Bill Implementing the NIS 2 Directive Submitted to the Sejm
In November 2025, after more than a year and a half of government work, a bill amending the Act on the National Cybersecurity System was submitted to the Sejm—intended to implement the EU NIS 2 Directive. Although more than a year has passed since the deadline for implementing the NIS 2 Directive, the required legislation has still not been adopted in Poland.
While the bill relatively faithfully reflects the content and principles provided for in the NIS 2 Directive, the Polish legislator diverges from the directive in places, for example by including new, autonomous solutions. Below we describe the five most important differences:
- Greater scope of entities affected

The bill extends the scope of entities subject to the legislation, for instance by classifying small managed cybersecurity service providers as essential entities, and by including advisory services under this term. The bill also brings entities providing domain name registration services into the digital infrastructure sector (regulated in the NIS 2 Directive in a partially separate manner) and defines particular categories of entities by reference to Polish legislation. This may at times give rise to discrepancies between the Polish and EU-level understanding of certain concepts.

- Introduction of a registration obligation

The amendment would require essential and important entities to submit an application for entry in the relevant register. Essential and important entities will have three months to submit the application, and failure to do so may result in the entity concerned being fined.

- Extension of CSIRT powers

The bill grants the competent CSIRTs the power to examine ICT products, services, and processes in order to identify vulnerabilities. For this purpose, CSIRTs will be entitled to use methods aimed, for instance, at reconstructing the source code of software, duplicating program code, or translating its form. At the same time, CSIRTs will not be bound by contractual provisions (in particular license agreements) relating to the examined ICT products, services, or processes, and conducting such examinations will not require the consent of the licensor or the holder of the ICT product, service, or process.

- Introduction of the concept of a high-risk supplier

The bill introduces the possibility of designating a supplier of hardware or software as a high-risk supplier if it poses a threat to fundamental national security interests. As a consequence, essential entities, important entities, and entities subject to the DORA Regulation will not be allowed to put into use ICT products, services, or processes originating from such suppliers, and those already in use will have to be withdrawn.

- Introduction of an administrative fine of up to PLN 100 million
The proposal provides for the possibility of fining an essential or important entity up to PLN 100 million for the following:
a) causing a direct and serious cyber threat to national defense, national security, public safety and order, or human life and health;
b) causing a risk of significant property damage or serious disruption to the provision of services.
The bill will now undergo readings in both chambers of parliament, and may still be amended. Importantly, representatives of all major parliamentary groupings (including opposition parties) emphasize the importance and necessity of adopting this legislation. As a result, it has a strong chance of becoming generally applicable law in the near future.