On 3 April 2026, an amendment to the Act on the National Cybersecurity System entered into force, implementing the NIS2 Directive into Polish law. The new provisions extend the catalogue of entities subject to cybersecurity obligations and introduce a division into key entities and important entities. For many entrepreneurs, this means the need to carry out self-identification, prepare for entry in the KSC Register, and implement new organisational and technical requirements.
The Polish implementation of NIS2 is now in force
Following the entry into force of the Polish implementation of NIS2, the new cybersecurity rules have moved from the legislative stage to the stage of practical application. Since 7 May 2026, self-registration in the Register of key entities and important entities has been ongoing, and since 12 June 2026, new entities covered by the Act have been able to use the S46 System. This means that entrepreneurs should not only monitor the new regulations, but above all determine whether they are subject to the obligations arising from the Act and whether they should be entered in the KSC Register.
The NIS2 Directive replaces the previous EU cybersecurity framework and significantly broadens the scope of regulation. Its purpose is to increase the cyber resilience of entities operating in sectors that are important for the functioning of the economy and the state. The regulation is based on the assumption that the security of networks and information systems is not only a technical issue, but also an element of the continuity of services that are important from the perspective of the market, public administration and citizens.
The Polish implementation was carried out through an amendment to the Act on the National Cybersecurity System, which entered into force on 3 April 2026. From that moment, the deadlines for fulfilling the new obligations started to run. One of the key changes is the replacement of the previous model of operators of essential services and digital service providers with a new division into key entities and important entities. In practice, this means that many organisations need to reassess their status, including those that had not previously been formally identified as participants in the national cybersecurity system. The Ministry of Digital Affairs indicates that the deadlines for fulfilling statutory obligations run from the date on which the amendment entered into force.
Who may be covered by the new provisions?
The new obligations may apply to entities operating, among others, in the sectors of energy, transport, banking, financial market infrastructures, healthcare, water supply, digital infrastructure, ICT service management, public administration, waste management, chemicals production, food production and selected types of industrial activity.
This scope is broad and covers both entities providing services directly to end users and organisations performing important functions in supply chains. For this reason, status verification should not be limited to simply checking whether an entrepreneur operates in the “cyber” sector or provides traditional digital services. It may also be relevant whether its activity supports the functioning of sectors considered by the legislator to be key or important.
In practice, not only the formal scope of business activity will be relevant, but also the actual functions performed by a given entity, its size, sector of activity and links with other enterprises. The Ministry of Digital Affairs indicates that, before making an entry in the KSC Register (see below), the activity profile, the relevant PKD code and the size of the entity should be verified, taking into account linked and partner enterprises. Self-registration applies to entities operating in the sectors listed in the annexes to the Act, which meet the size criteria and are not entered in the register ex officio.
Entry in the KSC Register
Self-registration in the Register of key entities and important entities, i.e. the KSC Register, is one of the first practical stages in the application of the new provisions. It applies to entities that meet the statutory criteria for being classified as a key entity or an important entity and are not entered in the register ex officio.
Self-registration was launched on 7 May 2026, and the deadline for submitting an application expires on 3 October 2026. The KSC Register is maintained within the S46 System, which is intended to support, among other things, cooperation with CSIRT teams, communication with authorities and the performance of obligations related to incident reporting. Since 12 June 2026, new entities have been able to start using the S46 System for the purpose of fulfilling their statutory obligations.
Entry in the KSC Register should not be treated solely as a formal step. In practice, it requires a prior analysis of whether a given entity meets the statutory criteria, how it should be classified and what obligations will follow from that classification.
Key dates
| Date | Meaning |
|---|---|
| 3 April 2026 | entry into force of the amendment to the Act on the National Cybersecurity System |
| 13 April 2026 | launch of the KSC Register |
| 7 May – 3 October 2026 | self-registration period in the KSC Register |
| 12 June 2026 | S46 System made available to entities covered by the Act |
| 3 April 2027 | end of the adjustment period for implementing the obligations and starting to use S46 |
| 3 April 2028 | start of application of the provisions on administrative fines and deadline for the first audit for certain key entities |
The above timeline means that although the full implementation of some obligations has been spread over time, the preparatory stage has already begun. The self-registration period is particularly important, as entities that are not entered in the register ex officio should submit the application themselves within the prescribed deadline. By 3 April 2027, entities that met the criteria on the date the amendment entered into force should also start using the S46 System and implement the obligations arising from the Act.
The date of 3 April 2028 is important primarily from the perspective of sanctions and audit obligations. From that date, administrative fines may be imposed for breaches of most obligations, and certain key entities will be required to conduct their first information system security audit.
What does this mean for entrepreneurs?
The coming months should be used primarily to determine whether a given entity is subject to the new provisions. The verification should cover the sector of activity, the services actually provided, the scale of activity, the group structure and any links with other enterprises. This may be particularly relevant for energy companies and entities from the waste management sector, where cybersecurity is increasingly linked not only to the protection of IT systems, but also to the continuity of services, the security of technical infrastructure, the use of ICT/OT systems and dependence on external providers of technology and digital services. In the case of the energy sector, the new provisions may require a reassessment of status under the division into key entities and important entities, including with respect to entities that already operated within the national cybersecurity system. In turn, in the waste management sector, NIS2 may be particularly relevant for entities that have not previously identified themselves as being directly covered by the cybersecurity regime, even though their activities are important for the continuity of municipal, environmental and logistics services.
Entities that may be classified as key or important should then prepare for entry in the KSC Register and plan the implementation of the required technical and organisational measures. In practice, this may include a review of existing cybersecurity procedures, a gap analysis, clarification of internal responsibilities, updating documentation, preparing incident reporting rules and assessing ICT supply chain security. The implementation of NIS2 should therefore be treated as an organisational project involving not only the IT function, but also compliance, legal, procurement, operational teams and persons responsible for managing the organisation.
Summary
The entry into force of the Polish implementation of NIS2 means that the stage of waiting for the provisions has ended. Entrepreneurs should now focus on self-identification, registration in the KSC Register and preparing their organisations to comply with the new obligations before the end of the adjustment period.
In practice, the key issue will be to quickly determine whether a given organisation falls within the scope of the new regulations and then to plan adjustment measures. Early analysis will help reduce the risk of delays in entry in the KSC Register, organise documentation and prepare internal procedures before the full application of the obligations begins.
Scope of KPMG Law support
KPMG Law supports entrepreneurs in analysing and implementing obligations arising from the Act on the National Cybersecurity System and the NIS2 Directive, in particular in the following areas:
- assessing whether a given entity may be classified as a key entity or an important entity;
- mapping activities against the sectors and categories indicated in the Act;
- preparing for entry in the KSC Register;
- conducting a regulatory and documentation gap analysis;