Poland NIS2: Which Sector Ministry Supervises Your Business — and Which of 3 CSIRTs Takes Your Incident Report
When Germany implemented NIS2, it kept things simple: the BSI handles cybersecurity supervision for virtually every in-scope sector. France did the same — ANSSI is the single competent authority for almost every sector (see our France NIS2 competent authority guide). Poland took a fundamentally different path.
Under the amended Act on the National Cybersecurity System (the KSC Act), which entered into force on 3 April 2026, Poland distributes NIS2 oversight across its existing sector ministries. Energy entities report to the minister responsible for energy. Healthcare entities report to the minister responsible for health. Banking entities report to the Polish Financial Supervision Authority. The list continues across more than a dozen sectors — each with its own supervisory body and, in many cases, its own sector-level CSIRT.
Understanding Poland’s structure is not optional — it determines who audits you, who can impose penalties, and which of Poland’s three national CSIRTs receives your incident reports. This article maps the complete authority structure so you can route your compliance obligations correctly.
Why Poland Chose Multiple Sector Authorities Instead of One
NIS2 Directive Article 8(1) explicitly permits member states to designate one or more competent authorities responsible for cybersecurity and supervisory tasks. Article 8 does not require centralisation — it leaves the architecture to each member state. Germany and France chose single-authority models. Poland chose maximum distribution.
The rationale is rooted in Poland’s pre-existing regulatory tradition. Each sector already had an established ministerial supervisory chain: the Financial Supervision Authority (KNF) supervised banks; the Ministry of Health supervised healthcare entities; the Ministry of Infrastructure supervised transport operators. Rather than create a new central cybersecurity body and transfer supervisory jurisdiction away from sector ministries, Poland extended existing competence to cover NIS2 obligations.
The practical consequence is significant. In Germany, a logistics company and a water utility operator both engage with the BSI. In Poland, the logistics company engages with the Ministry of Infrastructure while the water utility engages with the Ministry of Marine Economy and Inland Navigation. Each sector authority sets its own supervision priorities, inspection schedules, and guidance documents — there is no single point of escalation for cross-sector compliance questions outside the Government Plenipotentiary for Cybersecurity, who coordinates national cybersecurity policy across all sector authorities.
For organisations operating in Poland, this means your first compliance action is sector identification, not a universal registration. The authority that supervises you depends entirely on which NIS2 sector — or primary sector, if you span more than one — describes your operations.
For a detailed comparison with Germany’s single-authority model, see our Germany NIS2 competent authority guide.
The Complete Authority Map: Your Sector, Your Supervising Ministry
The European Commission’s official NIS2 designation register and the Eversheds Sutherland implementation tracker confirm the following sector-authority assignments for Poland. Entities in the defence sphere fall under the Ministry of National Defence regardless of their primary commercial sector.
| NIS2 Sector | Competent Authority | Classification |
|---|---|---|
| Energy (electricity, oil, gas, hydrogen, heating/cooling) | Minister responsible for energy (Ministry of State Assets — Department of Security and Crisis Management) | Essential |
| Transport — road, rail, air (excl. waterways) | Minister responsible for transport (Ministry of Infrastructure) | Essential |
| Transport — maritime and inland waterways | Minister responsible for maritime economy (Ministry of Marine Economy and Inland Navigation) | Essential |
| Banking and financial market infrastructure | Polish Financial Supervision Authority (KNF) | Essential |
| Healthcare | Minister responsible for health (Ministry of Health) | Essential |
| Drinking water supply and distribution | Minister responsible for water management (Ministry of Marine Economy and Inland Navigation) | Essential |
| Digital infrastructure (DNS, TLD registries, cloud, data centres, CDN, CSPs) | Minister responsible for digitalisation (Ministry of Digital Affairs, Department of Cybersecurity) | Essential |
| ICT service management (MSPs, MSSPs) | Minister responsible for digitalisation (Ministry of Digital Affairs) | Essential |
| Public administration | Ministry of Digital Affairs (central government); sector minister for subordinate bodies | Essential |
| Space | Minister responsible for economy | Essential |
| Postal and courier services | President of the Office of Electronic Communications (UKE) | Important |
| Waste management | Minister responsible for climate and environment | Important |
| Chemicals (manufacture, production, distribution) | Minister responsible for economy | Important |
| Food production and distribution | Minister responsible for agriculture | Important |
| Manufacturing (medical devices, electronics, machinery, vehicles) | Minister responsible for economy | Important |
| Digital service providers (online marketplaces, search engines, social platforms) | Minister responsible for digitalisation (Ministry of Digital Affairs) | Important |
| Research organisations | Minister responsible for higher education and science | Important |
| Defence-related entities (any sector) | Ministry of National Defence | Essential or Important by size |
Single Point of Contact (SPOC): Poland’s NIS2 SPOC — the body responsible for cross-border liaison with other EU member states under Article 8(4) — is the Ministry of Digital Affairs, Department of Cybersecurity (ppk_ksc@mc.gov.pl, +48 22 245 59 22). The SPOC ensures that incidents with cross-border impact and joint investigations involving Polish authorities are coordinated at EU level through the NIS2 Cooperation Group and CSIRT Network.
Entities unsure of their essential or important classification should complete the self-assessment before the 3 October 2026 registration deadline to confirm which sector authority applies and at what obligation level.
The UKE Exception: Why Telecoms Entities Skip Self-Registration
Most organisations in scope for Poland’s NIS2 must register themselves via the S46 System, the national register accessible at wykaz-ksc.gov.pl. The self-registration window runs from 7 May to 3 October 2026. The Ministry of Digital Affairs made initial ex officio entries for existing operators of essential services and trust service providers between 13 April and 6 May 2026.
Telecommunications undertakings operate differently. The Mondaq/Dentons analysis confirms that telecom providers are entered into the NIS2 register automatically, based on the existing telecoms register held by UKE (Urząd Komunikacji Elektronicznej — the Office of Electronic Communications). Rather than requiring every ISP, mobile network operator, or electronic communications provider to navigate a new registration process, Poland’s implementation leverages UKE’s pre-existing licence and operator database.
UKE carries dual weight in Poland’s NIS2 framework. As the electronic communications sector regulator, it serves as the competent authority for digital infrastructure entities in the telecoms sub-sector — meaning UKE supervises compliance, can conduct audits, and can impose penalties against telecoms operators, independently from the Ministry of Digital Affairs. UKE also acts as the competent authority for the postal and courier services sector.
The practical implication for telecoms operators: your entry into the NIS2 register happens automatically, but you are still responsible for verifying that your registration data in the S46 System is accurate and complete. The auto-entry does not discharge your obligation to ensure correct sector classification, contact details, IP address ranges, and cybersecurity service provider information are on file. If your UKE licence data is outdated, your NIS2 registration will reflect that inaccuracy — and the change-reporting obligation (14 days for material changes) applies from the moment your entry exists, regardless of how it was created.
For the full obligations that apply once your registration is in place, see our NIS2 entity registration guide.
The Three-CSIRT Model: Which Team Handles Your Incidents
NIS2 Article 10(1) requires each member state to designate or establish one or more CSIRTs covering all sectors in Annexes I and II. Poland designated three national CSIRTs, each operating 24/7 and each with a distinct institutional home. The assignment logic follows the entity’s relationship to the state rather than its commercial sector.
CSIRT GOV is led by the Head of the Internal Security Agency (Agencja Bezpieczeństwa Wewnętrznego — ABW). It handles entities in the government and public administration sphere: central government bodies, ministries, and public administration entities. If your organisation is a public body or a government agency, CSIRT GOV is your primary CSIRT contact for incident coordination.
CSIRT MON is led by the Minister of National Defence. It handles defence-related entities — organisations in the defence industrial base, military contractors, and entities that the Ministry of National Defence has designated as falling within the defence sector regardless of their commercial description. Entities with significant defence contracts or classified activities may be assigned to CSIRT MON even if their primary commercial classification points elsewhere.
CSIRT NASK is led by NASK (Naukowa i Akademicka Sieć Komputerowa — the Research and Academic Computer Network). NASK operates CERT Polska, Poland’s longest-running computer emergency response team. CSIRT NASK handles all remaining entities: private-sector operators across energy, banking, healthcare, transport, digital infrastructure, manufacturing, and all other commercial sectors. For the overwhelming majority of private companies in scope under Poland’s NIS2, CSIRT NASK — via CERT Polska — is the national CSIRT contact.
Below the three national CSIRTs, sector competent authorities may establish sector-specific CSIRTs that provide specialised support to entities within their sector. A sector-specific CSIRT in the energy or banking sector, for example, can coordinate sector-wide threat intelligence and provide incident response support tailored to sector-specific systems and protocols. These sector CSIRTs report to their competent authority and submit annual reports to the Government Plenipotentiary for Cybersecurity by 31 January each year.
The incident reporting chain runs parallel to this CSIRT assignment. When a significant incident occurs, you notify both your competent sector authority and your assigned CSIRT — not just one or the other. The reporting timeline follows the standard NIS2 framework under Article 23: a 24-hour early warning, a 72-hour full notification, and a one-month final report. For more on the reporting obligations and what constitutes a significant incident in the Polish context, see our Article 23 incident notification guide.
Cross-Sector Entities: When More Than One Ministry Applies
NIS2 permits member states to have multiple competent authorities, which creates a practical challenge for organisations that span more than one sector. A company that operates both data centres (digital infrastructure, supervised by the Ministry of Digital Affairs) and a fleet of vehicles for distribution (transport, supervised by the Ministry of Infrastructure) theoretically falls under two different sector authorities.
Poland’s KSC Act resolves this through the principal sector rule: the competent authority of your primary business activity supervises your NIS2 compliance as a whole. When registering in the S46 System, you must identify your primary sector classification, which then determines your sector authority. If your business’s primary commercial activity is transport and your data centre operations are ancillary to that, the Ministry of Infrastructure is your competent authority — even though another ministry supervises pure data centre operators.
In practice, this means your sector classification decision in the S46 registration carries more weight than a simple tick-box exercise. Document the rationale for your primary sector choice at registration time. If a sector authority later disputes your classification, having a written self-assessment record — aligned with your revenue breakdown, employee headcount by activity, and operational criticality analysis — constitutes evidence of due diligence.
Entities that genuinely cannot determine a primary sector, or whose activities are so evenly split that no single sector dominates, should seek legal guidance before submitting their registration. The self-assessment obligation is yours, but the consequences of misclassification — including registration with the wrong authority and potentially missing sector-specific audit requirements — can extend well beyond the initial registration window.
Penalties: Who Imposes Them and How Much
Poland adopts the NIS2 penalty tiers directly. Each sector minister can issue fines, binding corrective instructions, and temporary management prohibitions within their sector.
| Entity type | Maximum fine | Alternative (applied if higher) |
|---|---|---|
| Essential entities | €10 million | 2% of total worldwide annual turnover |
| Important entities | €7 million | 1.4% of total worldwide annual turnover |
| Any entity — direct national security threat | PLN 100 million (~€23 million) | N/A — domestic Polish supplement to NIS2 tiers |
The PLN 100 million threshold applies only when a violation causes a direct, serious cybersecurity threat to national security, state security, public safety, or human life or health — not as a routine penalty for failing to implement security measures.
Enforcement authority is co-located with supervision. The Ministry of Digital Affairs does not have general enforcement jurisdiction over all NIS2 entities — it enforces only against digital infrastructure and ICT service management entities within its remit. The Ministry of Health enforces against healthcare entities. KNF enforces against banks and financial market infrastructure. In Poland’s sector-minister model, your competent authority is your enforcer.
Beyond financial penalties, competent authorities can order entities to publish information about violations and temporarily prohibit responsible managers or legal representatives from exercising management functions — creating personal exposure for directors and C-suite executives, not just the corporate entity. For how the eight-factor penalty calculation (seriousness, duration, prior violations, cooperation level) is applied in a comparable EU enforcement context, see our France NIS2 penalties and enforcement guide.
Frequently Asked Questions
When is the registration deadline for Polish NIS2 entities?
The self-registration window runs from 7 May to 3 October 2026 via the S46 System at wykaz-ksc.gov.pl. Telecoms entities are registered automatically from the UKE database. The full compliance deadline — implementing the required security measures — is 3 April 2027.
Does Poland’s sector-minister model change my incident reporting obligations?
No. The reporting timeline (24h early warning, 72h notification, 1-month final report) is set by Article 23 of the NIS2 Directive and applies uniformly. What changes is to whom you report: your sector competent authority plus your assigned national CSIRT (CSIRT NASK for most private-sector entities).
What if my organisation has no presence in Poland but provides services to Polish entities?
If your organisation provides in-scope services to recipients in Poland and you have no EU establishment, you may be required to designate a representative in an EU member state. For cross-border digital service providers, the Ministry of Digital Affairs acts as competent authority. Verify jurisdiction under Article 26 of the Directive before assuming no obligation applies.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- NIS2 Directive 2022/2555, Articles 8 and 10 — nis-2-directive.com
- European Commission, “NIS2 Directive implementation in Poland” — digital-strategy.ec.europa.eu
- Eversheds Sutherland, “Poland — EU NIS2 Directive” — ezine.eversheds-sutherland.com
- Mondaq/Dentons, “Poland: Mandatory NIS2 Registration Launched” — mondaq.com
- OpenKRITIS, “EU NIS2 in Poland” — openkritis.de
