New Cybersecurity Obligations for Companies

Author

Dominika Dörre-Kolasa, PhD


The act implementing the EU’s NIS2 Directive in Poland has been signed by the President and will enter into force one month after publication. Once effective, cybersecurity obligations will apply to a significantly broader group of entities than under the existing Act on the National Cybersecurity System.

Key Changes

  • expanded scope (essential and important entities),
  • obligation to implement an Information Security Management System (ISMS),
  • incident reporting on the NIS2 timeline (early warning within 24 hours, incident notification within 72 hours),
  • increased management liability,
  • mandatory training for all management board members,
  • audits (for essential entities),
  • real administrative sanctions.

What Is an ISMS?

An ISMS is a systematic approach to managing information security and business continuity. It covers all information systems used in the processes that affect the provision of services, and every system used in the conduct of business must be protected.

What Does an ISMS Cover?

In particular:

  • Risk management – systematic risk assessment, identification, analysis and evaluation of risks, decisions on risk treatment, documentation of the process.
  • Security policies – risk assessment policy, information systems security policy, thematic policies (e.g. access control, backup, cryptography).
  • Physical security – access control to premises, infrastructure protection.
  • ICT supply chain – supplier assessment, hardware and software security, technological dependencies.
  • Monitoring – continuous monitoring, logging enabling the reconstruction of events, accountability.
  • Cyber hygiene – software updates, vulnerability management, secure communication measures.

What Does Implementation Mean in Practice?

  • identifying services provided (broadly understood, including production),
  • mapping processes supporting those services,
  • identifying the information systems used in those processes,
  • conducting risk assessments,
  • implementing appropriate measures,
  • documenting the system,
  • ensuring management oversight.

Who Is Covered?

The new regulations will apply to more than 18 sectors of the economy and potentially tens of thousands of entities. Many medium-sized companies that were previously outside the scope of the National Cybersecurity System will fall within the cybersecurity regime for the first time.

Find more articles in PRO HR February 2026.