29 April 2026
How to Prepare for the Entry into Force of the KSC Act – A Practical Checklist for Boards and CISOs


The implementation of the NIS2 Directive into the Polish legal system is entering a decisive phase. The amendment to the Act on the National Cybersecurity System (the KSC Act) is not merely a cosmetic change to regulations, but a fundamental reconstruction of the approach to the state’s digital resilience. For companies and institutions, this marks the end of the period where cybersecurity was a “best practice,” and the beginning of an era where it becomes a hard legal requirement, enforced by strict sanctions.
The New Regulatory Landscape: Who does NIS2 apply to?
The most important change introduced by the draft KSC Act is the departure from designating operators of essential services by administrative decision. Instead, the Act introduces a self-identification mechanism: the burden of determining whether it falls under the new regulations rests on the entity itself.
The legislator introduces a division into two categories of entities, depending on the sector of activity and the size of the enterprise:
1. Essential Entities (Podmioty kluczowe)
This category includes entities from sectors critical to the economy and society, which are usually (though not always) large enterprises. These include:
Energy sector (electricity, district heating, oil, gas, hydrogen),
Transport (air, rail, water, road),
Banking and financial market infrastructure (though DORA regulations take precedence here),
Health sector (including laboratories, pharmaceutical manufacturing),
Public administration (public entities are essential by principle, regardless of size),
Digital infrastructure and ICT service management (B2B).
Entity size is key here: as a rule, these are large enterprises (250 or more employees, or annual turnover above EUR 50 million together with an annual balance sheet total above EUR 43 million, per the thresholds of Commission Recommendation 2003/361/EC that NIS2 refers to). There are, however, exceptions: DNS service providers, qualified trust service providers, and public entities, for example, are essential entities regardless of size.
2. Important Entities (Podmioty ważne)
This category covers a wide spectrum of medium-sized enterprises (50 to 249 employees, or annual turnover and balance sheet total above EUR 10 million but below the large-enterprise thresholds) operating in the sectors already listed above as well as in the additional sectors brought into scope by the Directive, such as:
Postal and courier services,
Waste management,
Production, processing, and distribution of food,
Manufacturing (medical devices, computers, vehicles, etc.),
Digital providers (online marketplaces, search engines).
The NIS2 Registry
A fundamental change is the registration obligation. The draft KSC Act assumes that entities identifying themselves as essential or important will be required to submit an application for entry into the register within 3 months of meeting the criteria (or from the entry into force of the schedule announced by the Minister of Digital Affairs).
Obligations of NIS2 Entities – What is Changing?
The implementation of NIS2 in Poland imposes four main pillars of obligations on organizations. These are no longer recommendations, but hard legal requirements.
1. Information Security Management System (ISMS)
Entities must implement appropriate and proportionate technical, operational, and organizational measures. The Act (Art. 8 of the draft) specifies that security management must be a continuous, documented process based on a regularly repeated risk assessment. This system must include, among others:
Information system security policies.
Incident management.
Business Continuity and Crisis Management.
Supply chain cybersecurity – new in scope and a major challenge. Entities must assess the security of their ICT service and product suppliers, taking into account each supplier's own security practices and vulnerability handling, rather than relying on a contractual declaration alone.
Policies on the use of cryptography and, where appropriate, encryption.
Human resources security and access control.
2. Incident Reporting
The reporting procedure has been significantly tightened. The KSC Act introduces a cascading model for reporting significant incidents to the competent CSIRT (sectoral, or, where none exists, one of the national-level teams: CSIRT NASK, CSIRT GOV, or CSIRT MON):
Early Warning: Within 24 hours of becoming aware of the incident. Its purpose is to indicate whether the incident is suspected of being caused by a deliberate (unlawful or malicious) act and whether it may have cross-border effects.
Incident Notification: Within 72 hours – fuller information about the event (an initial assessment of severity and impact, and, where available, indicators of compromise).
Final Report: No later than one month after submitting the incident notification. If the incident is still ongoing at that point, a progress report is submitted instead, and the final report follows within a month of the incident being handled.
3. Mandatory KSC Audit
Essential entities will be required to have an external security audit of their information systems carried out at least once every 3 years. The audit must be performed by an accredited body or by auditors meeting the statutory competence requirements. Important entities have no periodic audit obligation; they are audited ex post, at the request of the supervisory authority when irregularities are identified.
4. Board Liability and Training
This is a significant change. The draft KSC Act (Art. 8c) explicitly states that the head of the entity (the Management Board) is responsible for fulfilling the cybersecurity obligations. Tasks can be delegated, but the responsibility cannot. Furthermore, members of management bodies are required to undergo cybersecurity training so that they possess the knowledge needed to supervise these processes.
Timeline and Vacatio Legis – How Much Time Do We Have?
Analyzing the transitional provisions of the amendment to the KSC Act (version from Oct 3, 2024), the following deadlines are crucial:
Entry into force: The Act enters into force 1 month after its publication (which, at the time of writing, has not yet taken place).
Adjustment Period: According to Art. 25 of the draft, entities that meet the criteria for being recognized as an essential or important entity on the day the Act enters into force have 6 months to implement the obligations specified in Chapter 3 (i.e., implementing the ISMS, risk assessment, incident response procedures).
First Audit: Essential entities must conduct the first audit within 24 months of the Act’s entry into force.
Registration: The Minister responsible for computerization will announce the schedule for submitting applications for entry into the register. The Directive required Member States to have their lists of essential and important entities in place by 17 April 2025; in practice the Polish timeline depends on when the Act is passed.
Conclusion: Time is very short. 6 months to build or adapt a security management system, supply chain controls, and incident response procedures is an incredibly ambitious deadline for a large organization.
Sanctions – The Cost of Inaction
Non-compliance with the Act carries severe financial consequences. NIS2 penalties are intended to be “effective, proportionate, and dissuasive.”
For Essential Entities: up to EUR 10,000,000 or 2% of the total annual worldwide turnover of the preceding financial year, whichever is higher.
For Important Entities: up to EUR 7,000,000 or 1.4% of the total annual worldwide turnover, whichever is higher.
For Entity Managers: The supervisory authority may impose a financial penalty on the head of the entity (e.g., the CEO) of up to 600% of their salary if they fail to fulfil their supervisory duties or to ensure that the required audits and training take place.
Action List for the CISO and the Board
To meet NIS2 requirements, organizations should take immediate action. Below is a priority list of tasks.
For the Board (CEO, COO, CFO):
1. Status Verification – Determine whether the company is an essential or important entity in light of the annexes to the Act (analysis of PKD codes, headcount, and financials).
2. Budgeting – Secure funds for cybersecurity. NIS2 requirements mean costs, not just for technology, but also for audits, training, and legal services.
3. Training – Schedule training for the Board. This is a statutory requirement, and ignoring it results in direct personal liability.
4. Governance – Formally include cybersecurity on the Board meeting agenda. Oversight of risk management cannot be a facade.
For the CISO / Security Department:
1. Gap Analysis – Conduct a "zero audit." Compare the current state of security (e.g., against ISO 27001) with the new requirements of the KSC Act.
2. Asset and Process Inventory – Precisely define which information systems support the essential/important services, since these define the scope of the obligations and of the audit.
3. Documentation Update – Adapt security policies, Business Continuity Plans (BCP), and Disaster Recovery Plans (DRP).
4. Incident Response Procedures – Test the incident reporting path end to end. Can the organization detect an incident, classify it as significant, and send the early warning within 24 hours of becoming aware of it, and then produce the 72-hour notification with an initial severity assessment and indicators of compromise?
5. Supply Chain Audit – Begin verifying key IT/OT suppliers. Do contracts contain appropriate security clauses (incident notification, vulnerability handling, right to audit)? Are the suppliers themselves ready for NIS2?
How to Accelerate the Implementation Process?
Self-implementation of NIS2 requirements, especially in the technical and audit areas, can be a challenge in terms of time and competence. It is worth considering external support, particularly at the stage of gap analysis and preparation for the audit.
Technological partners, such as Tenesys, have experience in infrastructure security and regulatory compliance. Cooperation with a specialized entity allows, on the one hand, for an objective assessment of the security state (an independent outside view), and on the other hand, enables organizations to go through the adaptation process quickly and effectively, focusing on critical areas requiring improvement before the 6-month vacatio legis expires. External support is particularly valuable when mapping technical processes to legal requirements and implementing mechanisms for continuous monitoring and incident reporting.
The amendment to the KSC Act implementing NIS2 is not just bureaucracy. It is a forced professionalization and standardization of cybersecurity in Poland. Responsibility is shifting from IT departments directly to boardrooms.
The key to success is not “buying security,” but building a process. Given the short deadlines for NIS2 implementation, organizations that have not yet started analyzing their status and security gaps are already operating in a risk zone. Remember: NIS2 sanctions are real, but even more real are the digital threats against which the Act is meant to protect us.
Author
Bartosz Pyrczak
Head of Growth
Head of Growth at Tenesys. Connects people, builds relationships, and ensures the company grows in the right direction. Convinced that in IT sales, the one who listens better than they speak wins. Privately a traveler and cyclist.