Amendment to the KSC Act Signed – Only 6 Months Left to Act. Are You Ready?

23.02.2026

The President has signed the amendment to the Act on the National Cybersecurity System (KSC), implementing the NIS2 Directive. At the same time, the Act has been referred for subsequent review by the Constitutional Tribunal.

What Does This Mean in Practice for Organizations?

Subsequent review does not suspend obligations

Referring the Act to the Constitutional Tribunal does not suspend its entry into force.
The vacatio legis period is running, and the new obligations will be enforced according to the established timeline.

For many organizations, a six-month period of intensive compliance activities has just begun.

Significant Expansion of the Scope of Regulated Entities

The amendment implementing the NIS2 Directive significantly expands the catalogue of entities covered by the regulation.

In practice, this means that many organizations that were not previously formally covered by the KSC Act may now qualify as:

  • essential entities,
  • important entities.

The range of sectors and qualification criteria has been substantially broadened, and the entry threshold to the system has been lowered.

Self-Identification Obligation – Responsibility Lies with the Organization

The amendment introduces a clear obligation of self-identification.

It is the organization – not the supervisory authority – that must:

  • determine its status,
  • perform the qualification assessment,
  • submit an application for entry into the relevant register.

Failure to conduct a reliable self-assessment does not exempt the organization from liability.

Key Risks for Organizations and Management Boards

The new provisions explicitly emphasize the role of the management body in overseeing cyber risk management.

Responsibility is no longer purely operational.
It becomes an element of corporate governance and the personal liability of board members.

Failure to act within the required timeframe entails real risks:

  • regulatory (administrative fines),
  • financial,
  • reputational,
  • contractual.

What Should Be Done in the Next 6 Months?

Organizations should immediately:

  1. Determine their status (essential or important entity).
  2. Complete self-identification and register accordingly.
  3. Conduct an ICT risk assessment.
  4. Review ICT supply chains (including DWR-related issues).
  5. Develop and implement IRP / BCP / DRP frameworks.
  6. Prepare for a compliance audit.

In practice, this requires conducting a comprehensive gap analysis against the new regulatory requirements.

Referral to the Constitutional Tribunal – Can You Wait?

No.

Proceedings before the Constitutional Tribunal may concern selected mechanisms (e.g., scope of supervisory powers), but they do not suspend the obligations arising from the Act.

From a practical standpoint, this means one thing: actions must begin now.

A Question Worth Asking Today

Does your organization have a clear and documented answer as to whether it qualifies as an essential or important entity under the new regulations?

If you require support in:

  • determining your status,
  • conducting a gap analysis,
  • designing a governance model for cybersecurity oversight,
  • preparing for a compliance audit,

please feel free to contact us.

PKF Polska Expert – Tomasz Janas, Advisory Managing Director – remains at your disposal.

In the current situation, time is the key factor in mitigating risk. We therefore strongly recommend not delaying your decision or outreach.

Contact Us
Agnieszka Chamera
Managing Partner of PKF Tax&Legal
Tax Advisor
+48 609 331 330
