NIS2 in Poland: A Long Journey from Brussels to the President's Desk

Feb 8, 2026

Nis2 Cybersecurity

Even in 2024, many entrepreneurs hoped that NIS2 would "get postponed again." That, as usual—there would be time, there would be guidelines, there would be a vacatio legis, and the practice would settle later. Today, this narrative definitely ends. The act implementing the NIS2 directive has been adopted by the Parliament and has been waiting for the President's signature for a week. This is a good moment to look back and understand why this journey has been so long—and what has truly changed along the way.

2024: the directive exists, the act does not

October 2024 was the formal deadline for implementing NIS2 in EU member states. Poland—like many other countries—did not make it. The draft amendment to the Act on the National Cybersecurity System (KSC) circulated between ministries, committees, and consultations, while the market was in a state of suspension.

Companies already knew one thing: the scope of NIS2 is significantly broader than NIS1. New sectors, new entities, management liability, real financial penalties. However, it was not clear:

  • who exactly would be a "key entity,"

  • who a "significant entity" would be,

  • from when to count deadlines,

  • and how strictly the state intends to enforce the regulations.

2025: a year of amendments, committees, and "clarifications"

The year 2025 was marked by intensive legislative work. The draft act was repeatedly analyzed by parliamentary and senate committees, with changes being substantive, not cosmetic. They clarified among other things:

  • definitions of key entities and significant entities,

  • rules for maintaining a central registry of entities covered by the act,

  • the relationship of NIS2 with other regulations, including DORA,

  • the scope of responsibility of entity managers (boards),

  • and the timetable for implementing obligations.

It was at this stage that it was clearly decided that cybersecurity is no longer solely the domain of IT but an element of risk management for the entire organization.

January 2026: key amendments and political consensus

Contrary to appearances, January 2026 was not a formality. It was then that the final, key committee work took place, which genuinely influenced the shape of the act. One of the most important changes was the extension of the deadline for conducting the first audit—from an originally shorter period to 24 months, which directly responded to the demands of the market and public administration.

This is an important signal: the legislator, on one hand, does not give up high standards, but on the other, gives organizations time for the real implementation of systems, rather than superficial actions.

The culmination of the work in the Parliament was the adoption of the act by an overwhelming majority—407 votes "for", crossing political divisions. In practice, this means one thing: NIS2 is no longer a project of a single political option, but has become a national security standard.

On January 23, 2026, the Senate adopted the act without amendments. Today, the document has been waiting for a week for the President's signature—which means that the legislative process is essentially concluded.

Why was this journey so long?

Because NIS2 is not just a simple amendment. It's a philosophical change in the approach to cybersecurity in Poland. The state unmistakably says for the first time:

cybersecurity is a component of state security and economic continuity, not an internal matter of the IT department.

Hence the extensive obligations, central registry of entities, audits, training for management staff, and personal responsibility of entity managers.

What does this mean now—in practice?

The enactment of the law will not be symbolic. For thousands of organizations, it triggers specific deadlines:

  • identifying the status of the entity,

  • implementing an information security management system,

  • preparing for audits,

  • and incorporating cybersecurity into managerial responsibilities.

NIS2 is no longer a "future topic." From this moment on, it's a strategic project that must be planned, embedded in the organization's structure, and financed.

Of course, if the President signs it… :)

Learn more on how to prepare your company with Spiree. We will answer all your questions.


‹ The First 6–12 Months After Implementing NIS2 – A Step-by-Step Guide

NIS2 – legislation in the Council of Ministers›