The KSC Act (the Polish Act on the National Cybersecurity System, ustawa o krajowym systemie cyberbezpieczeństwa) sets out how the national cybersecurity and incident response system operates in Poland and what cybersecurity obligations fall on the organizations it designates. Its aim is to make the state and its critical services more resilient to cyberattacks through a clear division of roles, incident handling procedures, incident reporting, and oversight. Below we have compiled the most important areas covered by the Act.
The Act defines key terms (including incident, incident response, and critical service) and establishes the framework for the operation of the national cybersecurity system.
It describes which entities fall within the KSC (e.g., operators of critical services and digital service providers) and what tasks and responsibilities follow from that status.
The Act establishes the national-level CSIRT teams (CSIRT NASK, CSIRT GOV, and CSIRT MON) within the system and defines how they and the other participants cooperate in handling incidents, from exchanging information to coordinating response actions.
It identifies the authorities responsible for oversight in specific sectors and their competencies: inspection, issuing decisions, and enforcing requirements.
The practical core of the Act is the obligation to take a risk-based approach: to identify and assess the risks to the service provided and, on that basis, to implement appropriate policies, procedures, roles, and response protocols for when an incident occurs.
The Act highlights the need to implement adequate technical safeguards and maintain the capability to detect, analyze, and mitigate the effects of incidents.
It regulates how incidents are reported to the relevant CSIRT and how entities cooperate with it; the reporting duties and deadlines depend on the type of entity and the classification of the incident (for example, an operator of a critical service must report a serious incident without undue delay and no later than 24 hours after detecting it).
The Act provides for inspection mechanisms and enforcement measures, including administrative fines, where an organization fails to meet its requirements.
