2026 Update: Current Legislative Status
Status as of February 2026: The amendment to Poland’s National Cybersecurity System Act (UKSC) has passed through the legislative process and been enacted. This article has been updated to reflect the current legal status.
The law implementing the NIS2 Directive into Polish law has entered into force. Key dates you should know:
- January 17, 2025 - the date from which the NIS2 Directive should be applied in EU Member States
- 2025 - adoption of the UKSC amendment by the Polish Parliament
- 2026 - full implementation of requirements for essential and important entities
If your organization has not yet started the process of adapting to the new requirements, time is critical. Check our NIS2 implementation guide or contact us about a NIS2 compliance audit.
📚 Read the complete guide: NIS2: Kompletny przewodnik po dyrektywie NIS2 - obowiązki, kary, terminy
What key changes does the UKSC amendment introduce?
The amendment to the Law on the National Cyber Security System (UKSC) represents a crucial step towards the full implementation of the NIS2 Directive into Polish law. The main objective of the amendments is to strengthen the digital resilience of key sectors of the economy in response to the growing scale and complexity of cyber threats. The amendment continues the evolution of the regulatory approach, moving from a static list of entities to a more dynamic and broad model of regulatory coverage, which is fundamental to the security strategy of many Polish companies.
The most important change is a significant expansion of the law's scope of entities. The new legislation covers many more sectors and companies than the previous law, which implemented the first NIS directive. The amendment introduces a clear division into "key entities" and "important entities," which determines the scope of obligations and the level of supervision. This modification forces organizations that have not previously been subject to UKSC regulations to thoroughly analyze their operations against the new eligibility criteria, which poses a challenge to IT directors and boards.
Another pillar of the amendment is the introduction of risk assessment mechanisms in the supply chain, with a particular focus on strategic hardware and software suppliers. This change is a direct response to global trends in cyber attacks, which increasingly target less secure technology partners. For Chief Information Security Officers (CISOs), this means implementing formal supplier vetting processes that go beyond standard technical analysis to include non-technical factors such as ownership structure or the supplier's legal jurisdiction.
The amendment also tightens the existing reporting framework and penalty regime. Deadlines for incident reporting are shortened, and financial penalties for non-compliance are much more severe, with the aim of pressing entities to make cyber security a strategic priority. These changes force organizations to review and optimize their internal incident response procedures and to allocate adequate resources to incident handling in order to meet the new, more stringent time requirements.
Who will be covered by the new regulations and what obligations will be imposed?
The amendment to the UKSC introduces a new two-tier classification of regulated entities: key entities and important entities. The classification is based on the size of the organization and the criticality of the sector in which it operates. The category of key entities includes the largest companies in sectors of fundamental importance to the economy and society, such as energy, transportation, finance, health or digital infrastructure. Important entities, on the other hand, are companies in the same or other specified sectors (e.g., postal services, waste management, food production) that meet the size criteria, but whose disruption would have smaller, though still significant, consequences.
The new regulations impose a number of specific obligations on all covered entities. The foundation is the implementation of a comprehensive risk management system, based on an all-hazards approach that takes into account not only digital risks, but also physical, human and environmental risks. Organizations will be required to conduct regular risk analyses and implement adequate technical and organizational measures to mitigate risks. The list of minimum security measures includes access control policies, encryption, incident management, business continuity assurance and supply chain security, among others.
Particular emphasis has been placed on incident reporting obligations. Key and important entities will have to report significant incidents to the relevant CSIRT (Computer Security Incident Response Team) within a much shorter timeframe than before. The amendment provides for a multi-stage reporting process: an early warning within 24 hours of incident detection, followed by a detailed report within 72 hours. This requires not only efficient detection tools, but also well-rehearsed response and crisis communication procedures.
What is the new procedure for assessing supplier security?
One of the most innovative yet challenging elements of the amendment is the introduction of a procedure for assessing the security of suppliers, detailed in Article 36d. This mechanism gives state authorities a tool to verify hardware and software suppliers that are of strategic importance to the functioning of the national cyber security system. The goal is to reduce the risks associated with the use of technology from entities that may pose a threat to national security, for example due to ties to foreign states.
The evaluation process is to be conducted by the College for Cyber Security at the request of authorized entities. The analysis will go far beyond the purely technical aspects of the product. Non-technical factors such as the corporate and ownership structure of the supplier, the ability of a third country to influence it, and the transparency of its operations will also be evaluated. This holistic approach aims to identify potential pressure vectors that could be used to compromise the technology at the production or maintenance stage.
The consequences of a negative assessment can be very serious. A supplier may be deemed a "high-risk supplier," which results in a protective order. Such an order may require key and important entities to stop using certain hardware or software within a specified period of time. For companies, this means conducting a thorough audit of their technology stack and diversifying their supplier portfolio to avoid operational paralysis if a key technology partner is excluded.
Supplier Security Assessment (Article 36d) - Key Aspects
| Target | Who evaluates | Criteria | Effect |
|---|---|---|---|
| Hardware and software suppliers of strategic importance to the national cyber security system | The College for Cyber Security, at the request of authorized entities | Technical aspects of the product plus non-technical factors: corporate and ownership structure, a third country's ability to influence the supplier, transparency of operations | Designation as a "high-risk supplier" and a protective order requiring key and important entities to stop using the affected hardware or software within a specified period |
What are the practical lessons for IT directors and CISOs?
The law has been enacted, and the time to adapt to the new requirements is running out. Proactive IT and security leaders should immediately take concrete implementation steps. The first and most important step is to conduct an initial self-assessment to determine whether the organization falls under the definition of a key or important entity. Analyzing the sector and size criteria included in the amendment allows early identification of potential obligations and the start of planning.
The second key activity is to review and map the supply chain. Security directors should identify all strategic hardware, software and service providers and then assess their risk profile in the context of the new regulations. It’s worth asking questions about the vendor’s legal jurisdiction, the transparency of their operations, and their ability to conduct an independent security audit. Initiating these conversations now will allow for smoother adaptation to future requirements and a possible planned change of supplier.
The third area is budgeting and resource planning. Implementing new requirements, such as advanced risk management systems, 24/7 security monitoring (SOC) and regular penetration testing, will require significant investments. CTOs and CISOs should prepare detailed cost estimates and present them to boards of directors, arguing the need for investment not only to comply with the law, but more importantly to build long-term business resilience. Treating the UKSC amendment as a strategic initiative, not just a regulatory burden, will help turn the obligation into a real competitive advantage based on trust and security.
See Also
Related articles on cybersecurity regulations:
- What is the NIS2 Directive? Definition, Objectives, Obligations - comprehensive guide to NIS2
- DORA Regulation: Everything You Need to Know - requirements for the financial sector
- How to Prepare for a NIS2 Audit - practical preparation guide