Implementation of the NIS Directive – cybersecurity in Poland

On November 21, 2018, the Regulation of the Council of Ministers of 31 October 2018 on the thresholds for recognising an incident as serious was adopted. This completed Poland's implementation of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, a process that had begun with the adoption of the Act of 5 July 2018 on the national cybersecurity system into the Polish legal order.

How has the cybersecurity system in Poland been shaped?

The provisions of the Act impose specific obligations on digital service providers, public entities and operators of essential services (so-called key services), i.e. entities operating in, among others, the energy, transport, banking and financial market infrastructure, digital infrastructure and health sectors. Not every entity operating on the market is therefore obliged to comply with the Act.

The Act introduces general security measures that operators of essential services, digital service providers and public entities must implement to ensure the security of information and information systems, such as: conducting systematic incident risk assessments, implementing appropriate technical and organisational measures to limit the impact of incidents on the security of the information system in use, systematically collecting information on cyberthreats, implementing appropriate technical and organisational measures proportionate to the estimated risk, and providing means of communication that enable proper and secure communication within the national cybersecurity system.

Competence to supervise the application of the Act's provisions by the obliged entities was allocated at ministerial level. The Act provides for financial penalties for violations of the obligations imposed on entities that must comply with its provisions. The amount of a penalty depends on the type of violation and may be up to a maximum of PLN 150,000.00. If a persistent violation of the Act's provisions is found to cause a direct and serious cybersecurity threat to the security of the state, public order, or human life and health, or a risk of material damage to property, the supervisory authority is entitled to impose a fine of up to PLN 1,000,000.00.


Attorney at law Ewa Lejman

Attorney trainee Kamila Spalińska