In response to the significant increase in threats in cyberspace, the European Union adopted the so-called NIS 2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022). It is the successor to the 2016 NIS Directive, which aims to set higher and more consistent cybersecurity standards across the Union.

In Poland, the NIS-2 Directive is implemented through the Act of 23 January 2026 amending the Act on the National Cybersecurity System and certain other acts.

On 19 February 2026, the legislative process implementing the new law ended with the signing of the above-mentioned act by the President of the Republic of Poland. The document introduces numerous changes that adapt the Polish cybersecurity system to the requirements of NIS-2 and significantly expand the scope of duties and responsibilities of entities covered by the regulation.

The Act  will enter into force one month after its publication in the Journal of Laws.

What is the NIS-2 Directive?

The NIS-2 Directive aims to increase the overall level of security of network and information systems in the EU by introducing uniform requirements for cyber risk management, incident reporting and cooperation between Member States. NIS-2 expands the scope of entities covered by the regulation, including:

• entities from key sectors such as energy, transport, finance, health care or digital infrastructure,
• entities important for the functioning of the state and society, including, m.in, production, water and sewage management and the food sector.

The Directive also puts more emphasis on  the accountability of management bodies, imposing specific obligations and potential liability on them for non-compliance with cybersecurity obligations.

What will happen next with the act after it is signed?

• The act implementing the NIS 2 Directive into the Polish legal system has been signed, while the President of the Republic of Poland has submitted a request to the Constitutional Tribunal to examine the compliance with the Constitution of the Republic of Poland of some of its provisions (in particular those concerning the so-called high-risk suppliers). This does not suspend its entry into force, but it may result in possible changes after the Constitutional Tribunal’s ruling.
• The act  will enter into force one month after its publication in the Journal of Laws, which means the entry into force of the new regulations and the related implementation deadlines for enterprises.

The most important changes resulting from the amendment

The new regulations provide m.in:

• Division of entities into key and important, significantly expanding the catalogue of entities covered by cybersecurity obligations.
• Risk management system and technical/organisational responsibilities adapted to the business profile and the degree of risk.
• Faster response and incident reporting through an integrated reporting system and support from the Computer Security Incident Response Team (CSIRT).
• Enhanced oversight and the ability to identify high-risk suppliers, which creates additional practical and procedural challenges for companies.
• High administrative penalties for violations of cybersecurity obligations.

What does this mean for entrepreneurs?

For companies operating in the sectors covered by NIS-2 and for many organizations in the supply chain of key services, signing the act means the need to:

• self-identification and assessment of whether they are subject to the obligations
• implementation of adequate risk management measures and security procedures,
• preparation of incident reporting structures and compliance with new compliance requirements,
• taking into account the potential liability of the management board in its activities.