NIS2 Poland 2026. Is Your Company Subject To The New National Cybersecurity System Obligations, And What Are The Deadlines?

Jakub Chajdas

Partner/Attorney-at-law

NIS2 Poland 2026 is relevant not only for large infrastructure operators. It also affects many companies in sectors that are important to the economy. The amendment to the Act of 5 July 2018 on the National Cybersecurity System (consolidated text: Journal of Laws of 2026, item 20; hereinafter: the NCS Act) entered into force on 3 April 2026. It implements into the Polish legal order the provisions of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ EU L 333, 2022, p. 80). From that date, deadlines for new obligations started to run.

The main question for a business is: Is the company an essential entity or an important entity? This determines whether the company must apply for entry into the NCS register and implement an information security management system. It also defines whether it must report incidents and prepare for a cybersecurity audit.

NIS2 Poland 2026 – What Changed On 3 April 2026?

On 3 April 2026, the Act of 23 January 2026 amending the Act on the National Cybersecurity System and certain other acts (Journal of Laws of 2026, item 252) entered into force. The amendment adjusted Polish regulations to the NIS 2 Directive. It introduced a new way of classifying entities covered by cybersecurity obligations.

The previous division into operators of essential services and digital service providers has been replaced. The new classification recognises the following categories:

  • essential entities,
  • important entities.

This change is significant. In practice, the scope of regulated entities has expanded a lot. The new obligations may apply not only to the energy, transport, and healthcare sectors. They may also cover ICT services and postal services. In addition, they may extend to manufacturing and food distribution. They also include chemical-related activities. Waste management and wastewater services may fall within the scope as well. Certain areas of industry are also covered.

Key Deadlines for Essential and Important Entities

The amendment to the NCS Act sets specific deadlines that businesses should not delay. There are three key dates: 3 October 2026, 3 April 2027, and 3 April 2028.

| Deadline | What needs to be done? | Who does it apply to |
| --- | --- | --- |
| 3 October 2026 | Submit an application for inclusion in the register of essential and important entities. Self-registration is available from 7 May 2026. | Entities that, after self-assessment, meet the criteria and have not been entered ex officio |
| 3 April 2027 | Implement obligations under the Act of 5 July 2018 on the National Cybersecurity System. Begin using the S46 system. | Essential and important entities that met the legal criteria as of 3 April 2026 |
| 3 April 2028 | First security audit of the information system. This applies to entities that were not previously operators of essential services. Others continue their existing audit cycle. | Essential entities |

In practice, the process starts with a self-assessment. The next step is determining whether the entity should be included in the NCS register. Only then should companies plan the implementation of technical, organisational, and documentation requirements.

Essential and Important Entity – Why Classification Is Crucial

The biggest mistake would be assuming that NIS2 applies only to large infrastructure operators. After the amendment to the NCS Act, many companies must assess their status on their own. They need to check whether they meet the legal criteria. Registration is not always done automatically by authorities. Some entities must submit an application themselves.

Classification requires analysing at least three elements:

  • the sector or type of activity,
  • the size of the business,
  • the importance of the services provided for the economy, society, or service continuity.

Only by combining these factors can a company determine whether it qualifies as an essential or important entity.

Step 1: Check Your Business Sector

Start by identifying whether your company operates in a regulated sector. It is not enough to say: “We use IT systems.” What matters is whether your activity falls within the sectors listed in the act.

The amendment covers, among others, the following areas:

| Area of activity | Sectors or types of activity – examples |
| --- | --- |
| Basic infrastructure and services | energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure |
| Digital services and ICT | ICT service management, cloud services, data centres, DNS service providers, domain name registries |
| Public administration and public sector | selected public entities, systems and services of public importance |
| Manufacturing and industry | selected types of production, including machinery, equipment, electronics, transport equipment, and chemicals |
| Services and logistics | postal and courier services, waste management, food production and distribution |

If a company operates in one of these areas, it does not automatically mean that it is subject to all obligations. However, it does mean that it should undergo further classification.

Step 2: Check the size of the company

In many cases, company size will be an important factor. The NIS2 Directive and the NCS Act mainly target entities whose activity is essential for the functioning of specific sectors. Therefore, companies should verify the number of employees, turnover, and balance sheet total.

However, the analysis should not be limited only to size criteria. Some entities may fall within the scope of the rules due to the nature of their activity. Others may be included ex officio or because their services are of particular importance.

Step 3: Determine Whether Your Entity Classifies as Essential or Important

The classification into essential or important entities matters. It affects the level of supervision. It also determines the scope of obligations and the risk of inspections. As a rule, essential entities face stricter requirements. This includes the obligation to carry out cybersecurity audits.

In practice, the assessment should include:

  • reviewing the annexes to the NCS Act;
  • identifying the type of services provided;
  • checking whether the company meets size thresholds;
  • verifying whether the entity has been or should be registered ex officio;
  • assessing whether the company’s activity is important for service continuity or sector security.

If the analysis shows that the regulations apply, the business should prepare for registration in the NCS register.

Entry Into The NCS Register – What To Do By 3 October 2026?

Entities not registered automatically must apply by 3 October 2026. The NCS register is maintained in an ICT system. The application is submitted electronically.

In practice, before submitting the application, the company should take several steps:

  • confirm whether it meets the criteria for an essential or important entity;
  • determine the relevant sector and type of activity;
  • collect the identification and organisational data required for registration;
  • designate persons responsible for contact and handling NCS obligations;
  • prepare for using the S46 system at a later stage.

Registration in the NCS should not be treated as a mere formality. It is the first step in entering the system of statutory obligations.

S46 System – What Will It Be Used For?

The S46 system will be used by essential and important entities. It will support the performance of statutory obligations. It will also be used for incident reporting and communication with competent authorities within the national cybersecurity system.

According to the timeline, access to the system will open on 12 June 2026 for new entities. By 3 April 2027, entities covered by the law must start using the system. They must also implement the required obligations.

For companies, this means more than preparing documents. They must also implement practical processes for response, reporting, and communication.

What Must Be Implemented by 3 April 2027?

By 3 April 2027, entities that are classified as essential or important must act to comply with the law. This applies to companies that already met the criteria on the day the amendment entered into force. They must implement all obligations under the law. The most important requirement is an Information Security Management System.

The Information Security Management System should include at least:

  • identification of information systems used to provide services;
  • risk analysis for network and IT system security;
  • implementation of appropriate technical, operational, and organisational measures;
  • incident handling and reporting procedures;
  • business continuity management rules;
  • access control procedures;
  • supply chain security rules;
  • training and clear allocation of responsibilities.

This is not just about documentation. The law requires real risk management. It also requires readiness to respond to incidents.

NIS2 And The National Cybersecurity System Obligations – A Practical Checklist For Companies

Below is a simplified list of obligations. It is intended for companies that the amendment to the National Cybersecurity System Act may cover.

| Obligation | What it means in practice | When to act? |
| --- | --- | --- |
| Self-assessment | Verify whether the company is an essential or important entity | as soon as possible, before 3 October 2026 |
| NCS registration | Submit an electronic application | by 3 October 2026 |
| Use of S46 | Prepare for incident reporting and communication | by 3 April 2027 at the latest |
| Information Security Management System implementation | Establish a system for managing information security | by 3 April 2027 |
| Risk management | Analyse and limit risks to systems and services | ongoing process |
| Incident reporting | Procedures for detection, classification, and reporting | after implementation, in line with the law |
| Cybersecurity audit | Audit of information system security | essential entities, generally by 3 April 2028 |

Responsibility of the Head of the Entity

The amendment introduces responsibility for the head of the entity. This applies to both essential and important entities. Cybersecurity is no longer only an IT issue.

Management must understand the risks. They must approve key actions and provide resources. They must also supervise compliance. The law also requires appropriate cybersecurity training.

For companies, this means that the management board must be informed about the classification process. Its knowledge and decisions should be documented.

Cybersecurity Audit – Who Must Conduct It?

The first cybersecurity audit is especially important for essential entities. Entities that were not previously operators of essential services must act by 3 April 2028. They must carry out their first information system security audit by that date.

Further audits should take place at least every three years. Existing operators of essential services keep their current audit cycle. It is calculated from the date the last audit report was prepared and signed.

An audit is not just a document review. It checks whether implemented measures actually address risks and legal requirements.

Sanctions and Penalties – When Does the Risk Become Real?

The amendment introduces financial penalties for non-compliance. This includes failure to implement an Information Security Management System or failure to register.

Financial penalties may be imposed after two years from the entry into force of the Act. This means after 3 April 2028. However, this does not justify delaying implementation. Authorities may expect compliance earlier. Late preparation may be difficult to fix before an inspection.

NIS2 for Companies – How to Prepare Step by Step

Companies should start with a classification audit. Only after determining their status can they plan further actions.

Recommended Order Of Actions:

  1. Check if the company operates in a sector covered by the National Cybersecurity System Act.
  2. Verify the size and sector criteria.
  3. Assess whether the company is an essential entity or an important entity.
  4. Prepare an internal decision and classification documentation.
  5. Submit an application for entry into the NCS register, if required.
  6. Design or update the Information Security Management System.
  7. Prepare incident response procedures and communication with authorities.
  8. Train management and responsible staff.
  9. Prepare to use the S46 system.
  10. Plan a cybersecurity audit if the company is an essential entity.

What Should Be Avoided?

The biggest risk in practice is starting the analysis too late. Many companies assume that if they are not public entities or do not operate critical infrastructure, the NIS2 Directive does not apply to them. After the amendment to the NCS Act, this assumption may be wrong.

Companies should also not limit themselves to a general “cybersecurity policy.” That is not enough. The law requires specific actions related to risk management, information security systems, and incident reporting. Clear management responsibility will be crucial.

NIS2 Poland 2026 – Summary

NIS2 Poland 2026 requires many companies to perform a real self-assessment. They must check whether they are covered by the new NCS obligations. The most important deadlines are 3 October 2026 for the NCS register entry and 3 April 2027 for implementation of obligations and the start of S46 system use. 3 April 2028 will be the deadline for the first audit for some essential entities.

For businesses, the most important step is to quickly determine their status. Only then can obligations, budget, responsibilities, and timelines be properly planned.

If you are unsure whether your company falls under the NIS2 Directive and the new obligations, contact our law firm. We will analyse your business profile. We will determine whether you qualify as an essential or important entity. We will also help you prepare an implementation plan for the obligations before the statutory deadlines expire.

FAQ – Most Frequently Asked Questions on: NIS2 Poland 2026

1. When does the amendment to the NCS Act implementing the NIS2 Directive take effect?

The amendment to the NCS Act entered into force on 3 April 2026.

2. By when must the application to enter the NCS register be submitted?

Essential and important entities that are subject to registration upon application should submit their application by 3 October 2026.

3. What must be done by 3 April 2027?

Entities that, on 3 April 2026, met the criteria of an essential or important entity should, by 3 April 2027, implement the obligations under the Act and start using the S46 system.

4. What is an essential entity?

An essential entity is an organisation that meets the criteria set out in the NCS Act and operates in a sector of particular importance for security, the economy, or society. The exact classification requires analysis of the annexes to the Act.

5. What is an important entity?

An important entity is an organisation covered by the NCS Act that is not classified as an essential entity, but operates in sectors defined by the legislation and meets specific criteria.

6. Does the NIS2 Directive apply only to large companies?

Not necessarily. In many cases, company size matters. Yet, some entities may fall under the rules due to the type of activity or the critical importance of the services they provide.

7. Does every company have to implement an ISMS?

The obligation to implement an information security management system applies only to entities covered by the NCS Act. In practice, these are usually essential and important entities.

8. Who must carry out a cybersecurity audit?

The audit obligation applies to essential entities. New entities that were not classified as operators of essential services before must carry out their first audit by 3 April 2028.

9. Do penalties apply immediately?

For most obligations, administrative fines may be imposed after two years from the entry into force of the Act, i.e. after 3 April 2028. However, this does not remove the obligation to comply within the required deadlines.

10. Where should NIS2 Directive preparations start?

The best starting point is a qualification audit to determine whether the company is an essential or important entity. After that, an implementation roadmap for NCS obligations should be prepared.
