	NIS2 Implementation in the EU
	Poland
	(Europe) Firm Wardyński & Partners Contributors Jakub Barański Updated 03 Feb 2026
Status of the legislative process	Ongoing
Status of the NIS2 Implementation Act	The implementation process for the NIS2 Directive in Poland is ongoing, although close to being completed. A draft legal act has been prepared by the Ministry for Digital Affairs (Ministerstwo Cyfryzacji) and initially published on 23 April 2024. Public consultation of the initial draft has been held, resulting in several subsequent revisions of the draft implementing act, published by the Ministry of Digital Affairs respectively on 7 October 2024, 22 November 2024, 6 December 2024, 7 February 2025, and 16 April 2025. The final version of the draft act was submitted for deliberation by Parliament and approved on 29 January 2026. The next and final stage of the legislative process involves signing the draft act into law by the President. It is expected that the President will not choose to veto the act approved by Parliament and will sign it within the next few days or weeks.
Significant deviations of the National Implementation Act from the NIS2 Directive, if any	The draft act, including the revised version, is generally considered more rigorous and wider in scope than the directive. In particular, it includes a broader list of sectors considered essential, e.g., wastewater supply, managed IT and cybersecurity services, and medical device manufacturing. The draft act goes somewhat beyond the directive with respect to the personal responsibility of management. It specifies, for example, that in the case of multi-member management, if a single member has not been appointed as responsible for cybersec, all members will bear joint and several responsibilities. The draft act also foresees an additional type of fine in case a regulated entity causes a direct and serious cybersecurity threat to Polish defense, state security, public safety and order, human life, and health. In such cases, the maximum threshold for the fine is higher, i.e., up to PLN 100,000,000 (approx. EUR 23,000,000). The draft act will also transpose the EU Commission’s Toolbox for 5G Security to Polish law.
Date of entry into force of the Implementation Act	Q1 2026. The draft act is expected to be signed into law by the President soon. After this, there will be a 1-month vacatio legis period, after which the actual implementation deadlines will begin to run (6 months for registration as an essential or important entity and 12 months for implementation of an information management system).

NIS2 Implementation in the EU

Back XLS

Status of the legislative process

Ongoing

Status of the NIS2 Implementation Act

The implementation process for the NIS2 Directive in Poland is ongoing, although close to being completed.

A draft legal act has been prepared by the Ministry for Digital Affairs (Ministerstwo Cyfryzacji) and initially published on 23 April 2024. Public consultation of the initial draft has been held, resulting in several subsequent revisions of the draft implementing act, published by the Ministry of Digital Affairs respectively on 7 October 2024, 22 November 2024, 6 December 2024, 7 February 2025, and 16 April 2025. The final version of the draft act was submitted for deliberation by Parliament and approved on 29 January 2026. The next and final stage of the legislative process involves signing the draft act into law by the President. It is expected that the President will not choose to veto the act approved by Parliament and will sign it within the next few days or weeks.

Significant deviations of the National Implementation Act from the NIS2 Directive, if any

The draft act, including the revised version, is generally considered more rigorous and wider in scope than the directive. In particular, it includes a broader list of sectors considered essential, e.g., wastewater supply, managed IT and cybersecurity services, and medical device manufacturing.
The draft act goes somewhat beyond the directive with respect to the personal responsibility of management. It specifies, for example, that in the case of multi-member management, if a single member has not been appointed as responsible for cybersec, all members will bear joint and several responsibilities.
The draft act also foresees an additional type of fine in case a regulated entity causes a direct and serious cybersecurity threat to Polish defense, state security, public safety and order, human life, and health. In such cases, the maximum threshold for the fine is higher, i.e., up to PLN 100,000,000 (approx. EUR 23,000,000).
The draft act will also transpose the EU Commission’s Toolbox for 5G Security to Polish law.

Date of entry into force of the Implementation Act

Q1 2026. The draft act is expected to be signed into law by the President soon. After this, there will be a 1-month vacatio legis period, after which the actual implementation deadlines will begin to run (6 months for registration as an essential or important entity and 12 months for implementation of an information management system).