Subject heading: Amendment to the National Cybersecurity System Act published. An intensive period of adjustment to new cybersecurity requirements is about to begin
On 2 March 2026, an amendment to the National Cybersecurity System Act, intended to harmonize Polish law with NIS 2, was published in the Journal of Laws. The new legislation will take effect as of 3 April 2026. According to government estimates, it will apply to more than 40 000 new organizations.
The promulgation of the amendment to the National Cybersecurity System Act is a turning point in almost two years of work to transpose NIS 2 into Polish law.
The moment of promulgation sets off a one-month vacatio legis. The amendment itself will come into force on 3 April 2026, and the milestones for the organizations subject to the new legislation (essential and important entities) will be counted from that date.
The duration of certain milestones was extended in the course of the parliamentary work on the bill, resulting in the following schedule:
- 3 October 2026 – essential and important entities are required to determine their status by themselves and register accordingly;
- 3 April 2027 – essential and important entities are required to comply with most of the new requirements; this involves primarily adopting the appropriate technical and organizational methods within their information security management system;
- 3 April 2028 – only essential entities, but not important entities, are required to conduct their first IT security audit; from that date, security audits must be conducted at least every three years.
In practice, this means that there is one year to comply with the vast majority of the new requirements. This may in fact leave many organizations little time, especially since they will at the same time have to determine whether they are subject to the new laws, devise new procedures, adopt new technical measures and train personnel.
The penalties for failing to comply on time are a separate matter. While the new legislation provides for the possibility of severe fines for not complying with the statutory obligations, there is a noteworthy moratorium on fines. Under interim rules, it will not be possible to impose administrative fines for the first two years following enactment of the amendment. This will be the rule except for special category fines, which can be up to PLN 100 m, imposed for instance when non-compliance causes a serious threat to national defense and security, public order, or human life and health.
The President of Poland signed the bill but also referred the new legislation for review by the Constitutional Tribunal. The President’s referral related, among other things, to the controversy surrounding the system of classification as a high-risk supplier. A future Constitutional Tribunal ruling could have implications for the constitutionality of the new legislation, but this will not affect the enactment of the amendment or the milestones set for the organizations concerned.