Poland’s parliament adopted an amendment to the National Cybersecurity System Act implementing NIS2. The changes expand the covered sectors and impose concrete organisational and technical measures on essential and important entities. For boards, this translates into formal accountability and readiness for supervision and audits.
The scope is broadened to additional sectors, beyond traditional critical infrastructure. Supervisory powers are strengthened: authorities may issue warnings, appoint a monitoring official, and order security assessments or audits. Sectoral CSIRTs are introduced to support incident handling, provide threat information and training. Incident reporting is streamlined via the S46 system.
Essential and important entities must implement proportionate technical and organisational measures, including asset review, threat identification, procedure updates and staff training. The amendment also addresses “high-risk suppliers”, limiting the use of their products in key systems and requiring withdrawal under defined timelines.
A parliamentary amendment provides that administrative fines may be imposed for the first time only after two years from entry into force, to give entities time to prepare.
What this means for our clients?
– Confirm whether your Polish entity falls into essential/important scope.
– Set governance: ownership, board reporting, budget and decision-making for cybersecurity.
– Run a rapid cyber gap check (assets, procedures, training, incident readiness/reporting).
– Reassess supply chain exposure (IT/OT suppliers and contracts).
– Build evidence of compliance for potential assessments/audits.
NIS2 makes cybersecurity a supervised compliance area. We can support with scoping, gap assessment and a pragmatic implementation roadmap for your Polish entity.
Categories/Tags: IT, Compliance, Cybersecurity
#NIS2 #Cybersecurity #Governance