Current status of implementation


The proposal of the National Cyber Security System Act is still a work in progress, and there is no date of enactment set yet.

Implementation Act


The National Cyber Security System Act is the implementation Act.  The text of the Act is still in preparation and has not yet been published. 

Determination of operators of essential services (Art. 5 NIS)

The Act states that essential operators will be appointed from the same sectors as mentioned in Annex II to the NIS Directive, namely Energy, Transportation, Banking, Infrastructure for the Financial Market, Healthcare, Supply of Drinking Water, and Digital Infrastructure. Essential operators will be appointed by the competent authority according to the criteria listed in the regulation issued by the Council of Ministers.
Reporting obligations


Operators of critical infrastructure must immediately, but within no more than 24 hours, report a significant incident to the CSIRT MON (Computer Security Incident Response Team led by the Minister of National Defence), CSIRT NASK (Computer Security Incident Response Team run by Academic Computer Network - National Research Institute), CSIRT GOV (Computer Security Incident Response Team led by the Head of the Internal Security Agency), Article 12.1.4 of the NCSA.

Providers of digital services must immediately, but within no more than 24 hours, report a significant incident to the CSIRT NASK (Article 20.1.4) of the NCSA.

Sanctions regime


Article 57 of the NCSA provides for administrative fines of up to PLN 200,000 (EUR 50,000) imposed by the competent authority, in particular in the following cases:

Operators of critical infrastructure

  • fail to implement a security management system, ensuring management of incidents, including their identification, classification and prioritisation of incident handling, registration, analysis, searching for connections, undertaking corrective actions and remedying the causes of incidents and providing information on serious incidents to the appropriate CSIR;
  • fail to classify security incidents;
  • fail to properly report a significant incident.

If as a result of an inspection the competent authority finds that an operator of critical infrastructure persistently violates the Act, causing:

  1. a direct and serious threat to cybersecurity for defence, state security, public safety and order, or human life and health;
  2. the threat of serious damage to property or serious difficulties in providing key services;

the competent authority will impose a penalty of up to PLN 200,000.

Competent authorities

The competent authorities for cybersecurity are the ministers competent for the sector in which the given operators of critical infrastructure operate.
Jurisdictional applications

Operators of critical infrastructure are subject to Polish law and the NCSA if they have an organisational unit within the territory of  Poland. The provision of digital services is subject to Polish law if the digital service provider has its registered seat in Poland (Article 17.1. of the NCSA).
Remarks (if any)

The requirements set out in the NIS Directive have already been addressed in the National Strategy of Cyber Security of the Republic of Poland for the years 2017-2022. One of the main objectives of the Strategy is implementation of the NIS Directive.


Last reviewed 28.02.2018