
The President Signed the KSC Act — The End of Postponing Cybersecurity

On February 19, 2026, President Nawrocki signed Poland's KSC amendment into law. LinkedIn is full of posts about it. But here's my question: what actually changed in cyberspace that day? Attacks didn't take a recess during the parliamentary debate. And that's the paradox every board needs to consider.

On February 19, 2026, President Karol Nawrocki signed the amendment to Poland’s National Cybersecurity System Act (KSC). Six years of legislative work, two parliamentary terms, a change in the presidency — and finally, a signature. The law implementing the EU’s NIS2 Directive passed through the Sejm on January 23 (407 votes in favor, a mere 10 against), through the Senate on January 28, and then made its way to the Presidential Palace. During the signing ceremony, Nawrocki used a phrase that aptly captures the spirit of our era: “We live in an era where war doesn’t always begin with a gunshot. Sometimes it begins with a click.”

At the same time, the President filed a motion with the Constitutional Tribunal for ex-post review — challenging, among other things, the extension of obligations to as many as 18 economic sectors. He noted, however: “Security has no party colors.” The law nonetheless entered into force upon publication.

The industry immediately erupted. Law firms sent out alerts, consulting companies updated their offerings, compliance departments called emergency meetings. But it’s worth pausing for a moment to ask a fundamental question: did anything actually change in the cyber threat landscape on February 19? No. APT group operations continued at the same pace as the week before. Ransomware campaigns weren’t halted for the duration of the legislative process. Vulnerabilities in Polish companies’ systems didn’t vanish overnight.

And it’s precisely in this disconnect between the legal event and operational reality that the problem I’ve been observing for years resides. Hundreds of organizations treated the absence of legislation as justification for deferring security investments. Now that justification no longer exists — but the risks they should have been protecting against are exactly the same as they were one, two, or five years ago. That should give every board of directors in Poland pause for thought.

📚 Read the complete guide to obligations under the amendment: Poland’s KSC amendment implementing NIS2 — what it means for your business

Why did companies wait for the signature before taking action?

In conversations with boards — and I’ve been having them for over two decades — I observe a pattern that repeats regardless of industry or company size. Cybersecurity features in strategic presentations, appears on board meeting agendas, is sometimes even listed among priorities. But until there’s a hard, external trigger, the topic doesn’t cross the threshold of real action — it doesn’t land in the budget, doesn’t get a dedicated team, doesn’t receive a C-suite sponsor.

In organizational psychology, this is known as a “permission structure” — a mechanism where organizations need external legitimization to make a decision whose validity they’ve internally recognized for some time. The President’s signature serves precisely this function. It didn’t cause threats to multiply. It eliminated the excuses for ignoring them.

This phenomenon is most visible in mid-sized companies — those employing 100 to 1,000 people. Large corporations in the financial or energy sectors have been operating under regulatory pressure for years and have mature security programs. Micro-enterprises are rarely subject to regulations directly. But the middle segment — manufacturers, logistics companies, B2B service providers, technology integrators — these are the organizations that spent years operating under the assumption that cybersecurity matters “don’t apply to them.” Meanwhile, the KSC amendment expands the circle of obligated entities from approximately 400 to an estimated 42,000. The vast majority of those newly covered are firms from precisely this segment.

It’s worth recalling the scale of the delay. Work on implementing NIS2 in Polish law dragged on for 6 years — from initial consultations in 2019, through multiple draft revisions, ministerial rotations, and a change of government. The EU deadline (October 17, 2024) expired over 15 months ago. Poland joined the ranks of the last EU member states to complete the transposition process.

Organizations that monitored the legislative process over those 6 years while simultaneously building capabilities are prepared today. Those that deferred the decision until “the right moment” didn’t actually need legislation. They needed an alibi to finally get started.

📚 Read the complete guide: NIS2: The complete guide to the NIS2 Directive - obligations, penalties, deadlines

What the President’s signature didn’t change — and what it actually did

Let’s start with what did not change on February 19, 2026:

  • The threat landscape — ransomware attacks, phishing campaigns, APT group activities proceeded identically to the day before
  • Your organization’s attack surface — every unpatched system, every open RDP port, every untrained employee posed the same risk as a week ago
  • Adversary capabilities — cybercriminals and state-sponsored groups didn’t become more or less capable because of the Polish legislative process
  • The cost of incidents — the average cost of a data breach in Central Europe (approximately PLN 4 million) didn’t change overnight

Now, what actually changed:

  • Personal accountability of boards — board members of essential and important entities now bear individual responsibility for implementing risk management measures. This isn’t an abstract clause — it’s financial and criminal liability.
  • Budget conversations — CISOs and security directors received the argument they’d been missing for years: “This is no longer a recommendation — it’s a legal requirement with specific penalties.”
  • Timeline — the law provides a 2-year moratorium on penalties, but obligations take effect immediately. Every month of delay is one less month to prepare.
  • Mandate for transformation — for organizations that wanted to invest but couldn’t break through budget resistance, the President’s signature is a lever for change.

What about the motion to the Constitutional Tribunal? The President challenged, among other things, subjecting as many as 18 sectors to regulation. The motion concerns ex-post review — the law is in effect in its current form until the Tribunal rules otherwise. It’s an important legal signal, but it should not be an excuse for delaying action. The obligations arising from the NIS2 Directive exist regardless of the Polish Tribunal’s ruling — because the source of law is the EU directive, not solely its national implementation.

Compliance-driven vs. strategy-driven: why this distinction costs millions

Working with organizations of varying sizes and across different sectors, I’ve identified two fundamentally different approaches to regulation — let’s call them Type A and Type B.

Type A: the compliance-driven organization

Learns about a regulation. Assembles a project team. Engages external advisors. Implements exactly enough to pass the audit. Positive report — case closed. The organization returns to “business as usual” and forgets about security until the next review or — worse — until the first serious incident.

What comes to light then? That meeting formal requirements and actual security are two different things. That a checked box won’t stop a ransomware operator. That an incident response plan no one ever tested under real conditions is worth less than the paper it was printed on.

Type A companies spend their budgets reactively — first on meeting requirements, then on fighting fires after an incident, then again on hardening they could have done from the start. Over a 5-year horizon, this model costs 30-40% more than a proactive approach. Because it adds the cost of downtime, the cost of reputation recovery, the cost of regulatory penalties, and the cost of lost customer trust.

Type B: the strategy-driven organization

Treats security as a component of business continuity. The CEO is engaged — not just through signing a policy, but through regular risk discussions at board level. The security budget is proportional to risk, not to the regulator’s minimum requirements.

For a Type B organization, the President’s signature wasn’t a turning point — it was confirmation of the course they charted years earlier. The KSC amendment doesn’t force a revolution upon them. It sanctions an evolution already underway.

From the perspective of continuous improvement — a philosophy I apply in both management and technology — security is never a one-off project. It’s an iterative process, not an event. Companies that internalized this principle are operating normally today. Companies that didn’t have just entered panic mode, trying to make up for years of neglect in a matter of months.

Who will actually benefit from this signature

Contrary to appearances, the biggest beneficiaries of February 19 aren’t law firms or consulting companies — though the compliance services market is undoubtedly heading for a boom. The real winners are CISOs and security directors who have been waging an uphill battle for budgets in organizations that treated security as a cost center.

I work with many such individuals. For years, they prepared gap analysis reports, presented risk scenarios, proposed multi-year remediation plans — and regularly heard: “we appreciate it, but we have other priorities right now” or “we’ll revisit this in the next budget cycle.” Since February 19, they have an argument that admits no counter-argument: a legal mandate, financial penalties, personal liability for board members.

The President’s words — “security has no party colors” — carry additional meaning here. It’s a signal that regardless of political changes, the direction of cybersecurity regulation in Poland is set for the next 10-15 years. NIS2 isn’t a one-off law — it’s a framework that will be updated, expanded, and enforced by successive governments. For organizations planning multi-year strategies, this is information of fundamental importance.

The nature of board-level conversations has also shifted. Not long ago, discussions revolved around: “Do we really need to invest in this?” Today, I increasingly hear: “How do we invest in a way that both meets requirements and genuinely strengthens our resilience?” That’s a qualitative leap — from questioning the rationale for spending to seeking the optimal way to allocate it.

What every CEO should do after February 19 — three decisions, not theory

I won’t list the amendment’s requirements here — we’ve done that in detail in our complete guide to the KSC amendment. Instead, here are three specific decisions that every CEO or board member should make within the next 30 days.

Decision 1: One phone call

Call the person responsible for IT or security in your company and ask one question: “If a serious cyberattack happened today at 2 PM — how long would we need to restore operational capability?”

If the answer is: “we have a plan, we tested it in Q4, we estimate RTO at 8 hours for critical systems” — your organization is on the right track.

If the answer is silence, hesitation, or “I’d need to check” — you have a problem. And it’s not a regulatory problem. It’s an operational problem that existed long before the President’s signature. The KSC amendment merely makes it visible.

Decision 2: Project or program?

In many organizations I hear: “we’re implementing NIS2.” The word “implementing” suggests a project — something with a beginning, an end, and a budget. But NIS2 is not a project. It’s an ongoing program.

Ask yourself: does your organization treat cybersecurity as a project to close, or as a program to maintain and improve? If you see a completion date — e.g., “by the end of 2027 we’ll be ready” — that’s a warning sign. Readiness is not a state you achieve once. It’s a process you maintain continuously.

The amendment requires, among other things, regular audits, continuous monitoring, updated risk analyses, and personnel training. By definition, this is not a project — it’s a program.

Decision 3: The signature as a budget lever

If you’ve ever planned to increase investment in cybersecurity but lacked the argument at board level — the next 6 months are the best window you’ll get in a decade.

The President’s signature, the 2-year countdown to penalties (up to EUR 10 million or 2% of annual revenue), personal board accountability, media buzz around NIS2 — all of this creates a unique decision-making context. Boards are now open to security budget conversations like never before. This moment won’t last forever.

Use it not for minimum compliance, but for building genuine cyber resilience. Because in 3 years, no one will ask “are you KSC-compliant?” They’ll ask: “Did you survive the attack, and how quickly did you get back to operations?”

A catalyst, yes. A substitute for strategy — no.

The President’s signature on the KSC amendment is a historic event — it closes a 6-year legislative marathon and marks a new regulatory era for cybersecurity in Poland. 42,000 entities now face the necessity of addressing obligations that previously applied to only a small fraction of the market.

But law can catalyze change. It cannot replace it.

I’ve watched regulations take effect across sector after sector — from finance, through telecommunications, to energy. The conclusion is always the same: legislation alone has never made any organization secure. Regulations create frameworks, enforce minimums, provide mandates for budgets — but real resilience against cyberattacks stems from organizational culture, the consistent work of security teams, and strategic decisions by boards that understand criminals don’t follow legislative timetables.

Let me return to President Nawrocki’s words about war beginning with a click. It’s an apt diagnosis. But the answer to such a war isn’t a law — it’s an organization where that click doesn’t lead to catastrophe. An organization where employees recognize the threat, systems block the intrusion attempt, response procedures activate automatically, and the board knows within the first hour the scope of the incident and what steps to take.

That can’t be decreed. It has to be built. The President’s signature gives you the strongest mandate in years to start or accelerate that construction. Use it before the window closes.

