• +48 786 088 383
  • 94-102 Łódź, Nowe Sady 4 lok.14

More information about anticipated changes and plans for NIS2 and KSC

With ADQ, you’re always up to date

As promised, here is a practical update on NIS2 and Poland’s KSC framework.
However, the legislative process is ongoing, so these points may still change.
Therefore, the summary below reflects current assumptions, not final legal wording.

First, the implementation timeline is one of the key topics.
Under the latest proposal, key and important entities would have one year to comply.
Previously, the timeline was six months, so this is a major shift.
Notably, the Sejm Committee on Digitization introduced this change.
In addition, the committee adopted the amendment unanimously.
For now, we treat this as the leading direction of travel.

Important sectors

At the same time, the draft introduces new cybersecurity obligations for key and important sectors.
In practice, it covers energy, healthcare, banking, manufacturing, and water supply.
Therefore, organisations in these sectors should expect broader requirements.
Moreover, governance and control expectations will likely become stricter.

A central element is the mandatory Information Security Management System (ISMS).
In effect, ISMS shifts security from ad-hoc actions to structured management.
As a result, roles, procedures, and continuous improvement become formal requirements.

In addition, the proposal strongly emphasises ICT supply chain security.
Specifically, organisations must secure ICT products, services, and processes across suppliers.
Therefore, risks extend beyond internal systems to vendors and technology partners.

That’s not all

Alongside supply chain duties, the draft highlights regular incident risk assessments.
That means entities must assess incident likelihood and impact on a regular schedule.
Then, they should use results to set priorities and strengthen controls.

When it comes to incident handling, the draft points to reporting via the s46 system.
Therefore, key and important entities should report incidents through the s46 channel.
As a result, reporting becomes more standardised and easier to track.

Another key area is national-level governance powers.
The proposal would expand the powers of the Minister for Digital Affairs.
In particular, the minister could designate high-risk suppliers, known in Polish as DWR.
Importantly, such decisions would use technical and non-technical criteria.
In addition, the process would include consultations with several stakeholders.
These may include prosecutors, civil society, and the cybersecurity college.

Crucially, the draft also includes procedural safeguards.
For example, suppliers would have the right to appeal to an administrative court.
Furthermore, high-risk supplier equipment would be phased out over four to seven years.

Time for the calendar

The current KSC Act dates back to 2018, and the deadline for implementing NIS2 into national law expired on October 18, 2024. On the legislative side, the draft was submitted to the Sejm at the beginning of November 2025, work in the committee is ongoing, and the deadline for the committee's report is January 20.

Best to go to the source

For more information, please refer to the source, i.e., the draft amendment: https://www.sejm.gov.pl/sejm10.nsf/PrzebiegProc.xsp?nr=1955

© 2026 ADQ Technologies | All rights reserved