Amendment to the National Cybersecurity System Act: New Obligations and Penalties
The Act implements the NIS 2 Directive, expanding the list of essential and important entities (including energy, health, transport, wastewater, and ICT service management sectors). It introduces new requirements for risk management, incident reporting (early warning within 24h, notification within 72h), and security audits. It also establishes a procedure for designating hardware or software suppliers as high-risk vendors and provides for significant financial penalties for non-compliance.
Key points
Expansion of the list of entities covered by the Act to include new sectors (e.g., wastewater, ICT service management, space) and categorization into essential and important entities.
Introduction of a three-stage reporting system for serious incidents: early warning (24h), incident notification (72h), and final report (one month).
Potential financial penalties: up to €10 million or 2% of turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities.
CSIRT NASK will create an online service allowing individuals to check if their data (e.g., PESEL, login, email) has been leaked due to an incident.
The minister competent for computerization may designate a hardware or software supplier as a high-risk vendor and order the withdrawal of that supplier's products within a period of up to 7 years (or 4 years for critical functions).
Vote of 2026-01-23: For 407, Against 10, Abstain 17
Additional Information
Print number: 10_1955
Process start date: 2025-11-17
Voting date: 2026-01-23
Meeting no: 50
Voting no: 40