The Polish government has announced that its legislative work on amending the National Cybersecurity System Act will conclude this quarter. The revised law will align Polish regulations with the NIS2 directive, the European Union’s key cybersecurity legislation. The change will significantly impact the cybersecurity policies of large and medium-sized organizations classified as essential and important entities. While some critics argue the regulation is overly burdensome, cybersecurity experts insist that it offers long-term benefits—especially in today’s evolving geopolitical landscape.
A Wake-Up Call for Polish Businesses
According to KPMG’s Cybersecurity Barometer 2025, 83% of Polish companies experienced at least one cybersecurity incident in 2024, a sharp rise of 16 percentage points compared to the previous year. Over 50% of company representatives believe that AI technologies will intensify cyber risks.
“The NIS directive is one of the EU’s cornerstone regulations aimed at improving cybersecurity across multiple levels,” says Joanna Świątkowska, Deputy Secretary General at the European Cyber Security Organisation (ECSO).
“It not only affects specific industries—particularly critical infrastructure—but also requires systemic solutions at the national level and fosters cooperation between EU member states.”
NIS2 in Poland: What’s Changing?
Although NIS2 took effect across the EU in 2023, Poland is still finalizing its domestic implementation. The process has involved numerous revisions due to the complexity and scope of the proposed law. According to Poland’s Ministry of Digital Affairs, the government’s work will conclude in Q2 2025. The legislation is expected to apply to around 38,000 entities.
The new directive replaces the previous classification of operators of essential services, digital service providers, and public entities with two categories:
- Essential entities – Organizations critical to the economy and society, including those in energy, finance, healthcare, and digital infrastructure.
- Important entities – Those in telecommunications, postal and courier services, and waste management.
All covered organizations must implement cyber risk mitigation strategies tailored to modern threat environments, including threats stemming from complex supply chains.
“Hospitals, power plants, or telecom providers all depend on multiple vendors and partners. These digital interdependencies introduce new risks that must be addressed,” Świątkowska explains.
“For the first time, the directive requires organizations to consider supply chain cybersecurity as a formal part of their risk management strategy.”
Awareness Still Lags Behind Risk
KPMG’s data shows that only 5% of companies currently view supply chain attacks as a major risk, though that figure is five times higher than a year earlier. Meanwhile, the share of companies that believe no such risk exists fell to 20%, down from 38%. NIS2 may be helping raise awareness.
Who Will Be Affected?
NIS2 applies to:
- Essential entities: Companies with 250+ employees and €50M+ in annual turnover.
- Important entities: Companies with 50+ employees and €10M+ in turnover.
- Certain small and micro enterprises: Those deemed crucial to specific sectors (e.g., trust service providers, DNS providers, top-level domain registries).
These organizations will be required to:
- Conduct regular risk assessments
- Implement advanced security measures
- Report security incidents to the Computer Security Incident Response Team (CSIRT)
From Regulation to Implementation
While some voices across the EU are calling for deregulation, Świątkowska argues that cybersecurity is one area where regulation brings clear benefits, including greater awareness, investment, and engagement.
“The debate is less about the existence of regulation and more about how it’s implemented. Implementation should be user-friendly and effective, not overly complex,” she says.
Poland has taken a leadership role in these discussions during its EU Council presidency, emphasizing the need for a harmonized and coordinated rollout across all member states.
Responding to a Surge in Threats
NIS2 comes at a time of heightened cyber risk across Europe. The EU Agency for Cybersecurity (ENISA) reported over 11,000 cybersecurity incidents in 2023, including 322 cross-border attacks affecting at least two member states. Nearly 20,000 vulnerabilities were identified—over 9% of which were in the “essential” category and 22% in the “important” category.
“Success won’t come from merely drafting new laws—it will depend on effective, real-world application,” Świątkowska concludes.
“Cybersecurity policy should not create unnecessary barriers but enable organizations to protect themselves and the wider economy.”