The new National Cybersecurity System

11 March 2026 | Knowledge, News, The Right Focus

The amendment to the Act on the National Cybersecurity System (UKSC) is one of the most significant regulatory reforms in recent years. Its main objective is to align Polish law with Directive (EU) 2022/2555 of the European Parliament and of the Council. The directive, also known as NIS2, substantially raises digital security requirements across the Union.

The Polish Act on the National Cybersecurity System has undergone a thorough overhaul, covering more organisations (with estimates suggesting nearly 40,000 entities)[1], introducing more demanding obligations, statutory personal liability for management board members, and even more stringent rules for imposing financial penalties. In the case of the most serious violations, these penalties can reach 100 million PLN.

Essential and important entities. And even more companies subject to new obligations

One of the amendment’s key features is the expansion of the list of entities subject to cybersecurity obligations. The previous distinction between operators of essential services and digital service providers has been replaced by a broader classification covering essential entities and important entities.

The amended UKSC now covers 18 sectors and industries, all of which must prepare to meet the new requirements. These include energy, transport, healthcare, postal services, waste management, the chemical industry, the space sector, the manufacture of equipment and machinery, digital infrastructure, and the production and distribution of food.

The amendment requires businesses to conduct a thorough analysis of their activities to determine whether they meet the criteria for classification into one of the entity categories. Rather than passively awaiting individual decisions from state authorities, companies should assess for themselves whether they meet the criteria and prepare for mandatory entry into the list.

For many organisations, especially SMEs, this will be their first experience of formal cybersecurity procedures. Consequently, it may be necessary for them to develop policies, implement manuals and procedures, conduct audits, and ensure that these activities are properly documented.

The obligation to create a comprehensive information security management system

One of the most important aspects of the amendment is the obligation to establish a comprehensive information security management system. This system must be proportionate to the level of risk assessed and must, first and foremost, include:

  • Risk analysis and assessment
  • Technical and organisational measures (including encryption, multi-factor authentication (MFA), access control, and physical protection of systems)
  • Ensuring business continuity and crisis management, including disaster recovery plans and backup testing
  • Monitoring, reporting and responding to incidents
  • Supply chain security management

Computer Security Incident Response Teams (CSIRTs) are to play a key role in responding to threats, gathering knowledge and educating entities within specific sectors.

The personal responsibility of board members for implementing cybersecurity requirements

One significant change that could impact the management of organisations is the introduction of personal responsibility of board members for ensuring that the company’s activities comply with the UKSC.

This means that, in the event of serious violations or omissions relating to cybersecurity, the legal and financial consequences could affect not only the company itself, but also the members of its management bodies. It is important to note that responsibility for oversight in this area cannot be fully delegated to lower organisational levels or specialised technical units.

If an organisation fails to clearly allocate responsibilities and designate individuals accountable for specific tasks, all members of the management board will be held jointly and severally liable for any negligence. This signals to the market that cybersecurity management is becoming a fundamental corporate governance responsibility.

Strengthening the country’s entire protection system

The ministers responsible for specific sectors, the Financial Supervision Authority (KNF) and the President of the Office of Electronic Communications (UKE) have been given the tools to oversee and penalise certain services, and even to issue decisions ordering their discontinuation. They can also request audits, issue warnings, monitor compliance, and take preventive action both before and after a breach occurs.

From a market perspective, the new regulations mark the next stage in the development of national cyber resilience. Rather than merely imposing formal requirements on businesses, the Act aims to foster a mature security culture within organisations. Consequently, the amendment is set to become one of the most important tools for modernising the Polish digital economy.

It should be noted that, when signing the Act, the President decided to refer certain provisions, concerning among other things the rules for assessing and approving high-risk suppliers, to the Constitutional Tribunal for an a posteriori review. As the review is a posteriori, however, the Act has been promulgated and will enter into force in its entirety, so businesses must comply with the obligations it imposes.


[1] https://edgp.gazetaprawna.pl/prawo/prawo-internetu-i-ochrony-danych/artykuly/10594833,czy-uksc-obejmie-najwieksza-liczbe-podmiotow-w-ue.html

Contact us:

Robert Brodzik


Advocate / Counsel / NewTech / Data Protection and Cybersecurity

+48 532 206 479

r.brodzik@kochanski.pl