
NIS2 and UKSC Compliance for Polish SMBs

Poland's National Cybersecurity System Act (UKSC), transposing the EU NIS2 Directive, took force on 3 April 2026. Small and medium enterprises in sectors listed in UKSC Annex I/II must register by 3 October 2026, achieve full Article 21 compliance by 3 April 2027, and undergo their first mandatory audit by 3 April 2028. Polish accounting firms, dental clinics and aesthetic medicine practices fall in scope only when both sector and size thresholds are met. See the decision tree below.

Informational material, not legal advice. Consult Polish counsel or a Data Protection Officer for specifics. Information date: 2026-05-28. Reviewer of record: TBD (legal reviewer to be assigned pre-publication).


1. What NIS2 is, and what UKSC is

NIS2 is Directive (EU) 2022/2555 of the European Parliament and Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union. It replaces the original NIS Directive (2016/1148) and expands the scope from roughly 1,700 covered entities EU-wide to approximately 160,000.

UKSC - the Polish Act on the National Cybersecurity System of 5 July 2018 (Dz.U. 2018 item 1560) - is the Polish transposition act. The amendment signed on 19 February 2026 (Dz.U. 2026 item 314, official number to be confirmed) took force on 3 April 2026. Poland transposed NIS2 with a 16-month delay from the EU deadline of 17 October 2024, in line with most member states.

Practical rule: when you read about “NIS2 obligations in Poland”, you are actually applying UKSC. NIS2 supplies the principles; UKSC defines how they are enforced under Polish law. The supervisory authority is the Ministry of Digital Affairs (mc.gov.pl) together with sectoral organs. CERT Polska (cert.pl, operated by NASK) is the national CSIRT for incident reporting.

2. Does it apply to my company

The test has three questions. The decision tree:

NIS2 scope decision tree for Polish SMBs

START: In a UKSC Annex I/II sector?
  NO  -> Out of NIS2 scope. Measures still worth adopting.
  YES -> Question 2: ≥50 staff OR ≥EUR 10M turnover?
           NO  -> Grey zone. Exceptions for DNS, TLD, MSP.
           YES -> IN SCOPE. Register by 3.10.2026.

Typical Polish SMB cases in CyberCerber's portfolio:
  • Dental clinic: usually out of scope (healthcare provider <50 staff)
  • Accounting firm: usually out of scope, unless client portfolio = "important services"
  • Aesthetic medicine clinic: almost always out of scope

Question 1: Are you in an Annex I or II sector?

Annex I (essential entities), 11 sectors: energy, transport, banking, financial market infrastructures, healthcare (hospitals and medical entities above threshold), drinking water, wastewater, digital infrastructure (DNS, TLDs, cloud, IXP, registries), ICT service management, public administration, space.

Annex II (important entities), 7 sectors: postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing (medical devices, automotive, electronics, machinery), digital service providers (marketplaces, search engines, social platforms), research.

Question 2: Do you meet the size threshold?

NIS2 Article 3(1) refers to the EU medium enterprise definition (Annex to Commission Recommendation 2003/361/EC): at least 50 employees OR at least EUR 10 million annual turnover or balance sheet. One condition is enough. Firms below both thresholds are out of scope - with exceptions.

Question 3: Do any size-independent exceptions apply?

NIS2 Article 2(2) lists categories that fall under the directive regardless of size: most commonly DNS service providers, country-code top-level domain (ccTLD) registries (NASK for .pl), managed ICT service providers, certain national-security-critical entities.

These exceptions rarely catch typical Polish SMBs.

By vertical (CyberCerber portfolio)

  • Dental clinic - usually out of main scope. The healthcare sector covers “medical entities” employing above the size threshold. A solo or three-chair practice is out. Supply chain wrinkle: if you are a subcontractor to a public hospital (essential entity), the hospital may require cyber clauses contractually - this is the hospital’s obligation cascading down, not your own NIS2 obligation.
  • Accounting firm - grey zone. Bookkeeping itself is not in Annex I or II. But if the firm services an essential entity as a critical ICT provider (e.g., managing the entity’s accounting systems), the client may enforce NIS2 requirements through contract. Review your client portfolio.
  • Aesthetic medicine clinic - almost always out of scope. Aesthetic procedures do not qualify as “health services” under the Polish Act on Medical Activity of 2011 (Article 3(2)). A clinic with certified medical staff offering borderline procedures (medical laser, podiatry) may fall into the healthcare sector - then the size threshold decides.

If the answers are ambiguous, consult Polish counsel before the 3.10.2026 deadline. Self-identification is the entity’s own obligation; failure to register when required is sanctionable.
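The three questions above can be walked mechanically. The following is an added example (not code from the page or from CyberCerber) that encodes the decision tree with the thresholds quoted in this section; the sample entities, the field names and the status labels are constructed for illustration, and the verdict is an aid to self-identification, not a substitute for the counsel review the page recommends.

```python
from dataclasses import dataclass
from enum import Enum


class Annex(Enum):
    NONE = "not in Annex I or II"
    I = "Annex I (essential entities)"
    II = "Annex II (important entities)"


# Size threshold quoted on the page (medium enterprise, Recommendation 2003/361/EC):
# at least 50 staff OR at least EUR 10 million annual turnover or balance-sheet total.
HEADCOUNT_THRESHOLD = 50
FINANCIAL_THRESHOLD_EUR = 10_000_000

IN_SCOPE = "in scope"
OUT_OF_SCOPE = "out of scope"
GREY_ZONE = "grey zone"


@dataclass
class Entity:
    name: str
    annex: Annex
    headcount: int
    turnover_eur: float
    balance_sheet_eur: float
    # NIS2 Art. 2(2) size-independent category (DNS provider, ccTLD registry, managed ICT ...)
    size_independent_category: bool = False
    # Contractual cascade: an essential-entity client may pass NIS2 clauses down by contract
    ict_provider_to_essential_entity: bool = False


@dataclass
class Verdict:
    status: str        # IN_SCOPE / OUT_OF_SCOPE / GREY_ZONE
    entity_type: str   # "essential", "important" or "" when not in scope
    reason: str


def meets_size_threshold(e: Entity) -> bool:
    """Question 2: one condition is enough."""
    return (e.headcount >= HEADCOUNT_THRESHOLD
            or e.turnover_eur >= FINANCIAL_THRESHOLD_EUR
            or e.balance_sheet_eur >= FINANCIAL_THRESHOLD_EUR)


def classify(e: Entity) -> Verdict:
    """Walk the three questions from the page in order."""
    # Question 1: sector
    if e.annex is Annex.NONE:
        if e.ict_provider_to_essential_entity:
            return Verdict(GREY_ZONE, "", "not in an Annex I/II sector, but an essential-entity "
                           "client may impose NIS2 requirements by contract")
        return Verdict(OUT_OF_SCOPE, "", "not in an Annex I/II sector")
    entity_type = "essential" if e.annex is Annex.I else "important"
    # Question 2: size
    if meets_size_threshold(e):
        return Verdict(IN_SCOPE, entity_type, "Annex sector and size threshold met; register by 3.10.2026")
    # Question 3: size-independent exceptions
    if e.size_independent_category:
        return Verdict(IN_SCOPE, entity_type, "below size threshold, but an Art. 2(2) "
                       "size-independent category applies")
    return Verdict(OUT_OF_SCOPE, "", "Annex sector, but below both size thresholds and no Art. 2(2) exception")


if __name__ == "__main__":
    # Constructed sample entities mirroring the verticals discussed on the page
    samples = [
        Entity("three-chair dental clinic", Annex.I, 6, 400_000, 250_000),
        Entity("bookkeeping firm serving a hospital's ERP", Annex.NONE, 14, 900_000, 300_000,
               ict_provider_to_essential_entity=True),
        Entity("public hospital", Annex.I, 800, 60_000_000, 90_000_000),
        Entity("medical-device manufacturer", Annex.II, 40, 12_000_000, 5_000_000),
    ]
    for s in samples:
        v = classify(s)
        print(f"{s.name:45} -> {v.status:12} {v.entity_type:10} {v.reason}")
```

The manufacturer case shows why both size tests must be evaluated: 40 staff is below the headcount line, but EUR 12M turnover alone puts it in scope as an important entity.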

3. Obligations if you are in scope

Deadline 1: 3 October 2026 - registration

The registration procedure is run by the Polish Ministry of Digital Affairs. The submission includes: identification (KRS or REGON number, NIP), Annex I or II sector (directive category), firm size (headcount + turnover), and a cybersecurity contact person. Upon filing, the entity receives formal status (essential or important) and the obligations of Chapter 3 of UKSC.

Sanction for non-registration: administrative fine of up to EUR 10 million (where the obligation applied to an essential entity).

Deadline 2: 3 April 2027 - full Article 21 compliance

NIS2 Article 21(2) (and corresponding UKSC Chapter 3 provisions) requires 10 risk management measures:

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity - backup, disaster recovery, crisis management
  4. Supply chain security, including security aspects of supplier relationships
  5. Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures on the use of cryptography and, where appropriate, encryption
  9. Human resource security, access control policies and asset management
  10. Multi-factor authentication (MFA) or continuous authentication solutions, secured voice/video/text communications and secured emergency communication systems

Operational minimum for an in-scope 10-person Polish firm (rare but real): written risk analysis policy, MFA on critical accounts, at-rest and in-transit encryption, tested 3-2-1 backup, cyber clauses with ICT suppliers, training policy for staff and board, incident reporting procedure. Most elements overlap with GDPR Article 32 - see Section 4.

Deadline 3: 3 April 2028 - first audit

Only essential entities face the first mandatory audit in 2028. The audit must be performed by an independent auditor (law firm, specialist compliance firm). CyberCerber does not provide formal compliance audits - we supply the technical evidence layer (vulnerability assessment, CVSS report, evidence of measure testing) that an auditor uses to evaluate Article 21(2)(d) effectiveness.

Incident reporting (from 3.10.2026 for registered entities)

NIS2 Article 23 introduces a three-stage reporting procedure for significant incidents to CSIRT NASK:

  • 24 hours - early warning with a brief description
  • 72 hours - full notification with assessment of actions taken
  • 30 days - final report with root cause analysis and lessons

The reporting system is operated at cert.pl. The entity’s internal procedure must be documented in the security policy.

4. How GDPR and NIS2 overlap

The most common compliance officer question: “I implemented GDPR. Am I NIS2-compliant?” The answer: partially. Technical measures overlap 70-80%, but procedural and reporting obligations are independent.

Requirement      | GDPR Article 32                                                        | NIS2 Article 21
-----------------|------------------------------------------------------------------------|------------------------------------------------
MFA              | “Appropriate” - UODO interprets as mandatory for special-category data | Explicitly required (measure 10)
Encryption       | Listed as example (Art. 32(1))                                         | Explicitly required (measure 8)
Backup           | Implicit (“restoration capability”, Art. 32(1)(c))                     | Explicitly required (measure 3)
Patch management | Implicit (“regular testing of effectiveness”)                          | Explicitly required (measure 5)
Risk management  | Implicit                                                               | Explicit (measure 1)
Breach reporting | UODO within 72h (Art. 33)                                              | CSIRT NASK 24h/72h/30 days (Art. 23)
Audit            | “Regular testing of effectiveness”                                     | First mandatory 3.04.2028 for essential entities
Training         | Implicit (“staff awareness”)                                           | Explicit - Art. 20 (board) + Art. 21 (staff)
Supply chain     | Art. 28 (DPA for processors)                                           | Art. 21(2)(d) (broader, every ICT supplier)
Threshold        | Every controller                                                       | ≥50 staff / ≥EUR 10M + sector

One incident, two obligations: ransomware with personal data leakage in a registered essential entity triggers dual reporting: UODO within 72h (GDPR Art. 33) and CSIRT NASK 24h/72h/30 days (NIS2 Art. 23). Internal procedures should be synchronized - one incident, two different forms, two different recipients.
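The dual clock is easy to get wrong during an incident, so the following added example (not code from the page or from CyberCerber) builds the combined notification calendar from the deadlines quoted in this section and in the Article 23 procedure above: 24h/72h/30 days to CSIRT NASK for a registered entity's significant incident, and 72h to UODO when personal data is involved. The function names, the input flags and the sample timestamps are constructed; the example starts the clock at the moment of detection, which is an assumption, and the exact legal trigger wording is for counsel to confirm.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Notification:
    recipient: str
    stage: str
    basis: str
    due: datetime
    hours_after_detection: float


# Deadlines as quoted on the page. Clock start: moment of detection (assumption for this example).
NIS2_STAGES = (
    (timedelta(hours=24), "early warning"),
    (timedelta(hours=72), "full notification"),
    (timedelta(days=30), "final report"),
)
GDPR_ART33 = timedelta(hours=72)


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def reporting_schedule(detected_at, nis2_registered: bool, significant: bool,
                       personal_data_breach: bool) -> List[Notification]:
    """Build one sorted calendar covering both regulators for a single incident."""
    if isinstance(detected_at, str):
        detected_at = datetime.fromisoformat(detected_at)
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must carry a timezone; the deadlines are clock-exact")
    due: List[Notification] = []
    # NIS2 Art. 23 applies only to a registered entity reporting a significant incident
    if nis2_registered and significant:
        for delta, stage in NIS2_STAGES:
            due.append(Notification("CSIRT NASK", stage, "NIS2 Art. 23",
                                    detected_at + delta, _hours(delta)))
    # GDPR Art. 33 applies to every controller whose personal data is affected
    if personal_data_breach:
        due.append(Notification("UODO", "breach notification", "GDPR Art. 33",
                                detected_at + GDPR_ART33, _hours(GDPR_ART33)))
    # Two recipients share the 72h mark: order by time, then recipient, so neither is lost
    return sorted(due, key=lambda n: (n.due, n.recipient))


def next_due(schedule: List[Notification], now) -> Optional[Notification]:
    """First notification whose deadline has not yet passed, or None when all are due."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return next((n for n in schedule if n.due > now), None)


if __name__ == "__main__":
    # Constructed scenario: ransomware with personal-data exfiltration at a registered essential entity
    calendar = reporting_schedule("2026-11-02T09:30:00+00:00",
                                  nis2_registered=True, significant=True, personal_data_breach=True)
    for n in calendar:
        print(f"{n.due.isoformat()}  +{n.hours_after_detection:>5.0f}h  {n.recipient:10} {n.stage:20} ({n.basis})")
    nxt = next_due(calendar, "2026-11-03T10:00:00+00:00")
    print("next:", nxt.recipient, nxt.stage)
```

Running the scenario above prints four entries, two of which fall at exactly +72h with different recipients and different forms; a procedure that tracks only the GDPR clock would silently miss the 24h early warning.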

5. Fines

GDPR

GDPR Article 83 sets two tiers: up to EUR 10M or 2% global turnover for lesser violations (e.g., Art. 8, 11, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39); up to EUR 20M or 4% turnover for fundamental processing principles violations (Art. 5, 6, 7, 9, 12-22, 44-49). UODO levied 13.7 million PLN in fines in 2023; Poland’s highest fine to date is 4.9 million PLN (Morele.net, 2019). Polish SMBs typically receive 5,000-50,000 PLN.

NIS2

Article 34 of the directive + Article 73 UKSC: essential entities - up to EUR 10M or 2% global turnover (whichever is higher); important entities - up to EUR 7M or 1.4% turnover.

Personal liability of management

NIS2 Article 20 introduces personal liability of management board members at essential and important entities for cyber risk management failures. Possible sanctions include temporary bans from managerial positions. This is the biggest change from NIS1 - the decision-maker can no longer hide behind “IT handles that”.

6. Practical minimum-compliance guides

Three per-vertical mini-checklists. Polish-language versions (more useful for the day-to-day reader) at:

Summary of the common technical baseline that satisfies most of NIS2 Article 21 for an in-scope SMB: written risk analysis policy, MFA on all critical accounts, full-disk encryption and TLS 1.3 in transit, tested 3-2-1 backup with immutable copy, cyber clauses in supplier contracts, annual external vulnerability assessment, documented training of board and staff, written incident reporting procedure.

7. How CyberCerber helps

CyberCerber delivers the technical evidence layer that NIS2 Article 21(2)(d) and GDPR Article 32 demand: external vulnerability assessment of internet-facing infrastructure, Polish-language report with CVSS priorities, remediation plan, evidence of regular effectiveness testing.

What CyberCerber does not provide: formal NIS2/GDPR compliance audits, legal opinions, representation before UODO or the Ministry of Digital Affairs, advice on scope determination. That layer comes from law firms, in-house DPOs and specialist compliance firms. CyberCerber is a technical evidence provider, not a legal interpreter.

Three products: PreScan (free diagnostic), CyberAudyt (full vulnerability assessment), and Pentest (for regulated entities) - see our pricing. Consultation through contact or free PreScan.
