


NIS2 in Poland: new cybersecurity audits and data protection obligations

published on 23 February 2026 | reading time approx. 5 minutes


The European NIS2 Directive was to be implemented into the legal systems of all EU Member States by 17 October 2024. Poland, as one of the last Member States, introduced the amendments required by NIS2 into its national legislation. On 19 February 2026, the President of the Republic of Poland signed an act amending the Act on the National Cybersecurity System (The NSC Act, The Act).

The Act introduces a number of changes to cybersecurity obligations. Violating them may result not only in financial penalties but also in a ban on performing management functions, imposed on a person who has failed to comply with the requirements of the cybersecurity supervisory authority.

Given the very short, one-month vacatio legis, business entities operating in Poland are required to promptly conduct an audit to determine whether they fall under the new obligations. Importantly, it will be up to entrepreneurs themselves to verify whether they are subject to the obligations arising from NIS2. The purpose of this self-identification is proactive risk management and increasing the level of security within organizations.

Key and important entities – who is covered and how to determine the status?

Under the new legislation, every entity using digital solutions in the broad sense (e.g., by providing digital services) will be obliged to assess whether it meets the criteria to be classified as a “key entity” or an “important entity” within the meaning of the Act. Key and important entities are those whose cybersecurity is particularly significant for the functioning of the state, society and the economy (e.g., cloud service providers), and they are therefore considered jointly responsible for preventing and combating cyber threats.

The Act only occasionally lists the specific entities directly covered by the new obligations. All others must independently analyze whether they fall under the obligations specified in the Act.

As a first step, each entity should check whether it is covered directly due to the type of activity named explicitly in the legislation. Second, it is necessary to consult Annexes 1 and 2 to the Act. These annexes list sectors, types of activities or entities considered particularly important, and therefore sensitive and vulnerable to cyber threats. Each organization should verify whether its activities are listed there. Third, the entity must determine its size on the basis of Annex I to Regulation 651/2014/EU. The size of the entity may affect whether it can be classified as a key or an important entity.

If an organisation determines that it is a key or an important entity, it must apply for entry in the “Register of Key or Important Entities.” This must be done within 6 months from the date of meeting the criteria for being recognised as such an entity.

Cybersecurity audit – deadlines and frequency

Next, it will be necessary to conduct a cybersecurity audit and implement new technical solutions that adequately protect the organization. Increasing cybersecurity awareness among both management and staff is also essential.

Under the new rules, entities that qualify as key entities on the day the Act enters into force and have not previously conducted a security audit must undertake their first security audit within 24 months of the Act's entry into force. Entities that obtain key entity status after the Act enters into force must conduct the first audit within 24 months from the date of meeting the criteria.

Subsequent audits must be performed at least once every 3 years, counting from the date of preparation and signing of the report from the previous audit.

New requirements for the supply chain and suppliers

Furthermore, the Act obliges key and important entities to implement an information security management system, which must include, among others, technical and organizational measures ensuring the security and continuity of the ICT product supply chain. In practice, this will require assessing the cybersecurity practices of suppliers, adjusting contractual provisions accordingly, and monitoring potential risks.

Conducting supplier audits (especially for those responsible for critical deliveries) is highly recommended.

Processing of personal data within the National Cybersecurity System

The Act regulates the rules for processing personal data in the process of reporting and handling incidents. Although its main purpose is to ensure the resilience of systems, in practice it also introduces a consistent data protection regime that must be applied in parallel with the GDPR.

The Act provides that the reporting, handling and coordination of incidents inevitably involve the processing of personal data — both the contact details of the reporting persons and technical data such as IP addresses or device identifiers. In many cases, this data is pseudonymised, but it still remains personal data within the meaning of the GDPR.

CSIRT MON, CSIRT NASK, CSIRT GOV and sectoral teams may process personal data, including special categories of data, only to the extent necessary to perform their statutory tasks. The Act requires the use of enhanced security measures: risk analysis, access control, malware protection and secure information exchange procedures. Data must be deleted or anonymised when it is no longer needed, and at the latest five years after the incident has been addressed.

The regulation also allows for the restriction of certain rights of data subjects, including the right of access, rectification or restriction of processing, if their exercise would prevent an effective response to an incident. At the same time, CSIRTs must ensure transparency by publishing on their websites information about the controller, legal basis, data categories, storage periods and the scope of restrictions of rights.

The Act also provides for the possibility of transferring data between CSIRTs and other entities within the cybersecurity system if this is necessary for the performance of statutory tasks. In situations where an incident also constitutes a personal data breach, cooperation with the supervisory authority is required.

In practice, the new regulations require organisations to implement consistent procedures combining cybersecurity with data protection — from data minimisation and retention, through process documentation, to ensuring accountability. The NSC Act creates a framework that strengthens digital security while requiring full compliance with GDPR principles — proportionality, lawfulness, transparency and security of processing.

Tech & Data Bites

Authors: Alicja Szyrner, Aneta Siwek (Senior Associate), Michał Majnusz (Senior Associate) – Rödl Poland
