How to Prepare for the Entry into Force of the KSC Act – A Practical Checklist for Boards and CISOs
2025-11-26 13:16:54
The implementation of the NIS2 Directive into the Polish legal system is entering a decisive phase. The amendment to the Act on the National Cybersecurity System (the KSC Act) is not merely a cosmetic change to regulations, but a fundamental reconstruction of the approach to the state's digital resilience. For companies and institutions, this marks the end of the period in which cybersecurity was a "best practice," and the beginning of an era in which it becomes a hard legal requirement, enforced by strict sanctions.
The New Regulatory Landscape: Who does NIS2 apply to?
The most important change introduced by the draft KSC Act is the departure from issuing administrative decisions to designate an operator of essential services. Instead, the act introduces a self-identification mechanism. The burden of determining whether they fall under the new regulations rests on the entrepreneur.
The legislator introduces a division into two categories of entities, depending on the sector of activity and the size of the enterprise:
1. Essential Entities (Podmioty kluczowe)
This category includes entities from sectors critical to the economy and society, which are usually (though not always) large enterprises. These include:
Energy sector (electricity, district heating, oil, gas, hydrogen),
Transport (air, rail, water, road),
Banking and financial market infrastructure (though DORA regulations take precedence here),
Health sector (including laboratories, pharmaceutical manufacturing),
Public administration (public entities are essential by principle, regardless of size),
Digital infrastructure and ICT service management (B2B).
Entity size is key here: generally, these are large entities (over 250 employees or turnover > EUR 50 million). However, there are exceptions—e.g., DNS service providers, qualified trust service providers, or public entities are essential entities regardless of size.
2. Important Entities (Podmioty ważne)
This category covers a wide spectrum of medium-sized enterprises (from 50 to 249 employees or turnover > EUR 10 million) operating in key sectors and new sectors covered by the regulation, such as:
Postal and courier services,
Waste management,
Production, processing, and distribution of food,
Manufacturing (medical devices, computers, vehicles, etc.),
Digital providers (online marketplaces, search engines).
The NIS2 Registry
A fundamental change is the registration obligation. The draft KSC Act assumes that entities identifying themselves as essential or important will be required to submit an application for entry into the register within 3 months of meeting the criteria (or from the entry into force of the schedule announced by the Minister of Digital Affairs).
Obligations of NIS2 Entities – What is Changing?
The implementation of NIS2 in Poland imposes four main pillars of obligations on organizations. These are no longer recommendations, but hard legal requirements.
1. Information Security Management System (ISMS)
Entities must implement adequate and proportionate technical and organizational measures. The Act (Art. 8 of the draft) specifies that security management must be a continuous and documented process. This system must include, among others:
Information system security policies.
Incident management.
Business Continuity and Crisis Management.
Supply chain cybersecurity – this is a novelty and a huge challenge. Entities must verify the security of their ICT service and product suppliers.
Use of cryptography and encryption.
Human resources security and access control.
2. Incident Reporting
The reporting procedure has been significantly tightened. The KSC Act introduces a cascading model for reporting significant incidents to the appropriate CSIRT (the sectoral CSIRT or, if none is available, one of the national-level teams: CSIRT NASK, CSIRT GOV, or CSIRT MON):
Early Warning: Within 24 hours of detecting the incident. This aims to signal whether the incident may have cross-border effects or is the result of a deliberate attack.
Incident Notification: Within 72 hours – fuller information about the event (initial assessment, effects, indicators of compromise).
Final Report: No later than one month after the notification.
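The three-stage cascade above, and the question raised later in the checklist of whether the organization can actually report within 24 hours, are easiest to verify against a clock. The following deadline tracker is an added example written for this article; it is not code from the original post or from any regulator. It assumes timezone-aware UTC timestamps, approximates the statutory "one month" as 30 days, anchors the final-report deadline on the notification actually submitted (falling back to the notification deadline when none has been filed yet), and runs over constructed sample incidents rather than real ones.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Statutory windows from the cascading reporting model described in the article.
# The "one month" for the final report is approximated here as 30 days (assumption).
EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)
FINAL_REPORT_WINDOW = timedelta(days=30)


@dataclass
class Incident:
    """Constructed incident record; timestamps are timezone-aware UTC datetimes."""
    name: str
    detected_at: datetime
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None


def deadlines(inc: Incident) -> dict:
    """Compute the three reporting deadlines for an incident.

    Early warning and notification are anchored on detection. The final report is
    anchored on the notification actually submitted; if no notification has been
    sent yet, the notification deadline is used as the worst-case anchor.
    """
    early_warning = inc.detected_at + EARLY_WARNING_WINDOW
    notification = inc.detected_at + NOTIFICATION_WINDOW
    anchor = inc.notification_sent if inc.notification_sent is not None else notification
    return {
        "early_warning": early_warning,
        "notification": notification,
        "final_report": anchor + FINAL_REPORT_WINDOW,
    }


def stage_status(deadline: datetime, sent_at: Optional[datetime], now: datetime) -> str:
    """Classify one stage: on_time, late (sent after deadline), overdue (unsent, deadline passed) or pending."""
    if sent_at is not None:
        return "on_time" if sent_at <= deadline else "late"
    return "overdue" if now > deadline else "pending"


def report_status(inc: Incident, now: datetime) -> dict:
    """Status of every stage of the cascade for one incident at time `now`."""
    d = deadlines(inc)
    return {
        "early_warning": stage_status(d["early_warning"], inc.early_warning_sent, now),
        "notification": stage_status(d["notification"], inc.notification_sent, now),
        "final_report": stage_status(d["final_report"], inc.final_report_sent, now),
    }


def breaches(inc: Incident, now: datetime) -> list:
    """Stages that were submitted late or are still unsubmitted past their deadline."""
    return [stage for stage, s in report_status(inc, now).items() if s in ("late", "overdue")]


# Constructed sample data (not real incidents).
T0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=4)  # 96 hours after detection

SAMPLE_INCIDENTS = [
    # Everything so far within the windows; final report still being prepared.
    Incident("compliant", T0,
             early_warning_sent=T0 + timedelta(hours=20),
             notification_sent=T0 + timedelta(hours=70)),
    # Early warning sent 6 hours late and the 72-hour notification never filed.
    Incident("missed_notification", T0,
             early_warning_sent=T0 + timedelta(hours=30)),
    # All stages filed, but the final report landed 31 days after the notification.
    Incident("late_final_report", T0,
             early_warning_sent=T0 + timedelta(hours=5),
             notification_sent=T0 + timedelta(hours=60),
             final_report_sent=T0 + timedelta(hours=60) + timedelta(days=31)),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.name, report_status(inc, NOW), "breaches:", breaches(inc, NOW))
```

Running the tracker during a tabletop exercise, with the real detection timestamp from the SIEM as `detected_at`, answers the checklist question directly: if the early-warning stage shows "overdue" before anyone has drafted the message, the detection-to-reporting path is too slow for the Act. Anchoring the final report on the actual notification time matters because a notification filed early shortens that last window rather than leaving it fixed at detection plus 72 hours plus one month.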
3. Mandatory KSC Audit
Essential entities will be required to conduct an external security audit of their information system at least once every 3 years. This audit must be performed by an accredited body or auditors meeting statutory competence requirements. Important entities are subject to audits in an ex-post supervisory mode or upon request by the authority in case of irregularities.
4. Board Liability and Training
This is a significant change. The draft KSC Act (Art. 8c) explicitly states that the head of the entity (the Management Board) bears responsibility for fulfilling cybersecurity obligations. This responsibility cannot be fully delegated. Furthermore, members of management bodies are required to undergo cybersecurity training to possess the knowledge necessary to supervise these processes.
Timeline and Vacatio Legis – How Much Time Do We Have?
Analyzing the transitional provisions of the amendment to the KSC Act (version from Oct 3, 2024), the following deadlines are crucial:
Entry into force: The Act enters into force 1 month after its publication (as of the time of writing, publication has not yet taken place).
Adjustment Period: According to Art. 25 of the draft, entities that meet the criteria for being recognized as an essential or important entity on the day the Act enters into force have 6 months to implement the obligations specified in Chapter 3 (i.e., implementing the ISMS, risk assessment, incident response procedures).
First Audit: Essential entities must conduct the first audit within 24 months of the Act’s entry into force.
Registration: The Minister responsible for computerization will announce the schedule for submitting applications for entry into the register. This process is intended to last up to April 2025 (according to Directive assumptions, though this date may shift depending on when the Act is passed).
Conclusion: Time is very short. Six months to build or adapt a security management system, supply chain controls, and incident response procedures is an extremely ambitious deadline for a large organization.
Sanctions – The Cost of Inaction
Non-compliance with the Act carries severe financial consequences. NIS2 penalties are intended to be “effective, proportionate, and dissuasive.”
For Essential Entities: The penalty can amount to up to EUR 10,000,000 or 2% of the total annual worldwide turnover (whichever is higher).
For Important Entities: Up to EUR 7,000,000 or 1.4% of turnover.
For Entity Managers: The supervisory authority may impose a financial penalty on the head of the entity (e.g., the CEO) amounting to up to 600% of their salary if they fail to fulfill supervisory duties or ensure the implementation of audits and training.
Action List for the CISO and the Board
To meet NIS2 requirements, organizations should take immediate action. Below is a priority list of tasks.
For the Board (CEO, COO, CFO):
Status Verification: Determine whether the company is an essential or important entity in light of the annexes to the Act (analysis of PKD codes, i.e. the Polish classification of business activities, employment size, and financials).
Budgeting: Secure funds for cybersecurity. NIS2 requirements mean costs, not just for technology, but also for audits, training, and legal services.
Training: Schedule training for the Board. This is a statutory requirement, and ignoring it results in direct personal liability.
Governance: Formally include cybersecurity issues in the Board meeting agenda. Oversight of risk management cannot be a facade.
For the CISO / Security Department:
Gap Analysis: Conduct a “zero audit.” Compare the current state of security (e.g., according to ISO 27001) with the new requirements of the KSC Act.
Asset and Process Inventory: Precisely define which information systems support essential/important services.
Documentation Update: Adapt security policies, Business Continuity Plans (BCP), and Disaster Recovery Plans (DRP).
Incident Response Procedures: Test the incident reporting path. Is the organization capable of detecting an incident and reporting it within 24 hours?
Supply Chain Audit: Begin verification of key IT/OT suppliers. Do contracts contain appropriate security clauses? Are suppliers ready for NIS2?
How to Accelerate the Implementation Process?
Self-implementation of NIS2 requirements, especially in the technical and audit areas, can be a challenge in terms of time and competence. It is worth considering external support, particularly at the stage of gap analysis and preparation for the audit.
Technological partners, such as Tenesys, have experience in infrastructure security and regulatory compliance. Cooperation with a specialized entity allows, on the one hand, for an objective assessment of the security state (an independent outside view), and on the other hand, enables organizations to go through the adaptation process quickly and effectively, focusing on critical areas requiring improvement before the 6-month vacatio legis expires. External support is particularly valuable when mapping technical processes to legal requirements and implementing mechanisms for continuous monitoring and incident reporting.
Summary
The amendment to the KSC Act implementing NIS2 is not just bureaucracy. It is a forced professionalization and standardization of cybersecurity in Poland. Responsibility is shifting from IT departments directly to boardrooms.
The key to success is not “buying security,” but building a process. Given the short deadlines for NIS2 implementation, organizations that have not yet started analyzing their status and security gaps are already operating in a risk zone. Remember: NIS2 sanctions are real, but even more real are the digital threats against which the Act is meant to protect us.
