
Cybersecurity in companies. The new regulations are already in force. Check if you need to register

On Friday, an amendment to the Act on the National Cybersecurity System (KSC) entered into force. From May 7 to October 3 this year, companies will have to assess whether they fall under the KSC and, if so, register in a special list. A set of questions and answers published on cyber.gov.pl is intended to help them with this assessment.


The amendment to the KSC Act, prepared by the Ministry of Digitization, entered into force on Friday. The regulation implements in Poland the EU NIS 2 cybersecurity directive and the 5G Toolbox, i.e. the EU document on 5G network security. The NIS 2 directive replaced the previous division into operators of essential services and digital service providers with a division into “key entities” and “important entities”. It also introduced new sectors covered by cybersecurity obligations.

“In response to the growing number of cyberattacks on critical infrastructure and the increasing scale of disinformation, we are creating a new ecosystem that will ensure greater security for the state and citizens. The amendment to the KSC Act enters into force at a similar time as the Cybersecurity Strategy. Together, these two documents will increase resilience in cyberspace and improve Poland's security,” Deputy Prime Minister and Minister of Digitization Krzysztof Gawkowski emphasized during a recent press conference.

The amendment to the KSC Act introduces new sectors that will be covered by cybersecurity obligations. In addition to energy, transport, health care, banking, financial market infrastructure, water supply and digital infrastructure, the following were added: wastewater, ICT management, space, postal services, production and distribution, including chemicals and food. KSC sectors also include public entities, including offices, local governments, schools, hospitals, research institutes and the Polish Press Agency.

Companies must assess themselves whether they meet the criteria for a key entity

According to the amendment, companies must assess themselves whether they meet the criteria for a key entity or an important entity. If the answer is positive, they will be obliged to register in the list of KSC entities. According to Gawkowski, the list for private companies will be opened on May 7, and entities will be able to register in it for the next 6 months, i.e. until October 3 this year. Entrepreneurs will be subject to financial penalties for failing to fulfill this obligation.

To facilitate self-identification, the Ministry of Digital Affairs has published on the cyber.gov.pl website 131 detailed questions and answers for companies and entities covered by the new regulations. “This is not a closed catalogue. If someone – an entity, a company, a natural person, a newspaper – asks a question that is not included in these lists, we will provide an individual answer, and it may happen that this question and its answer will be included in the list,” Deputy Minister of Digital Affairs Paweł Olszewski emphasized during a meeting with journalists.

Representatives of the ministry also said that they will try to reach companies that may not be aware of their new obligations. The ministry intends to do this, among other ways, through announcements, information campaigns, briefings for the media and the biznes.gov.pl portal.

The obligation to self-identify does not apply to public entities. According to the head of the Ministry of Digitization (MC), on April 13 the Minister of Digitization will begin entering entities into the list ex officio. This will apply, in addition to public entities, to electronic communications entrepreneurs and existing operators of essential services.

Some of the changes are spread over time

By April 3, 2027, key and important entities must implement the cybersecurity obligations arising from the new regulations, the ministry said. The new responsibilities include implementing an information security management system, regularly assessing the risk of incidents, and managing incidents. It will also be mandatory to collect information on cyber threats and vulnerabilities and to apply measures that limit the impact of incidents, such as regular software updates or taking immediate action once a threat is noticed.

Entities covered by the KSC will also have to implement technical and organizational measures proportionate to the assessed risk and adapted, among other things, to the size of the organization. These measures include cybersecurity policies and procedures, access control to systems, secure means of communication including multi-factor authentication, and employee training. The implemented measures are intended to ensure the safety of people, the environment, the entity's resources and the supply chain of ICT products, services and processes. They are also intended to ensure the continuity of the entity's operations and its ability to provide services in the event of an incident.

Key entities, in turn, have until April 3, 2028 to conduct their first mandatory cybersecurity audit. Subsequent audits will have to be carried out at least every three years.

CSIRT is to come to the rescue

The amendment also provides for the creation of sectoral CSIRT teams that will support entities covered by the KSC in handling cybersecurity incidents.

Pursuant to the act, a National Plan for responding to large-scale cybersecurity incidents and crises will be introduced. In addition, the Minister of Digital Affairs will be able to issue a protective order specifying actions that will limit the effects of an ongoing critical incident. Under such an order, the minister may, for example, require an entity to conduct a risk analysis or to secure certain information.

Financial penalties will be imposed on entrepreneurs covered by the KSC for non-compliance with the regulations. The fine for key entities may amount to up to 2% of the company's revenues, with a minimum of PLN 20,000 and a maximum of EUR 10 million (approx. PLN 42.4 million). Fines for important entities may amount to up to 1.4% of the company's revenues, with a minimum of PLN 15,000 and a maximum of EUR 7 million (approx. PLN 20 million).

Regardless of these limits, failure to comply with an order of the cybersecurity authority will result in a fine of PLN 500 to PLN 100,000 for each day of delay. Such a penalty may be imposed, for example, for failing to comply with an order to take specific actions in handling a serious incident or for failing to conduct an audit.

The Act also provides for penalties of up to PLN 100 million where a key or important entity is found to have violated the provisions of the Act and, at the same time, to have caused a direct and serious cybersecurity threat to defense, state security, public safety and order, or human life and health, or to have caused a threat of serious property damage or serious difficulties in the provision of services.

Representatives of the Ministry of Digitization emphasized in a conversation with journalists that the penalty system is not oppressive and that the procedure is multi-stage. It includes, among other steps, inspections, post-inspection reports, the filing of objections and calls to remove irregularities. The ministry declared that financial penalties should be a last resort, not a starting point.

During the parliamentary work on the act, changes were adopted that clarified some of its solutions. One of them introduced an obligation for the president's representative to participate in government work on the Council of Ministers' resolution on the National Plan for responding to large-scale cybersecurity incidents and crises.

Another provided that administrative fines for failure to fulfill the obligations arising from the amendment to the KSC Act may be imposed for the first time only after 2 years from the date the amendment entered into force. This solution is intended to give regulated entities enough time to prepare for the new requirements.

On February 19 this year, President Karol Nawrocki signed the amendment to the Act on the National Cybersecurity System (KSC) and referred it to the Constitutional Tribunal. Among the provisions raising the head of state's doubts are those governing the principles of recognizing entities as high-risk suppliers (DWR) and the principles of issuing so-called security commands. “These provisions interfere with the independence of entrepreneurs, including by imposing the obligation to replace equipment and software without compensation and without securing financial resources for this purpose,” the president said. Nawrocki also pointed out that the system of penalties provided for in the act is, in his opinion, restrictive, and that their amounts “actually have the nature of independent punitive measures.” (PAP)

mbl/drag/
