Poland: Delayed Cybersecurity Law – Strategic Risks and What Comes Next

Issue 12.7

As of early August 2025, Poland has yet to adopt the long-awaited amendment to its Act on the National Cybersecurity System (KSC Act), the key legislation designed to implement the EU’s NIS2 Directive.

The new cybersecurity laws are expected to impact tens of thousands of Polish businesses, particularly those in critical sectors such as energy, transport, healthcare, banking, and digital infrastructure. The delay places Poland in a difficult legal and political position, with the European Commission issuing a formal warning and raising additional concerns about the draft’s compliance with EU notification rules.

Although Polish officials initially indicated that the amendment would be adopted by the Council of Ministers in July, the draft remains stuck at the inter-ministerial consultation stage. The main barrier to adoption is reportedly a dispute between the Ministry of Digital Affairs and the Ministry of Finance over a proposed PLN 250 million annual increase to the Cybersecurity Fund (Fund). The Ministry of Finance has expressed objections concerning budgetary constraints and the intended allocation of the Fund. The Fund serves as a mechanism enabling public administration to enhance salaries for personnel responsible for cybersecurity in key institutions, including organizational units within ministries. Established in 2021, it was created in response to the shortage of cybersecurity specialists in the labor market.

Notification Concerns and Legal Implications

Another controversy centers on the European Commission’s recent reminder to Polish authorities about their obligation under Directive (EU) 2015/1535, which requires Member States to notify any proposed legislation containing technical regulations. The Commission questioned whether parts of the draft KSC Act – particularly the mechanism for designating high-risk vendors (HRVs) – constitute technical provisions subject to mandatory notification under this directive.

The Ministry of Digital Affairs maintains that the draft does not require notification, arguing that it does not impose technical requirements in the sense defined by EU law. However, some legal experts believe that the HRV mechanism creates binding technical rules by restricting access to the Polish market for certain ICT products and services. If this interpretation is accepted, the failure to notify could result in a three- to eighteen-month standstill period, further delaying the implementation of the NIS2 Directive in Poland.

If the law is adopted without proper notification and later challenged, the HRV-related provisions could be deemed inapplicable by Polish courts, making enforcement impossible against both companies and individuals. To avoid such risks, some countries – like Germany – have formally notified their NIS2 implementation laws to the European Commission in accordance with the required EU procedures.

Regulatory Uncertainty for Polish Businesses

Meanwhile, Polish businesses are left in regulatory limbo. The NIS2 Directive introduces broader obligations for operators in essential and important sectors, including stricter incident reporting, risk assessments, and mandatory cooperation with authorities. Without the KSC Act amendment, it remains unclear how these obligations will be enforced or what timeline businesses should prepare for.

The delay also adds pressure on Poland’s National Recovery Plan. The European Commission has warned that continued non-compliance could jeopardize access to recovery funds. The longer the legislative impasse continues, the greater the reputational and financial risks for the government.

Looking Ahead: Timelines and Strategic Considerations

The Ministry of Digital Affairs maintains that the law will be adopted by the end of 2025. However, unresolved disputes over funding and notification procedures make this timeline uncertain. Meanwhile, entities operating in essential and important sectors should start considering and preparing for future obligations under the upcoming legislation, keeping in mind that the final details may still evolve.

Poland’s delay goes beyond mere legislative hurdles; it highlights deeper challenges around cybersecurity governance and the balance between national protection of digital infrastructure and compliance with EU law. The coming months will be crucial – not only for passing the amendment but for ensuring it is legally sound, operationally practical, and strategically effective.

Many businesses operating in Europe have already begun rolling out their NIS2 implementation projects, particularly as the transposition deadline passed in October 2024 and several EU Member States have completed the transposition process. Once Poland implements the NIS2 Directive, these organizations will need to adapt their programs to align with Poland’s specific legal requirements and enforcement framework.

In the meantime, it is strongly recommended that companies assess whether they fall within the scope of the NIS2 Directive, as this will determine their future obligations and support their compliance efforts.

By Szymon Sieniewicz, Head of TMT/IP, and Malgorzata Czubernat, Associate, Addleshaw Goddard

This article was originally published in Issue 12.7 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.