NIS2 – legislation in the Council of Ministers
Jun 1, 2025

“The legislative process is a marathon, but it must lead to a secure digital economy. That's why, alongside requirements, we provide real funding sources so that no company is left alone.”
Paweł Olszewski
State Secretary at MC
1. The Finish Line of Years of Effort
The sixth—and likely final—version of the bill amending KSC (UC32) has just reached the Standing Committee of the Council of Ministers. If no further legal adjustments arise, the Council of Ministers could approve the text by June, and the Sejm will address it before the summer break. This is the culmination of four years of consultations, with each iteration expanding the list of entities and aligning provisions with the NIS 2 directive.
2. What Changes for Enterprises?
New Definitions – critical service operators are removed; key entities (KE) and important entities (IE) are introduced.
Broader Scope – the bill will cover, among others, the food, chemical, postal, water and sewage, and ICT management sectors, as well as space entities.
Risk Management System – an obligation to implement an ISMS and register in the S46 e-list (special token devices are no longer needed; the connection will be cloud-based).
Incidents “in Two Stages” – 24 hrs for early warning, 72 hrs for full reporting; the possibility to request CSIRT support within 24 hrs.
Audit every three years (KE) or ad-hoc (IE at the authority’s request). The audit decision is to be immediately enforceable.
New Sanctions – fines of up to 10 million zloty or 2% of turnover (KE) and up to 7 million zloty or 1% (IE); in extreme cases, suspension of operations or even of management.
High-risk vendor – MC will be able to classify a supplier as high-risk; companies will have 5-7 years to replace equipment/software.
3. Sectoral CSIRTs – 24/7 Support Network
The Ministry announces at least five new sectoral CSIRTs, funded 2/3 from CyberPL KPO funds (~66 million zloty) and the budgets of sector ministries. The Office of Technical Supervision will cover production and chemistry, CSIRT NASK – public administration, and CSIRT KNF – financial markets. This way:
businesses will get an industry-specific contact point,
incident reports will reach “their own,”
CSIRTs will conduct industry training and exercises.
4. Funding for Adaptation – Where to Get It?
Agnieszka Wachowska points out that the MC’s grant line “for products and incident handling” is one of the most interesting new elements of version 6 – it prevents a situation where companies would have to finance the requirements solely from their own resources.
5. What Should Companies Do Now?
Self-inventory – check whether you qualify as KE or IE (≥ 50 employees or > €10 million turnover, and belonging to one of the listed sectors).
Gap Analysis – compare current procedures and controls against the list of 10 requirements of Art. 21 NIS 2.
Budget Plan – allocate costs of ISMS, audit, and SOC by 2026; monitor MC/KPO competition deadlines.
Management Training – the new regulations place responsibility personally on the head of the entity.
Vendor-risk Monitoring – prepare a list of ICT products and service agreements; if a high-risk vendor (HRV) decision is issued, you'll know what to replace.
Our offer includes:
IT Security Audit – identification of key threats and analysis of current safeguards.
Training and Consulting – preparing management teams for new challenges and discussing best practices.
Support in Implementing ISO Standards – assistance in choosing appropriate standards, which, though not providing full guarantees, form a solid base for further actions.
We invite you to visit our website, where you will find detailed information about our services and the opportunity to consult with experts. This way, it will be possible to prepare your organization not only for the first report but also for full implementation of audit procedures.
6. Market Perspective
The emphasis on executive responsibility and strict penalties turns cybersecurity from an “IT cost” into a strategic risk factor. At the same time, funding programs (Cyber Fund, KPO, MC grants) ensure that transitioning to NIS 2 requirements will not be a financial trap, especially for SMEs and the public sector.
“Funding is a shield, allowing companies to focus on strengthening processes instead of worrying about the cost of replacing infrastructure. We must treat cybersecurity like insurance – it's an investment, not a burden.”
Marcin Ciesielski, NIS 2 Expert
7. What’s Next?
June 12 – bill at the Standing Committee of the Council of Ministers.
End of June – potential approval by the Council of Ministers.
Q3 2025 – first reading in the Sejm.
January 2026 – planned vacatio legis (1 month) and the start of the 6-month countdown for registration in S46.
There are a few months left to prepare your organization and secure funding – it is worth using them to the fullest before the bill lands in the Journal of Laws.
Article prepared based on the UC32 draft bill (May 2025) and public information from the Ministry of Digitalization.