NIS 2 status in Poland

What the directive requires, how Poland transposes it, and where the Ministry of Digital Affairs and the three CSIRTs sit inside the picture.

Simon Orzel

Overview

The NIS 2 directive is the EU layer. It binds every member state, including Poland, with one cybersecurity floor for essential and important entities. Poland must put that floor into Polish law and run a supervision regime under it.

Poland transposes NIS 2 through an amendment to its existing Act on the National Cybersecurity System (Ustawa o krajowym systemie cyberbezpieczeństwa, UKSC) from 2018. The Sejm adopted the amendment on 23 January 2026, the President signed it on 19 February 2026, it was published in the Journal of Laws on 2 March 2026 (Dz.U. 2026 poz. 252) and it entered into force on 3 April 2026. Poland missed the directive's 17 October 2024 deadline; the European Commission opened an infringement procedure with a reasoned opinion on 7 May 2025.

The lead competent authority and national Single Point of Contact is the Ministry of Digital Affairs (Ministerstwo Cyfryzacji). At operational level, three national CSIRTs work in parallel: CSIRT NASK for the private sector and digital services, CSIRT GOV for public administration and critical infrastructure, CSIRT MON for the military domain. Sector regulators such as KNF in the financial sector keep their competence where DORA acts as lex specialis.

Where the rules live
Three layers anyone reading the Polish version of NIS 2 needs to keep apart.

EU directive

Directive (EU) 2022/2555 (NIS 2)

The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.

EU implementation

Commission Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Poland without national transposition.

Polish transposition

Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczeństwa oraz niektórych innych ustaw (Dz.U. 2026 poz. 252)

The Polish NIS 2 transposition, structured as an amendment to the existing UKSC of 5 July 2018. Published in the Journal of Laws on 2 March 2026, in force from 3 April 2026. Implementing regulations from the Ministry of Digital Affairs fill in the operational detail.

Three things to know
What changes for entities operating in Poland.

Transposition

UKSC amendment 2026

Carries the NIS 2 obligations into Polish law. Defines essential and important entities (podmioty kluczowe i ważne), the supervisory powers of the Ministry of Digital Affairs, incident reporting duties to the relevant CSIRT, and sanctions. Sectoral CSIRTs for strategic industries are a new feature introduced by the amendment.

Authority

Ministry of Digital Affairs and three CSIRTs

The Ministry of Digital Affairs is the lead competent authority and national Single Point of Contact toward the EU and other member states. Three CSIRTs operate in parallel: CSIRT NASK (private sector, digital services), CSIRT GOV (public administration, critical infrastructure, run by the Internal Security Agency ABW), and CSIRT MON (military).

Deadlines

Registration and implementation

The amendment entered into force on 3 April 2026. Entities meeting the criteria as of that date must register on the official list of essential and important entities. They have twelve months to implement all Chapter 3 security measures, i.e. until 3 April 2027. Incident reporting follows the directive: 24-hour early warning, 72-hour notification, one-month final report, transmitted through the national S46 system to the relevant CSIRT.

Two principles that decide every edge case
Use these before reading any Polish commentary on NIS 2.

Local law applies inside Poland

Operations on Polish territory follow the Polish transposition. A German Geschäftsführer running a Polish subsidiary reads the UKSC as amended on 23 January 2026 for that subsidiary, not the German BSIG. The directive obligations are identical; the procedure, the authorities and the sanctions live in Polish law.

Poland cannot drop below the EU floor

The directive is a minimum harmonisation instrument. Poland can go stricter and in places does, on sectoral structures and supply chain controls. It cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability.

Who does what in Poland
Three actors that show up in almost every NIS 2 question in Poland.

PL

Ministry of Digital Affairs

The Ministerstwo Cyfryzacji is the lead competent authority under the UKSC and the national Single Point of Contact toward the EU and the Cooperation Group. It maintains the official list of essential and important entities, issues implementing regulations, and coordinates the three national CSIRTs and the new sectoral CSIRTs.

PL

CSIRT NASK, CSIRT GOV, CSIRT MON

Poland runs three national CSIRTs in parallel. CSIRT NASK (hosted at the Research and Academic Computer Network NASK) covers the private sector and digital services and acts as operational point of contact for most companies. CSIRT GOV (hosted at the Internal Security Agency ABW) covers public administration and critical infrastructure. CSIRT MON covers the military domain. Which CSIRT is competent follows from sector and ownership, not from the entity's choice.

EU

ENISA

The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for Polish entities; the Ministry of Digital Affairs and the three CSIRTs are.

Pitfalls
Mistakes we see when Polish entities first read NIS 2.
  • We just follow the German NIS2UmsuCG, that saves time.

    The directive obligations are the same in DE and PL, but the national procedure is not. Poland registers through the Ministry of Digital Affairs, reports incidents to CSIRT NASK, CSIRT GOV or CSIRT MON depending on sector, and uses the S46 system. A Polish subsidiary of a German group documents its compliance against the UKSC as amended on 23 January 2026, not against the German BSIG.

  • Poland has no official register yet, so we can wait.

    The UKSC amendment entered into force on 3 April 2026. Entities meeting the criteria must register on the official list of essential and important entities and have until 3 April 2027 to implement all Chapter 3 security measures. Waiting is not the same as grace: the duties apply from entry into force; only the sanction practice is staged.

  • We are in the financial sector under KNF supervision, NIS 2 does not concern us.

    For banks, payment service providers and other financial actors, DORA is lex specialis for ICT security, enforced by KNF. The NIS 2 registration duty with the Ministry of Digital Affairs still stands. Even those following DORA substantively must formally be identified and registered as NIS 2 entities. This is a common applicability check error.

Practitioner view

Poland was one of the seven member states the European Commission targeted with a reasoned opinion on 7 May 2025 for failing to notify NIS 2 transposition. The UKSC amendment of 23 January 2026, in force from 3 April 2026, closes that gap. In practice, the obligations are now clearly defined, while sanction practice is still in its first months.

The practical move is the same as everywhere else in the EU: confirm scope under the directive, register with the Ministry of Digital Affairs, set up the four continuous obligations (registration upkeep, incident reporting to the relevant CSIRT, supply chain risk, management body oversight), and document the minimum. Polish entities owned by German parents should clarify which CSIRT is competent for them before the first incident happens.

How the platform helps

We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a Polish subsidiary under the UKSC, a German parent under BSIG, and a Dutch sister under the Cyberbeveiligingswet. Article references switch per locale; the substantive obligations do not.

For Polish scope you start with the applicability check, then move to incident reporting cadence with the right CSIRT, supply chain clauses and management body sign-off. Where the Ministry of Digital Affairs or the CSIRTs publish sector guidance, we reference it; we do not duplicate it.

Sources
  • Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
  • Commission Implementing Regulation (EU) 2024/2690
  • Ustawa z dnia 5 lipca 2018 r. o krajowym systemie cyberbezpieczeństwa (Dz.U. 2018 poz. 1560) — ISAP Sejm
  • Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczeństwa oraz niektórych innych ustaw (Dz.U. 2026 poz. 252) — ISAP Sejm
  • Ministry of Digital Affairs (Ministerstwo Cyfryzacji) — official site, gov.pl/web/cyfryzacja
  • CSIRT NASK — csirt.nask.pl
  • CSIRT GOV (Internal Security Agency ABW) — csirt.gov.pl
  • European Commission, reasoned opinion on failure to notify NIS 2 transposition, 7 May 2025
  • KNF / Polish Financial Supervision Authority — competent authority for DORA in the financial sector

Check your Polish scope in under five minutes
The applicability check applies the directive's size and sector test. If your Polish subsidiary is in scope, the next step is registration with the Ministry of Digital Affairs.