
Polish Cybersecurity Act (UKSC)

The Polish Act on the National Cybersecurity System implementing the NIS Directive, regulating obligations of essential service operators and digital service providers.

What is the Polish Cybersecurity Act?

The Act on the National Cybersecurity System (Ustawa o krajowym systemie cyberbezpieczeństwa, dated 5 July 2018) is the Polish implementation of the NIS Directive (Network and Information Systems Directive). The Act defines the framework of the national cybersecurity system, establishing institutional roles and obligations for various entities regarding network and information system security.

The Act identifies several entity categories:

Essential Service Operators (OUK) - entities in the energy, transport, banking, financial market infrastructure, healthcare, water supply and digital infrastructure sectors.

Digital Service Providers (DUC) - entities providing online marketplace, search engine and cloud computing services.

CSIRT teams - CSIRT MON, CSIRT NASK, CSIRT GOV.

Competent authorities - sector-specific supervisory bodies.

Essential Service Operators are required to implement a security management system, conduct risk assessments, apply technical and organisational measures, report serious incidents to the relevant CSIRT and undergo security audits every two years.

Why does it matter?

The amendment to the Cybersecurity Act implementing the NIS2 Directive significantly expands the scope of regulated entities and tightens requirements. Organisations that were previously outside the Act’s scope may now fall within it. Preparing for new requirements - security posture audits, risk analysis, implementing incident response procedures - takes time and should begin well in advance.
