A Warsaw-based fintech company suffers a ransomware attack at 2 a.m. on a Tuesday. By morning, the operations team has contained the breach. The legal team faces a different question: to whom must this be reported, within how many hours, and what happens if the notification arrives late? The answer depends on which regulatory regime – or regimes – apply to that entity.
Polish entities face cyber incident reporting obligations under at least three parallel legal frameworks: the Act on the National Cybersecurity System (ustawa o krajowym systemie cyberbezpieczeństwa, KSC Act), the General Data Protection Regulation (GDPR), and, for financial sector participants, the Digital Operational Resilience Act (DORA). Each framework sets its own notification deadline, its own recipient authority, and its own penalty for non-compliance. The KSC Act imposes a 24-hour initial notification window for operators of essential services; GDPR requires personal data breach notification to the Personal Data Protection Office (UODO) within 72 hours of the controller becoming aware of the breach; DORA requires an initial notification to the Polish Financial Supervision Authority (KNF) within 4 hours of classifying an incident as major, and in any event no later than 24 hours after the entity became aware of it. Missing any of these windows does not merely invite a fine: it forfeits the entity's ability to shape the regulator's initial narrative of the event.
This analysis maps the doctrinal structure of each obligation, identifies where the regimes overlap and conflict, and offers a strategic framework for managing multi-regime notifications. It then examines the cross-border dimension for entities with operations outside Poland, and closes with a practical outlook on forthcoming changes to Polish cybersecurity law.
What is the doctrinal structure of Polish cybersecurity reporting law?
Polish cybersecurity law rests on three statutory pillars. The KSC Act, which implements the original EU Network and Information Security (NIS) Directive, applies to operators of essential services (OES) and digital service providers (DSP). The forthcoming NIS2 implementation will substantially expand that scope. GDPR operates as directly applicable EU law, enforced in Poland by UODO. DORA, applicable from 17 January 2025, applies to financial entities supervised by the KNF and the Bank Guarantee Fund (Bankowy Fundusz Gwarancyjny, BFG).
The KSC Act creates a tiered notification architecture. An OES must report a serious incident (incydent poważny) to the CSIRT competent for it: CSIRT GOV, operated by the Internal Security Agency (Agencja Bezpieczeństwa Wewnętrznego, ABW), CSIRT MON for defence-sector entities, or CSIRT NASK for the remaining sectors. The report is due without undue delay and no later than 24 hours from detection. A follow-up report is due within 72 hours, and a final post-incident report within 30 days. Each report has prescribed content requirements. The statute counts the 24 hours from detection of the incident. Because an incident can only be recognised as serious once its impact has been measured against the sectoral thresholds, practitioners argue that the clock effectively starts at the moment of that determination and use the gap to prepare the filing. Regulators scrutinise that argument closely: an entity that cannot show a prompt, documented threshold assessment should expect to be measured from first detection.
What qualifies as "serious"? The KSC Act defines seriousness by reference to thresholds set in the implementing regulation on incident thresholds, which vary by sector: for energy, the threshold relates to the number of affected users; for banking, it ties to transaction volumes; for digital infrastructure, it links to service availability. Entities that have not mapped their thresholds in advance will struggle to make this determination under pressure. That mapping exercise, typically two to four weeks of internal work, is the first deliverable in any cybersecurity compliance programme.
- CSIRT GOV: competent for public administration and critical infrastructure sectors
- CSIRT NASK: competent for digital service providers and most commercial OES
- CSIRT MON: competent for defence and military entities
- UODO: recipient of GDPR personal data breach notifications
- KNF / BFG: recipients of DORA major incident reports for financial entities
One doctrinal tension deserves attention. The KSC Act's definition of "incident" is broader than GDPR's definition of "personal data breach." A ransomware attack that encrypts operational data but touches no personal data triggers KSC Act obligations but not GDPR notification. The caveat is that GDPR's definition covers loss of availability as well as disclosure: if the encrypted data includes personal data, the attack is a personal data breach even without exfiltration, and the 72-hour clock is running. Conversely, a credential-stuffing attack that compromises customer accounts may require GDPR notification even if it does not meet the KSC Act threshold. Entities that treat these as interchangeable categories will misfile, or miss, at least one notification.
How do GDPR and DORA reporting obligations interact with KSC Act requirements?
GDPR personal data breach notification to UODO is mandatory within 72 hours of the controller becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. That risk assessment is the controller's responsibility. Getting it wrong in either direction carries consequences: over-notifying creates regulatory noise; under-notifying forfeits the 72-hour window and exposes the controller to a fine. Failure to notify falls in the lower of GDPR's two penalty tiers (Article 83(4)): up to 10 million EUR or 2% of worldwide annual turnover, whichever is higher. The upper tier of 20 million EUR or 4% (Article 83(5)) applies to infringements of the basic processing principles, data subject rights and transfer rules, which the same incident may also engage, for example where special-category data was processed without an adequate legal basis or security.
We secured a reversal of a UODO enforcement decision for a technology client in the Mazowieckie region (autumn 2025), where the regulator had classified a pseudonymised data exposure as a notifiable breach. The key argument was that re-identification risk was negligible given the encryption standard applied. The case illustrates that the risk assessment is not a formality – it is a legal determination with enforcement consequences.
DORA introduces a separate three-tier notification structure for financial entities. An initial notification must reach the KNF within 4 hours of the entity classifying an incident as "major" under DORA's classification criteria, and no later than 24 hours after the entity became aware of the incident; the classification itself has to be completed within that same 24-hour window. An intermediate report follows within 72 hours of the initial notification, even if the situation has not changed. A final report is due within one month of the intermediate report. DORA's classification criteria differ from both KSC Act thresholds and GDPR risk assessments. An entity that is simultaneously an OES under the KSC Act, a controller under GDPR, and a financial entity under DORA may face three parallel notification tracks, each with different deadlines, different content requirements, and different recipient authorities.
The practical solution is a unified incident classification matrix: a single internal document that maps each incident type to its applicable regimes, the trigger that starts each clock (detection, awareness, or classification), and the resulting deadlines. That matrix should be tested through tabletop exercises at least twice per year. Entities that have not built this tool before an incident occurs will spend the first critical hours determining which form to file rather than managing the incident itself. That delay eats directly into the 24-hour KSC Act window and the 4-hour DORA window.
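The classification matrix above is usually a spreadsheet; the added example below (not from the original article or the firm) expresses it as executable logic so that one set of incident facts yields every filing that is due, its recipient and its deadline, and so that it can be tested in a tabletop exercise. The deadline rules are assumptions taken from this article's description of the three regimes, the CSIRT name and the "one month equals 30 days" simplification are assumptions, and the scenarios are constructed. Whether the sectoral threshold or the DORA materiality criteria are met remains an input the entity must have mapped beforehand.

```python
"""Multi-regime notification clock. Added example, not part of the original article.

Encodes the triggers and deadlines the article describes for the KSC Act, GDPR and
DORA. The rules are assumptions taken from that description, not a statement of law;
the threshold decisions are inputs the entity must have mapped in advance.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Incident:
    detected_at: datetime            # first technical detection (KSC Act clock)
    aware_at: datetime               # entity "aware" of the incident (GDPR and DORA clocks)
    personal_data_affected: bool     # includes loss of availability of personal data
    risk_to_data_subjects: bool      # outcome of the controller's risk assessment
    is_oes: bool
    meets_ksc_threshold: bool        # checked against the pre-mapped sectoral threshold
    is_financial_entity: bool
    dora_major: bool                 # outcome of DORA classification
    dora_classified_at: Optional[datetime] = None


@dataclass
class Notification:
    regime: str
    recipient: str
    stage: str
    due: datetime


def ksc_notifications(inc: Incident, csirt: str = "CSIRT NASK") -> List[Notification]:
    """KSC Act: serious incident report, 24 h counted from detection."""
    if not (inc.is_oes and inc.meets_ksc_threshold):
        return []
    return [Notification("KSC Act", csirt, "serious incident report",
                         inc.detected_at + timedelta(hours=24))]


def gdpr_notifications(inc: Incident) -> List[Notification]:
    """GDPR art. 33: 72 h from awareness unless the breach is unlikely to result
    in a risk; a no-risk conclusion is still documented internally (art. 33(5))."""
    if not inc.personal_data_affected:
        return []
    due = inc.aware_at + timedelta(hours=72)
    if not inc.risk_to_data_subjects:
        return [Notification("GDPR", "internal breach register",
                             "documented no-risk assessment", due)]
    return [Notification("GDPR", "UODO", "art. 33 breach notification", due)]


def dora_notifications(inc: Incident) -> List[Notification]:
    """DORA major incident: initial within 4 h of classification and no later than
    24 h from awareness; intermediate 72 h after the initial; final one month after
    the intermediate (one month approximated as 30 days here, an assumption)."""
    if not (inc.is_financial_entity and inc.dora_major):
        return []
    classified = inc.dora_classified_at or inc.aware_at
    initial = min(classified + timedelta(hours=4), inc.aware_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    final = intermediate + timedelta(days=30)
    return [Notification("DORA", "KNF", "initial notification", initial),
            Notification("DORA", "KNF", "intermediate report", intermediate),
            Notification("DORA", "KNF", "final report", final)]


def notification_plan(inc: Incident, csirt: str = "CSIRT NASK") -> List[Notification]:
    """Every notification the incident triggers, earliest deadline first."""
    plan = ksc_notifications(inc, csirt) + gdpr_notifications(inc) + dora_notifications(inc)
    return sorted(plan, key=lambda n: n.due)


def regimes_triggered(inc: Incident) -> List[str]:
    """Distinct regimes requiring an external filing, in order of first deadline."""
    seen: List[str] = []
    for n in notification_plan(inc):
        if n.recipient.startswith("internal") or n.regime in seen:
            continue
        seen.append(n.regime)
    return seen


def constructed_scenarios() -> Dict[str, Incident]:
    """Constructed sample incidents, all detected at 02:00 on Tuesday 4 March 2025."""
    t0 = datetime(2025, 3, 4, 2, 0)
    return {
        # Article's opening case: fintech, personal data exposed, OES threshold met,
        # classified DORA-major six hours after becoming aware.
        "fintech": Incident(t0, t0, True, True, True, True, True, True,
                            dora_classified_at=t0 + timedelta(hours=6)),
        # Ransomware on operational data only: KSC Act, no GDPR filing.
        "ransomware_no_personal_data": Incident(t0, t0, False, False, True, True, False, False),
        # Credential stuffing on customer accounts: GDPR, below the KSC threshold.
        "credential_stuffing": Incident(t0, t0, True, True, True, False, False, False),
    }


if __name__ == "__main__":
    for name, inc in constructed_scenarios().items():
        print(f"== {name}: {regimes_triggered(inc)}")
        for n in notification_plan(inc):
            print(f"  {n.due:%Y-%m-%d %H:%M}  {n.regime:<8} {n.recipient:<24} {n.stage}")
```

In the fintech scenario the first external deadline is the DORA initial notification at 12:00 the same day (classification at 08:00 plus 4 hours), ahead of the KSC Act report at 02:00 the next day and the UODO notification at 02:00 on Friday; the order of the three clocks, not just their lengths, is what the matrix has to capture.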
For a deeper analysis of UODO enforcement trends that inform how the regulator approaches late notifications, see our review at GDPR fines in Poland – UODO enforcement trends.
What penalties apply for non-compliance with cyber incident reporting obligations?
Penalties under the three frameworks are not merely financial. They operate across different dimensions – administrative, reputational, and operational – and their cumulative effect can be more damaging than any single fine. Understanding the penalty structure in advance is the only way to calibrate the proportionate compliance investment.
Under the KSC Act, the sectoral supervisory authority can impose fines on an OES for failure to report a serious incident within the prescribed timeframe. Fines for a single missing or late report are modest by GDPR standards; the statutory cap of up to PLN 1 million is reserved for persistent breaches of the Act's obligations that create a direct and serious threat to cybersecurity. The supervisory authority can also order the removal of irregularities identified in an inspection, and a finding of non-compliance has consequences for regulated contracts and public procurement eligibility. The KSC Act also provides for a personal fine on the manager of the OES, capped by reference to that person's remuneration, where the manager failed to exercise due diligence in meeting the Act's obligations.
GDPR penalties are set at EU level and enforced by UODO. For notification failures, UODO has imposed fines in the range of PLN 100,000 to PLN 2 million in documented Polish cases, though the theoretical maximum is substantially higher. UODO's enforcement pattern, reviewed in detail in our linked analysis, shows a preference for proportionate sanctions calibrated to the entity's size and the severity of the breach. However, repeated failures or failures combined with inadequate security measures attract the higher end of the range.
DORA penalties for financial entities are enforced by the KNF. Under the Polish financial sector legislation implementing DORA, the KNF can impose fines up to PLN 20 million on regulated financial institutions for material DORA compliance failures, including notification delays. The KNF can also impose personal liability on management board members, up to PLN 2 million per individual, where the failure is attributable to inadequate governance. That personal liability dimension is an order of magnitude larger than the manager fines available under the KSC Act and makes DORA the highest-stakes framework for financial sector executives.
One frequently overlooked consequence: late notification forfeits the entity's ability to frame the incident narrative. Regulators who learn of an incident from a third party – a data subject complaint, a press report, or a notification from another affected entity – approach the subsequent investigation with a presumption of concealment. That presumption is difficult and expensive to rebut. Early, complete notification, even when the facts are still developing, consistently produces better regulatory outcomes than delayed, polished notification.
How does the cross-border dimension affect Polish entities' reporting obligations?
For a German investor whose Polish subsidiary is an OES, the reporting chain runs through Polish CSIRTs and Polish sectoral supervisors – not through German authorities. The EU NIS2 framework, which Poland is in the process of implementing through a revised KSC Act, introduces a "home Member State" concept for cross-border digital service providers. But for entities with physical operations in Poland, Polish law applies to Polish-based operations regardless of where the parent is incorporated.
We obtained interim measures protecting operational continuity for a German manufacturing group's Polish subsidiary in Lower Silesia (spring 2026), in a situation where a cyber incident triggered simultaneous notification obligations in Poland, Germany, and under DORA. The key learning was that the Polish 24-hour KSC Act window ran independently of the German NIS2 transposition deadline, and the two notifications required different content and different legal characterisations of the same underlying event.
The NIS2 Directive, which EU Member States were required to transpose by 17 October 2024, introduces a 24-hour "early warning" obligation, followed by a full incident notification within 72 hours and a final report within one month, aligning the initial stages more closely with GDPR's 72-hour structure. Poland's NIS2 transposition has been delayed. The revised KSC Act bill, at the time of writing, has not been enacted. Entities should monitor the legislative process closely: once enacted, the new law will expand the scope of designation to cover additional sectors including manufacturing, food production, and waste management. Many entities that currently have no KSC Act obligations will acquire them.
Cross-border data transfers add a further layer. An entity that transfers personal data to a processor in Ukraine or another non-EEA jurisdiction must ensure that its incident notification procedures account for the applicable transfer mechanism. A breach affecting data processed under a standard contractual clauses arrangement may trigger notification obligations in both the exporting and importing jurisdiction. For the mechanics of lawful data transfers to Ukraine, see our guide at data transfer from Poland to Ukraine – legal mechanisms. Transfer pricing documentation for intra-group IT services – a common vector for cross-border incident complexity – is addressed in our analysis at transfer pricing safe harbours under Polish law.
One structural point for groups with Polish entities: the GDPR one-stop-shop mechanism does not apply to cybersecurity notification under the KSC Act. Even if a group has its EU data protection lead supervisory authority in another Member State, the KSC Act notification goes to Polish CSIRTs. These are legally distinct obligations with legally distinct recipients. Conflating them is a common error in multi-jurisdiction incident response plans.
What strategic approach should Polish entities adopt for incident response compliance?
The strategic question is not whether to comply – all three frameworks are mandatory – but how to build a compliance architecture that functions under the time pressure of a real incident. That architecture has three layers: documentation, governance, and testing.
Documentation means maintaining, in advance, the incident classification matrix described above, together with pre-drafted notification templates for each applicable regime. Templates should be reviewed by legal counsel and approved by the management board. They should identify the specific individual responsible for triggering each notification, with a named substitute. The notification obligation falls on the entity as a legal person, but each regime's notification form calls for a named contact person: the CSIRT, UODO and the KNF all expect one to be identified in the filing itself. Designating that person before an incident removes one avoidable delay from the 24-hour window.
Governance means ensuring that the management board receives regular reporting on cybersecurity posture and incident response readiness. DORA makes this explicit: financial entities must ensure that their management body approves the ICT risk management framework and receives incident reports. The KNF has indicated that it will assess management body engagement as part of DORA supervisory reviews. Boards that delegate cybersecurity entirely to the IT function, with no oversight of their own, face personal liability risk if a major incident occurs without adequate governance structures in place.
- Appoint a named notification officer for each applicable regime
- Maintain pre-drafted notification templates reviewed by legal counsel
- Build a unified incident classification matrix covering KSC Act, GDPR, and DORA
- Conduct tabletop exercises at least twice per year, including legal team participation
- Map sector-specific significance thresholds before an incident occurs
Testing means running tabletop exercises that include the legal team, not just the IT and security functions. A tabletop exercise that does not include a lawyer making a real-time notification decision does not test the actual compliance obligation. The exercise should simulate the information environment of a real incident: incomplete facts, competing internal priorities, and a countdown clock. Entities that have run this exercise once know what they do not know. That knowledge is the most valuable output of the exercise.
Finally, the AI Act Poland dimension: entities that provide or deploy high-risk AI systems, including in critical infrastructure, face additional incident reporting obligations under the EU AI Act, which entered into force in August 2024 and applies in phases from February 2025. A serious incident involving a high-risk AI system must be reported by the provider to the market surveillance authority of the Member State where it occurred, within 15 days of the provider becoming aware of it, shortened to 2 days where the incident involves a widespread infringement or critical infrastructure; a deployer that identifies a serious incident must inform the provider without delay. That obligation sits alongside, not instead of, KSC Act and GDPR notification. The compliance architecture must accommodate this additional layer as AI deployment in operational contexts expands.
Specific situations – particularly those involving simultaneous obligations under multiple frameworks – require individual legal assessment. Entities facing an active incident should seek legal advice immediately. A specific gap in your notification architecture can foreclose the ability to shape the regulatory outcome. To receive an expert assessment of your cyber incident reporting posture, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does every cyber incident require notification to UODO under GDPR?
A: No. Notification to UODO is required only where the breach is likely to result in a risk to the rights and freedoms of natural persons. Where the affected data was fully encrypted with a standard not subject to known vulnerabilities, and the encryption key was not compromised, the risk threshold may not be met. The controller must document this assessment regardless of the outcome. UODO has published guidance indicating that encrypted data breaches may fall below the notification threshold, but the burden of demonstrating that assessment rests with the controller. The 72-hour clock runs from the moment the controller becomes "aware" of the breach – a concept that includes the point at which the controller should have been aware had it maintained adequate monitoring.
Q: How long does the KSC Act compliance process take for a newly designated operator of essential services?
A: The designation process itself is initiated by the relevant sectoral supervisory authority and does not require application by the entity. Once designated, the entity has 3 months to implement the security measures prescribed by the KSC Act and to establish its incident reporting procedures. In practice, building a compliant incident response function – including classification matrix, notification templates, CSIRT registration, and staff training – takes four to six months for a mid-sized organisation. Entities that receive a designation notice should engage legal and technical advisors immediately, as the 3-month clock begins from the date of the designation decision.
Q: Is there a common misconception about DORA's relationship to existing Polish financial sector cybersecurity requirements?
A: Yes. Many financial entities assume that compliance with existing KNF cybersecurity guidelines – which predate DORA – satisfies DORA requirements. This is incorrect. DORA is directly applicable EU regulation that sets its own ICT risk management framework, incident classification criteria, and notification content requirements. Existing KNF guidelines remain in force to the extent they do not conflict with DORA, but they do not substitute for DORA compliance. Entities that have not conducted a DORA gap assessment against their existing cybersecurity documentation should treat that assessment as urgent. The KNF began supervisory reviews of DORA compliance in the first quarter of 2025, and entities without documented ICT risk management frameworks have been the first to receive supervisory inquiries.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to cyber incident response, DORA compliance, GDPR enforcement, and AI Act obligations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating multi-regime cybersecurity obligations. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.