NIS2 in Poland — KSC amendment compliance guide covering UKE authority, CSIRT NASK, and S46 registration obligations

NIS2 in Poland: Registration, CSIRT Reporting, and UKE Authority Under the Amended KSC

Poland was among the last EU member states to complete NIS2 transposition. After the European Commission issued a reasoned opinion against Poland on 7 May 2025 for failing to notify full transposition measures, the amended Act on the National Cybersecurity System — Ustawa o Krajowym Systemie Cyberbezpieczeństwa (KSC) — was signed into law on 19 February 2026 and entered into force on 3 April 2026.

The scale of the change is significant. The original 2018 KSC covered approximately 400 designated operators of essential services. The amended KSC covers an estimated 42,000 entities — roughly a hundredfold expansion — spanning 18 sectors and applying to any organisation with a Polish seat, branch, or qualifying cross-border activity. If your organisation falls in scope, obligations apply now: registration by 3 October 2026, full implementation (information security management system, supply chain policies, business continuity) by 3 April 2027.

This guide walks through the practical mechanics: which authority supervises your sector, which of Poland’s three CSIRTs receives your incident reports, how the S46 registration system works, what management board liability means in practice, and how ISACs fit into the KSC framework. It is written for both domestic Polish entities and multinationals operating in Poland.

For a foundation on the EU-wide NIS2 framework, see What Is the NIS2 Directive? For scope thresholds and entity classification, see Who Must Comply with NIS2?

Does the Polish KSC Apply to Your Organisation?

The amended KSC applies to organisations that meet all three criteria below. Work through them in order — the first exclusion ends your analysis.

Criterion 1: Established in Poland (both tiers). Registered seat, branch, or qualifying activity in Poland. Non-EU organisations providing DNS, TLD, cloud, CDN, or trust services directed at Polish users are also in scope regardless of establishment location.
Criterion 2: Operates in a covered sector (both tiers). One of the 18 NIS2 sectors: energy (incl. coal mining), transport, banking, financial market infrastructure, health, water supply, digital infrastructure, ICT service management, public administration, space, postal services, waste management, chemicals, food production, manufacturing, online platforms, DNS, and trust services.
Criterion 3: Meets the size threshold.
Essential entity: 250+ employees, or both €50M+ annual turnover and €43M+ balance sheet total. Certain categories (DNS, TLD, cloud, CDN, trust services, telecoms) qualify regardless of size.
Important entity: 50+ employees or €10M+ annual turnover. Certain categories also qualify regardless of size.

If you meet all three criteria, you must self-assess your classification (essential or important), self-register via the S46 system by 3 October 2026, and implement all Chapter 3 KSC obligations by 3 April 2027. The self-assessment you document before registering is your formal evidence of due diligence.

From KSC 1.0 to KSC 2.0: The Scale of Change

The original KSC Act of 2018 implemented the first NIS Directive using a designation-by-decision model: your organisation became regulated only if a ministry affirmatively designated you as an operator of essential services. The process was slow, centralised, and covered a narrow slice of the economy — approximately 400 entities across critical infrastructure sectors.

The amended KSC replaces designation-by-decision with automatic size-and-sector qualification, the standard model used across the EU under NIS2. No ministerial decision is required. If you meet the sector and size criteria, obligations attach automatically. This structural shift drives the expansion from roughly 400 to an estimated 42,000 covered entities, of which approximately 28,000 are public-sector bodies.

New sectors brought into scope include: food production and distribution, chemicals manufacturing, waste management, space infrastructure, and an expanded digital services category covering cloud computing, content delivery networks, and managed security services. Coal mining was added to the energy sector. The essential/important entity distinction replaces the former essential services operator classification, with different supervisory intensity, audit obligations, and penalty caps for each tier.

Competent Authorities: Who Supervises Your Sector

Poland uses a sector-specific model rather than a single national cybersecurity regulator. Each covered sector has a designated competent authority — typically the relevant sectoral ministry or an independent regulatory body — responsible for supervising cybersecurity compliance within that sector. The Ministry of Digital Affairs acts as Poland’s national single point of contact and coordinates with ENISA and other EU member states.

Sector: competent authority
Energy (electricity, gas, oil, heating, coal): Minister responsible for energy
Transport, road, rail and air: Minister responsible for infrastructure (transport)
Transport, waterborne: Minister responsible for maritime economy and inland navigation
Banking and credit institutions: Polish Financial Supervision Authority (KNF)
Financial market infrastructure: Polish Financial Supervision Authority (KNF)
Healthcare: Minister responsible for health
Healthcare, defence-related entities: Minister of National Defence
Drinking water supply: Minister responsible for water management
Digital infrastructure and ICT service management: Minister responsible for digitalization
Electronic communications (telecoms): President of the Office of Electronic Communications (UKE)
Postal and courier services: President of the Office of Electronic Communications (UKE)
Space: Minister responsible for public administration
Public administration: Minister responsible for public administration

UKE’s Role Under the Amended KSC

UKE — Urząd Komunikacji Elektronicznej, the Office of Electronic Communications — is the supervisory authority for electronic communications providers and postal services operators. This is operationally significant for one specific reason: UKE already maintains the national register of telecommunications entrepreneurs. Telecoms operators registered in that register were automatically entered into the NIS2 KSC entity register by the Minister of Digital Affairs, without requiring a separate S46 self-registration. The automatic registration window ran between 13 April and 6 May 2026 — if your organisation is a licensed telecoms provider, verify your entry at wykaz-ksc.gov.pl.

Beyond registration, UKE supervises telecoms entities’ compliance with the full range of KSC obligations: cybersecurity risk management, incident reporting, supply chain security, and board-level governance. UKE has authority to conduct audits, issue binding security decisions, and impose fines on entities in its supervised sectors.

[Figure: Poland's three-CSIRT model, showing how entities are assigned to CSIRT NASK, CSIRT GOV, or CSIRT MON based on which authority supervises their sector. Entities report to CSIRT NASK unless their sector is supervised by the Minister of National Defence (CSIRT MON) or a public-administration ministry (CSIRT GOV).]

Poland’s Three-CSIRT Model: Which Team You Report Incidents To

Poland operates three national-level Computer Security Incident Response Teams (CSIRTs). This decentralised architecture — embedded in the KSC since 2018 — means incident reports do not flow through a single national bottleneck. Each CSIRT serves a distinct segment of the regulated entity population.

CSIRT NASK (CERT Polska) is operated by NASK — Naukowa i Akademicka Sieć Komputerowa (Scientific and Academic Computer Network), a national research institute. CERT Polska is formally designated as CSIRT NASK under the KSC and covers the largest share of entities: most private-sector essential and important entities across digital infrastructure, ICT services, cloud computing, data centres, managed security services, online platforms, electronic communications, energy (non-state-critical), food production, chemicals, waste, and manufacturing. CSIRT NASK is the default reporting contact for any entity whose sector’s competent authority is not the Minister of National Defence or a government ministry with public-sector remit.

CSIRT GOV operates under the Head of the Internal Security Agency (Agencja Bezpieczeństwa Wewnętrznego — ABW). It covers public administration entities and government institutions. Public-sector bodies — government agencies, state entities supervised by central ministries, and local government bodies — report cybersecurity incidents to CSIRT GOV.

CSIRT MON operates under the Ministry of National Defence and handles incident response for defence-sector entities, including healthcare facilities supervised by the Minister of National Defence under specific provisions of the KSC Act.

The assignment rule follows your sector’s competent authority: Ministry of National Defence supervision → CSIRT MON. Public administration ministry oversight → CSIRT GOV. All others (the large majority of private-sector entities) → CSIRT NASK.

Competent authorities can also establish sector-specific CSIRTs that provide targeted support to entities in their sector, functioning as intelligence coordination hubs without replacing the national reporting obligation to one of the three main CSIRTs.

All three CSIRTs use the same three-stage incident reporting timeline: an early warning within 24 hours of becoming aware of a significant incident; a formal incident notification within 72 hours of awareness; and a final report within one month of submitting the 72-hour notification. The 24-hour early warning triggers on awareness, not on confirmed impact. Under NIS2 Article 23 it need only state whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact, so do not hold the early warning back while severity is still being assessed.
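The scoping criteria from the "Does the Polish KSC Apply to Your Organisation?" section, the CSIRT routing rule, and the incident clock above are all decision procedures, so here they are as one self-assessment helper. This is an added example, not code from the page, from the S46 system, or from any Polish authority. The sector and authority labels, the treatment of the size-independent categories as essential (the page lists them in the essential-entity row), and the reading of "one month" as 30 days are this example's own assumptions; confirm them against the Act before relying on the output.

```python
"""Self-assessment helper for the amended KSC.

Added example; not code from the page, from S46, or from any Polish authority.
It encodes three rules as the page states them: the three scoping criteria
(applied in order, first exclusion wins), the CSIRT routing rule, and the
24h / 72h / one-month incident clock. Sector and authority labels, the
essential tier for size-independent categories, and the 30-day reading of
"one month" are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Criterion 2: the 18 sectors listed on the page (label spellings assumed).
COVERED_SECTORS = {
    "energy", "transport", "banking", "financial_market_infrastructure", "health",
    "water_supply", "digital_infrastructure", "ict_service_management",
    "public_administration", "space", "postal", "waste", "chemicals", "food",
    "manufacturing", "online_platforms", "dns", "trust_services",
}
# Criterion 3 exception: categories that qualify regardless of size. The page
# lists them in the essential-entity row, so they are treated as essential here
# (assumption; confirm the tier for your category against the Act).
SIZE_INDEPENDENT_ESSENTIAL = {"dns", "tld", "cloud", "cdn", "trust_services", "telecoms"}
# Criterion 1 exception: non-EU providers of these services directed at Polish users.
NON_EU_IN_SCOPE = {"dns", "tld", "cloud", "cdn", "trust_services"}
# CSIRT routing keyed by the supervising authority; anything else goes to CSIRT NASK.
CSIRT_BY_AUTHORITY = {
    "minister_of_national_defence": "CSIRT MON",
    "public_administration_ministry": "CSIRT GOV",
}


@dataclass
class Entity:
    name: str
    established_in_poland: bool
    sector: str
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    category: Optional[str] = None       # e.g. "cloud" or "telecoms"; None if not applicable
    serves_polish_users: bool = False    # relevant only for non-EU providers
    competent_authority: str = "other"   # label of the sector's supervising authority


def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'out of scope'."""
    # Criterion 1: establishment in Poland, or the non-EU service exception.
    non_eu_exception = e.serves_polish_users and e.category in NON_EU_IN_SCOPE
    if not e.established_in_poland and not non_eu_exception:
        return "out of scope"
    # Criterion 2: covered sector.
    if e.sector not in COVERED_SECTORS:
        return "out of scope"
    # Criterion 3: size, with the size-independent categories checked first.
    if e.category in SIZE_INDEPENDENT_ESSENTIAL:
        return "essential"
    large = e.employees >= 250 or (
        e.turnover_eur >= 50_000_000 and e.balance_sheet_eur >= 43_000_000
    )
    if large:
        return "essential"
    if e.employees >= 50 or e.turnover_eur >= 10_000_000:
        return "important"
    return "out of scope"


def reporting_csirt(e: Entity) -> str:
    """Which of the three national CSIRTs receives this entity's reports."""
    return CSIRT_BY_AUTHORITY.get(e.competent_authority, "CSIRT NASK")


def incident_deadlines(aware_at_iso: str, notified_at_iso: Optional[str] = None) -> Dict[str, str]:
    """Reporting clock from the moment of awareness (ISO 8601 timestamps).

    Early warning and notification run from awareness; the final report runs
    one month from the 72-hour notification (its submission time if known,
    otherwise its deadline). One month is approximated as 30 days (assumption).
    """
    aware = datetime.fromisoformat(aware_at_iso)
    notification_due = aware + timedelta(hours=72)
    submitted = datetime.fromisoformat(notified_at_iso) if notified_at_iso else notification_due
    return {
        "early_warning": (aware + timedelta(hours=24)).isoformat(),
        "notification": notification_due.isoformat(),
        "final_report": (submitted + timedelta(days=30)).isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample entity: a mid-sized Polish manufacturer.
    sample = Entity("Example Sp. z o.o.", True, "manufacturing", 120, 20_000_000, 15_000_000)
    print(sample.name, "->", classify(sample), "/", reporting_csirt(sample))
    print(incident_deadlines("2026-04-10T09:00"))
```

Keep the inputs you feed this helper (headcount, turnover, balance sheet, category, supervising authority) with the documented self-assessment that the registration section asks for; the classification is only as defensible as the figures behind it, and an under-declared tier invites reclassification.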

Registration Obligations: The S46 System

Registration in the national KSC entity register is mandatory. The registration portal is called S46, accessible at wykaz-ksc.gov.pl. Missing the registration deadline does not exempt your organisation from KSC obligations — it creates the additional exposure of operating as an unregistered but still-obligated entity.

Window: dates, who
Automatic entry (ex officio): 13 April to 6 May 2026. UKE-registered telecoms operators, entered by the Minister of Digital Affairs.
S46 portal access opens: 12 June 2026. All entities can begin self-registration.
Self-registration deadline: 3 October 2026. All other essential and important entities.

How to Register

Registration is fully digital — no paper submission is accepted. Applications are submitted using one of: a qualified electronic signature, a trusted signature, a personal signature via biometric ID card, or a qualified electronic seal. Ensure the designated signatory holds one of these credentials before the deadline.

What You Must Declare

The S46 system requires: company identification details (name, legal form, national registration number, registered address), sector classification and entity type (essential or important), internet domains and IP address ranges operated by the entity, details of external cybersecurity service providers, contact persons with identification numbers, and whether the entity has a sector-specific CSIRT it reports to. Any change to declared data must be reported within 14 days — this is an ongoing obligation for the lifetime of your registration.

Self-Assessment Before Registration

Before registering, produce a documented self-assessment confirming your sector, size thresholds, and entity classification. This document is formal evidence of due diligence. Entities that register at a lower tier than their actual classification risk reclassification by the supervisory authority, with retroactive compliance expectations. If you meet the essential threshold, register as essential.

Management Board Liability: What Board Accountability Actually Means

Following NIS2 Article 20, Poland’s amended KSC places cybersecurity governance responsibility directly on management bodies. The explicit intent is to prevent boards from treating cybersecurity as a delegated IT function with no personal accountability attached.

For CISOs and compliance officers: this changes your internal governance architecture. Board approval is required for the organisation’s cybersecurity risk management policy — not just a summary deck presented to the board, but documented evidence that the board reviewed and formally approved the risk approach. Board meeting minutes recording the annual ISMS review and supply chain security decisions are the minimum an auditor will expect at the mandatory April 2028 audit.

For board members: the personal exposure is direct. Under the amended KSC, individual management board members face fines of up to 300% of their monthly remuneration for cybersecurity governance failures. Repeated or serious violations can also result in a prohibition on holding management positions. These personal penalties are distinct from the organisational fine and can be imposed on individuals even when the organisation has separately paid its own penalty.

Outsourcing does not transfer liability. Delegating incident monitoring to a managed security service provider leaves the board accountable for ensuring those services are contractually required, periodically verified, and operating as intended. Delegation reduces operational burden; it does not reduce board-level legal responsibility.

The training obligation: board members must receive formal cybersecurity training aligned with the organisation’s NIS2 obligations, and that training must be documented. Practical steps: add cybersecurity as a standing board agenda item; document board sign-off on the annual risk assessment; record supply chain security review decisions at board level; ensure board members can demonstrate familiarity with incident response procedures and escalation contacts.

ISAC Participation in the KSC Framework

Poland’s amended KSC formally recognises Information Sharing and Analysis Centres (ISACs) and external Security Operations Centres (SOCs) as legitimate components of the national cybersecurity ecosystem. This is an explicit upgrade from the original 2018 KSC, which did not address sectoral information-sharing bodies.

ISACs allow entities within the same sector to share threat intelligence, vulnerability disclosures, and incident data with peers — often before that information reaches national CSIRT level. Participation is voluntary under the current KSC framework, but it serves two practical compliance purposes: it accelerates threat awareness during sector-wide attacks, and it provides documented evidence of proactive risk management during supervisory audits.

Sector-specific CSIRTs established by individual competent authorities often function as operational coordination hubs for sector ISACs in practice. Financial sector entities supervised by KNF, energy operators under the Ministry of Energy, and healthcare organisations under the Ministry of Health each have sectoral working groups that serve ISAC functions. Engage with the relevant sectoral CSIRT or ministry coordination body before the October 2026 registration deadline — incident-response relationships are more effective when established before they are needed.

Key Deadlines and Penalties at a Glance

Implementation Timeline

Date: obligation
3 April 2026: KSC amendment enters into force; incident-reporting obligations apply immediately
13 April 2026: Ex officio entry of UKE-registered telecoms operators into the KSC register begins
6 May 2026: Telecoms ex officio entry window closes
12 June 2026: S46 portal opens for self-registering entities
3 October 2026: Registration deadline for all essential and important entities (except auto-registered telecoms)
3 April 2027: Full compliance deadline; ISMS, incident handling, supply chain security, and business continuity must be operational
3 April 2028: First mandatory cybersecurity audit (essential entities); financial penalty moratorium expires

Penalty Structure

Category: maximum penalty; moratorium
Essential entities: €10 million or 2% of global annual turnover, whichever is higher. Moratorium: yes; cannot be imposed before 3 April 2028 for most operational failures.
Important entities: €7 million or 1.4% of global annual turnover, whichever is higher. Moratorium: yes; the same moratorium applies.
Super-fine (serious threats): PLN 100 million (approx. €23 million) for violations causing direct threats to defence, state security, public safety, or human life. Moratorium: no; applies immediately.
Individual board members: up to 300% of monthly remuneration; possible management position ban. Moratorium: no; personal liability is not affected by it.

The two-year moratorium protects against operational compliance fines only — not against registration failures, incident-reporting non-compliance, or the PLN 100 million super-fine. Non-registration by 3 October 2026 is an enforceable failure from the deadline date.

Multinationals with Polish Operations

If your group operates across multiple EU member states, Poland’s amended KSC applies to the Polish legal entity — subsidiary or registered branch — assessed independently. Parent-company compliance in another jurisdiction does not exempt the Polish entity, and EU-wide group turnover may determine penalty exposure even if the Polish entity’s own turnover is modest.

Polish-registered subsidiaries meeting sector and size criteria are in scope. Polish branches of non-Polish EU groups are assessed on the branch’s Polish activities. Non-EU organisations providing DNS, TLD, cloud, CDN, or trust services directed at Polish users are also in scope regardless of establishment location.

High-risk vendor (HRV) mechanism: The amended KSC gives the Minister of Digital Affairs authority to designate specific ICT products or service suppliers as high-risk. Entities using designated suppliers must cease new deployments immediately and remove existing systems within four to seven years — at their own cost, with no state compensation. This mechanism extends beyond the EU 5G Toolbox and applies across all 18 NIS2 sectors. Multinationals using a shared ICT stack across EU operations should monitor the Polish HRV designation list independently from equivalent mechanisms in other member states.

Constitutional Tribunal challenge: President Nawrocki signed the law on 19 February 2026 but simultaneously filed a motion with the Constitutional Tribunal challenging the HRV designation provisions and certain sector expansions. The law is fully enforceable while the challenge is pending. Multinationals considering HRV-related infrastructure replacements should obtain legal advice on timing before committing to replacement programmes that may be reversed by the Tribunal’s ruling.

Frequently Asked Questions

Is Poland’s NIS2 law already in force?
Yes. The amended KSC Act entered into force on 3 April 2026. Incident-reporting obligations applied immediately. Registration deadline: 3 October 2026. Full implementation: 3 April 2027.

Which CSIRT do I report incidents to?
Most private-sector entities — digital infrastructure, ICT, cloud, energy, food, chemicals, manufacturing, and telecoms — report to CSIRT NASK (CERT Polska). Public-sector entities report to CSIRT GOV. Defence-related entities report to CSIRT MON.

My organisation is a licensed telecoms operator registered with UKE. Do I still need to use S46?
Check wykaz-ksc.gov.pl. Telecoms operators were automatically entered between 13 April and 6 May 2026. If your entry contains errors, correct them within 14 days of discovery.

Does the two-year moratorium cover all fines?
No. The PLN 100 million super-fine for violations causing direct serious threats is explicitly excluded from the moratorium. Registration failures and incident-reporting non-compliance are also outside its protection.

Does ISO 27001 certification satisfy KSC obligations?
No, but it is helpful evidence for the mandatory audit. KSC registration and incident-reporting obligations are independent requirements that GDPR or ISO 27001 compliance does not substitute for.

Sources

NIS2 Directive finally implemented in Poland — Addleshaw Goddard LLP
Poland: Mandatory NIS2 Registration Launched — Mondaq
EU NIS2 in Poland — OpenKRITIS
Poland — EU NIS2 Directive — Eversheds Sutherland
Poland’s KSC Act: NIS2 Impact on Supply Chain — CMS Law
NIS2 directive implementation in Poland — Copla
NIS2 Directive implementation in Poland — European Commission
Poland’s New Cybersecurity Law: What the KSC Amendment Means — security.land

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
