them, and to punish perpetrators of violations both administratively and under criminal law, we need to adopt specific regulations.”

On Thursday, 19 February, the President signed the amendment to the KSC Act intended to implement the EU’s NIS2 Directive into Polish law. The changes include replacing the previous division into operators of essential services and digital service providers with a new classification: essential entities and important entities. The law introduces definitions for essential entities—those whose operations are critical to the functioning of the state and the economy—and important entities which, despite their smaller scale, must still meet cybersecurity obligations, including incident reporting and applying basic procedures to protect information systems. The act also strengthens incident-response arrangements and clarifies the roles of authorities responsible for cybersecurity.

The catalogue of entities covered by the national cybersecurity system will be expanded to include new sectors of the economy, with the aim of improving digital security in particularly sensitive areas. New CSIRT teams (Computer Security Incident Response Teams) will be established to support incident handling in specific sectors.

“The main risk related to implementing the directive is time—we want it to happen as quickly as possible. The act that has been developed fully delivers the directive’s objectives, adapting them to local conditions,” says Mikołaj Śniatała, an attorney at Andersen Tax & Legal. “It reflects a consensus among all stakeholders involved in drafting it and supports the goal of strengthening cybersecurity.”

A number of organizations representing companies operating in key sectors and experts from the digital industry urged the President to sign the KSC legislation. In their appeal, they argued that the regulation should be seen not only as part of the national security system, but also as a key instrument of economic policy, providing businesses with stable and predictable operating conditions. The signatories emphasized that effective tools for eliminating cyber threats are necessary for the economy to function continuously, safely, and resiliently in the face of external shocks. This is particularly important given that a country’s level of digital security increasingly determines its attractiveness as an investment destination.

One of the most significant changes is the procedure for designating “high-risk suppliers.” As the government emphasizes, this mechanism is intended to remove dangerous equipment and services from the state’s critical systems. Decisions in this area will be taken by the Minister for Digital Affairs, with the involvement of the Cybersecurity College, through a transparent, multi-stage administrative process. Entities important to the functioning of the state will be prohibited from introducing products from a high-risk supplier into their systems—and if they already have such products, they will be required to withdraw them within seven years. A supplier that disagrees with the decision will be able to file a complaint with the administrative court.

“When it comes to the difficulty of implementing the act’s provisions, we should look at it through the lens of organizational readiness. An organization needs to understand what it is, where its vulnerabilities lie, and where it needs support. The act does not mandate specific solutions; it simply heightens awareness that the issue must be addressed—risk must be analyzed and, based on that, areas requiring improvement must be identified,” Śniatała explains.

This is a major change for a broad group of companies and institutions. Previously, the regulation covered around 400 operators of essential services; the amendment may now extend to more than 10,000 entities operating in essential and important sectors of the economy.

“It should be noted that this act does not impose specific obligations as such, but rather sets out the measures that need to be undertaken in order to determine those obligations. It is the entrepreneur who should carry out a self-assessment and indicate how to secure their cybersecurity,” the Andersen Tax & Legal attorney adds.

Entities covered by these regulations will be required to implement an information security management system. They will need to review their assets, identify cyber threats, analyze existing procedures, and train employees. The new sector-specific CSIRT teams are expected to support businesses in these tasks—so as to protect data and infrastructure against cyber threats.

“If we talk about challenges, they may arise in access to auditors who can properly identify and conduct an appropriate risk analysis and provide entrepreneurs with recommendations that are truly adequate. The act does not require spending large sums on solutions that are disproportionate to the threat, so the biggest challenge for entrepreneurs and public administration will be the correct identification of risk,” Śniatała says.

By signing the act, the President simultaneously decided to refer it for ex post review by the Constitutional Tribunal.

“Concerns are raised by the fact that the act covers as many as 18 economic sectors grouped into essential and important entities. This expansion does not stem from European provisions, but is an independent initiative of the government. It is also justified to raise objections to the provisions regulating the rules for recognizing entities as high-risk suppliers (DWR), as well as the rules for issuing so-called protective orders. These provisions interfere with entrepreneurs’ operational autonomy, including by imposing an obligation to replace equipment and software—without compensation and without securing financial resources for this purpose. Moreover, the decision-making system by cybersecurity authorities vis-à-vis essential and important entities is flawed from the perspective of procedural guarantees and judicial protection. The system of administrative penalties provided for in the act is restrictive, and the level of possible fines has, in fact, the character of standalone punitive measures,” the Presidential Chancellery explained in a statement published on its website. “The President therefore decided to refer the act to the Constitutional Tribunal in order to verify the allegations raised regarding violations of the Constitution of the Republic of Poland.”
