12 March 2026 Update - The transposition of NIS 2 in Poland
Poland is an example of a late but now completed transposition of Directive (EU) 2022/2555.
For a considerable period after the EU deadline of 17 October 2024, Poland remained in the group of Member States that had not notified full implementation of the directive. The European Commission therefore issued a reasoned opinion on 7 May 2025 for failure to notify full transposition measures.
The legislative process has now concluded and the directive has been incorporated into Polish law through amendments to the Act on the National Cybersecurity System (Krajowy System Cyberbezpieczeństwa – KSC).
Before the NIS 2 Directive, Poland implemented the original NIS Directive through the Act of 5 July 2018 on the National Cybersecurity System. This law created the Polish cybersecurity governance architecture and established obligations for operators of essential services and digital service providers. The act also defined the institutional structure of the national cybersecurity system, including the network of national CSIRTs and the coordination mechanisms for incident reporting and response.
Although the 2018 act provided the basic regulatory infrastructure, its scope and regulatory model corresponded to the more limited framework of the first NIS Directive. Consequently, extensive legislative amendments were required to align Polish law with the broader requirements of NIS 2.
Under Article 41 of Directive (EU) 2022/2555, Member States were required to adopt national implementing legislation by 17 October 2024. Poland did not meet this deadline.
During 2024 and 2025 the Polish government prepared a series of draft amendments to the National Cybersecurity System Act designed to implement the directive. Several successive drafts were circulated and debated within the government and parliament, reflecting the complexity and political sensitivity of the reform.
The legislative process proved controversial, particularly because of provisions relating to the exclusion of so-called “high risk vendors” from certain sectors and the expansion of regulatory oversight over digital infrastructure providers.
The decisive milestone occurred in February 2026, when the Polish Parliament adopted amendments to the Act on the National Cybersecurity System implementing the NIS 2 Directive. The final legislative step took place on 19 February 2026, when the President of Poland signed the amendment into law. This presidential signature formally completed the legislative process and marked the legal transposition of NIS 2 into Polish law.
Poland chose to implement the directive through a major amendment to an existing cybersecurity statute rather than adopting a completely new law. This legislative approach preserves the basic structure of the National Cybersecurity System Act, while substantially expanding its scope and regulatory mechanisms.
The amended act introduces several significant changes. The number of regulated entities will increase dramatically, potentially expanding from a few hundred organisations under the earlier framework to tens of thousands of entities across multiple sectors of the economy.
The law also strengthens supervisory powers, introduces governance obligations for management bodies, and establishes mechanisms for identifying and restricting high-risk ICT suppliers considered to pose national security risks.
The Polish cybersecurity framework continues to rely on a network-based institutional model. The national cybersecurity system includes CSIRTs and supervisory authorities responsible for monitoring compliance and coordinating incident response. The amendments expand the responsibilities of these institutions and provide additional regulatory tools for addressing cybersecurity threats affecting critical infrastructure and digital services.