A Warsaw-based fintech company suffers a ransomware attack on a Tuesday morning. By noon, senior management wants to know: who must be notified, within how many hours, and under which legal regime? The answers depend on at least three overlapping frameworks – the national cybersecurity act, the EU's NIS2 Directive, and the General Data Protection Regulation. Getting the sequence wrong does not merely invite a fine. It can forfeit the company's ability to invoke regulatory safe harbours and expose board members to personal liability.

Polish entities subject to cybersecurity law must report significant incidents to the Computer Security Incident Response Team (CSIRT) at the national level – CSIRT GOV, CSIRT NASK, or CSIRT MON, depending on sector – within 24 hours of detection for an early warning, and within 72 hours for a full notification. Where the incident also constitutes a personal data breach, a parallel report to the President of the Personal Data Protection Office (UODO) is mandatory within 72 hours. Failure to file in time precludes the operator from relying on the "reasonable measures" defence in enforcement proceedings.

This analysis proceeds in five parts. First, it maps the applicable legal frameworks and the entities they cover. Second, it examines the incident classification triggers and timelines. Third, it addresses the cross-border dimension – where Polish subsidiaries of foreign groups face dual or triple reporting chains. Fourth, it sets out a practical response strategy. Fifth, it looks at the enforcement outlook as NIS2 transposition beds down and DORA compliance obligations activate for the financial sector.

Which legal frameworks govern cyber incident reporting in Poland?

Poland's primary cybersecurity statute is the Ustawa o krajowym systemie cyberbezpieczeństwa (Act on the National Cybersecurity System, KSC Act), which transposed the original NIS Directive. The KSC Act was amended in 2023 to begin alignment with NIS2, though full transposition remains in progress as of early 2026. Operators of essential services (OES) and digital service providers (DSPs) registered in Poland report to one of three national CSIRTs: CSIRT GOV (government administration), CSIRT NASK (other entities, including most commercial operators), or CSIRT MON (defence sector). The National Court Register (KRS) classification of your entity's business activity is a practical starting point for determining which CSIRT receives your report.

Alongside the KSC Act, the GDPR – implemented in Poland through the Ustawa o ochronie danych osobowych (Personal Data Protection Act) – imposes a separate 72-hour notification window to UODO whenever a breach is likely to result in risk to individuals' rights and freedoms. These two clocks can run simultaneously. A ransomware attack that encrypts personal data triggers both regimes from the moment the controller becomes aware of the breach. Awareness, not the moment of the attack itself, starts the clock – a distinction the Polish Financial Supervision Authority (KNF) has consistently emphasised in its supervisory guidance for the financial sector.

The financial sector adds a third layer. The EU's Digital Operational Resilience Act (DORA) became directly applicable in January 2025. DORA compliance obligations now require banks, investment firms, payment institutions, and insurance undertakings authorised in Poland to report major ICT-related incidents to KNF as their competent authority, with an initial notification within 4 hours of classification and a final report within one month. DORA does not replace the KSC Act or GDPR obligations – it sits on top of them. Entities in scope must therefore manage three parallel notification tracks after a single incident.

  • KSC Act: CSIRT NASK or CSIRT GOV within 24 h (early warning) / 72 h (full report)
  • GDPR / UODO: 72 h from awareness of personal data breach
  • DORA / KNF: 4 h initial notification for major ICT incidents (financial entities only)
  • Sector-specific rules: energy, healthcare, and transport operators face additional URE, NFZ, or UTK requirements

The interaction between these regimes is not merely additive. A notification sent to CSIRT NASK under the KSC Act does not satisfy the GDPR obligation to notify UODO, even if the factual content is identical. Each supervisory body requires a submission in its own format, referencing its own legal basis. Treating one filing as sufficient for all is among the most common – and most costly – errors we see in post-incident reviews.

What triggers a reporting obligation, and how are incidents classified?

Under the KSC Act, a "significant incident" is any incident that has a substantial impact on the continuity of essential services or digital services. The statute provides indicative criteria: the number of users affected, the duration of the disruption, the geographic spread, and the degree to which the service is critical to economic or social life. Operators are expected to maintain internal classification methodologies that map these criteria to concrete thresholds. Regulators have indicated that thresholds should be documented in advance – not determined ad hoc after an incident occurs.

DORA introduces a more granular classification matrix. A major ICT-related incident under DORA is one that meets at least one of several criteria: it affects more than 10% of the entity's clients, causes a service disruption exceeding 2 hours, results in data loss exceeding defined thresholds, or triggers reputational damage requiring a public statement. The 4-hour initial notification clock starts from the moment the entity classifies the incident as "major" – not from detection. This distinction is operationally significant. An entity that delays classification to gather more information does not pause the clock; it merely shifts the risk of a late filing onto itself.

For GDPR purposes, the trigger is lower: any personal data breach likely to result in risk to natural persons must be reported to UODO within 72 hours. Breaches posing a high risk must also be communicated directly to affected individuals without undue delay. The Polish data protection authority has, in its enforcement practice, treated encrypted data as a breach even where the encryption key was not compromised – on the basis that availability of data to the controller was temporarily lost. This interpretation raises the threshold for claiming that an incident is non-reportable.

We secured a reversal of a regulatory penalty exceeding PLN 800,000 for a technology client in the Mazowieckie region (autumn 2025) where UODO had imposed a fine on the basis that the entity failed to report a breach within 72 hours. The key argument was that the entity had not "become aware" of the breach within the meaning of the GDPR until forensic analysis confirmed the scope of data exposure – not at the moment it detected anomalous network activity. The distinction between detection and awareness is a live doctrinal issue and one that enforcement practice has not yet fully resolved.

How does the cross-border dimension affect Polish entities in multinational groups?

For a German investor whose Polish subsidiary qualifies as an operator of essential services, the reporting chain is more complex than it first appears. The Polish subsidiary must report to CSIRT NASK as a Polish-law obligation. If the parent group is also subject to NIS2 in Germany, a parallel notification may be required to the German BSI. Where the group processes personal data under a single GDPR controller structure, the lead supervisory authority under the one-stop-shop mechanism may not be UODO at all – it could be a German or Dutch DPA, depending on where the group's main establishment is located. Yet UODO retains jurisdiction over processing activities conducted by the Polish entity, creating the risk of duplicate filings or conflicting instructions from two supervisory bodies.

DORA addresses this partially. For financial groups with a Polish subsidiary and an EU parent, the parent's competent authority coordinates with KNF under the Joint Examination Team framework. However, DORA's coordination mechanism applies only to ICT-related incidents, not to broader cybersecurity or data protection notifications. A group compliance team that routes all incident notifications through a single "DORA channel" will systematically miss the KSC Act and GDPR obligations applicable at Polish entity level.

IP-intensive businesses face an additional dimension. A cyber incident that results in exfiltration of trade secrets, source code, or registered design data may trigger obligations under the EU Trade Secrets Directive as well as Polish unfair competition law. Reporting the incident to regulators can itself create evidentiary records useful in subsequent IP litigation – or, if poorly drafted, admissions that undermine the company's legal position. For technology companies operating in Poland, our analysis of IP protection strategy for Ukraine tech companies in Poland sets out how incident documentation interacts with IP ownership structures in cross-border technology transfers.

Our team obtained interim measures protecting assets worth over EUR 3m for a Swiss software group's Polish subsidiary in Lower Silesia (spring 2026) following a supply-chain attack that exfiltrated proprietary algorithms. Early coordination between the cybersecurity notification team and the IP litigation team prevented the regulatory filing from being used against the client in parallel civil proceedings. Coordination of this kind requires both tracks to proceed simultaneously – not sequentially.

The structural question for multinational groups is therefore: who owns the incident response protocol? A protocol owned solely by the group's German or UK compliance function will not account for Polish-law deadlines, Polish supervisory body formats, or the interaction between KSC Act and GDPR obligations at entity level. Polish law requires the designated cybersecurity officer at the OES level to be identifiable by name in the entity's internal documentation – a requirement that group-level structures often overlook. For investors structuring their Polish operations, the joint venture framework under Polish corporate law contains guidance on how governance obligations – including regulatory compliance responsibilities – are allocated between JV partners.

To receive an expert assessment of your group's cross-border incident notification structure, contact info@kordeckipartners.com.

What is the practical incident response strategy for Polish operators?

The first 4 hours after detection are the most consequential. They determine whether an entity meets the DORA initial notification window, whether the GDPR 72-hour clock is correctly started, and whether the KSC Act early warning is filed on time. Entities that treat incident response as a purely technical exercise – escalating to legal counsel only after the technical team has completed its analysis – routinely miss the early warning deadline. The KSC Act does not require certainty about the scope of an incident before filing an early warning. It requires filing as soon as the operator has reasonable grounds to believe a significant incident may have occurred.

A practical response protocol should include the following elements:

  • A pre-mapped notification matrix identifying applicable regimes, deadlines, and responsible persons for each incident type
  • Pre-drafted notification templates for CSIRT NASK, UODO, and KNF (where DORA applies), reviewed by legal counsel and updated at least annually
  • An internal classification procedure with documented thresholds, approved at board level
  • A legal hold protocol triggered simultaneously with technical containment measures
  • A communications protocol governing what can be said to regulators, insurers, clients, and the press – in that order
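As an added illustration, not part of the firm's own material, the following Python sketch encodes the notification matrix described above: each regime produces its own filing with its own clock start (detection for the KSC Act, awareness for the GDPR, classification for DORA), so that no single submission is mistaken for discharging the others. The field names, the sample incident and the conservative fallback of treating detection as awareness where awareness is not separately documented are the author's assumptions, not statutory text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Incident:
    """Facts that drive the notification matrix (hypothetical field names)."""
    detected_at: datetime                          # anomalous activity first detected (KSC Act clock)
    aware_at: Optional[datetime] = None            # controller became aware of the personal data breach (GDPR clock)
    classified_major_at: Optional[datetime] = None # moment the entity classified the incident as "major" (DORA clock)
    significant_ksc: bool = False                  # meets the entity's documented KSC Act thresholds
    personal_data: bool = False                    # personal data affected
    financial_entity: bool = False                 # entity in scope of DORA
    csirt: str = "CSIRT NASK"                      # sector-dependent: CSIRT NASK / CSIRT GOV / CSIRT MON


@dataclass
class Filing:
    regime: str
    recipient: str
    clock_start: str
    deadline: datetime


def is_dora_major(clients_affected_pct: float, disruption_hours: float,
                  data_loss_over_threshold: bool, public_statement_needed: bool) -> bool:
    """Any one of the DORA criteria named in the text is enough to classify the incident as major."""
    return (clients_affected_pct > 10 or disruption_hours > 2
            or data_loss_over_threshold or public_statement_needed)


def notification_matrix(inc: Incident) -> List[Filing]:
    """One Filing per regime, ordered by deadline. A filing to one body never discharges another."""
    filings: List[Filing] = []
    if inc.significant_ksc:
        filings.append(Filing("KSC Act early warning", inc.csirt, "detection",
                              inc.detected_at + timedelta(hours=24)))
        filings.append(Filing("KSC Act full report", inc.csirt, "detection",
                              inc.detected_at + timedelta(hours=72)))
    if inc.personal_data:
        # Assumption: if awareness is not separately documented, treat detection as awareness.
        start = inc.aware_at or inc.detected_at
        filings.append(Filing("GDPR breach notification", "UODO", "awareness",
                              start + timedelta(hours=72)))
    if inc.financial_entity and inc.classified_major_at is not None:
        filings.append(Filing("DORA initial notification", "KNF", "classification",
                              inc.classified_major_at + timedelta(hours=4)))
    return sorted(filings, key=lambda f: f.deadline)


def overdue(filings: List[Filing], now: datetime) -> List[str]:
    """Regimes whose deadline has already passed at `now`."""
    return [f.regime for f in filings if now > f.deadline]


if __name__ == "__main__":
    # Constructed sample: ransomware detected Tuesday 09:00 UTC, classified major at 10:15,
    # scope of personal data exposure confirmed at 11:30.
    t0 = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)
    inc = Incident(detected_at=t0, aware_at=t0 + timedelta(hours=2, minutes=30),
                   classified_major_at=t0 + timedelta(hours=1, minutes=15),
                   significant_ksc=True, personal_data=True, financial_entity=True)
    for f in notification_matrix(inc):
        print(f"{f.deadline:%Y-%m-%d %H:%M} UTC  {f.regime:<26} -> {f.recipient} (clock: {f.clock_start})")
```

Running the sample shows the DORA window closing on the afternoon of detection, well before the KSC Act early warning falls due, and the GDPR deadline landing later than the KSC Act full report because its clock started at awareness rather than detection.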

The legal hold point deserves emphasis. Once an incident is detected, documents – including internal communications about the incident – become potentially relevant to regulatory investigations and civil litigation. An instruction to delete logs or overwrite backup data, even if motivated by legitimate IT hygiene, can constitute obstruction. Board members who authorise such instructions without legal advice face personal liability under both the KSC Act enforcement regime and general corporate law obligations under the Kodeks spółek handlowych (Commercial Companies Code, KSH). Personal liability of this kind is irreversible once enforcement proceedings are opened.

The AI Act dimension in Poland is emerging but real. Entities deploying high-risk AI systems as defined under EU AI regulation may face additional incident documentation obligations where a cybersecurity incident affects the AI system's outputs or training data. While the AI Act's incident reporting provisions are not yet fully operational, operators in financial services, healthcare, and critical infrastructure should treat AI system incidents as presumptively within scope of their existing cybersecurity notification obligations – and document that assessment explicitly.

What does the enforcement outlook look like under NIS2 and DORA?

NIS2 transposition into Polish law is expected to be completed during 2026. The directive significantly expands the scope of entities subject to mandatory cybersecurity obligations, adding "important entities" – a new category below "essential entities" – and extending coverage to medium-sized enterprises in a broader range of sectors. The maximum administrative fine for essential entities under NIS2 is EUR 10 million or 2% of global annual turnover, whichever is higher. For important entities, the ceiling is EUR 7 million or 1.4% of global turnover. These figures represent a material increase over the current KSC Act penalty levels.

DORA enforcement is already active. KNF has published its supervisory expectations for ICT risk management frameworks and has indicated that incident reporting quality – not merely timeliness – will be assessed. A notification filed within 4 hours but lacking a meaningful root-cause analysis will be treated as deficient. Repeat deficiencies can result in KNF exercising its DORA supervisory powers, which include requiring the entity to implement specific remediation measures within a defined timeline and, ultimately, imposing administrative penalties of up to 1% of average daily global turnover for each day of non-compliance.

GDPR enforcement by UODO has become more consistent since 2023. The authority has moved away from issuing warnings and toward imposing fines in cases involving delayed notification, incomplete notification, or failure to notify at all. Warsaw IP practitioners have noted a pattern in UODO decisions: entities that self-report promptly and demonstrate a structured response receive materially lower penalties than those discovered through third-party complaints. Voluntary disclosure, properly managed, is a genuine mitigation factor – but only if the disclosure is timely and substantively complete.

The trademark and IP dimension of cyber enforcement is also developing. Where an incident results in the publication or misuse of registered trademarks, brand assets, or confidential technical information, the affected entity has potential claims under both unfair competition law and IP law that run parallel to the regulatory enforcement track. Coordinating these tracks from the outset – rather than treating the IP claim as a secondary matter after regulatory proceedings conclude – significantly improves recovery prospects. Our analysis of IP protection strategy for Switzerland tech companies in Poland addresses how IP asset registers interact with cyber incident documentation in cross-border technology disputes.

The enforcement trajectory is clear: supervisory bodies are moving toward higher penalties, broader scope, and greater scrutiny of notification quality. Entities that have not yet mapped their obligations across the KSC Act, GDPR, and DORA frameworks are not merely non-compliant today – they are forfeiting the ability to demonstrate good-faith compliance when the next incident occurs.

Specific situations require tailored analysis. If your entity operates in a sector newly in scope under NIS2, or if a recent incident has raised questions about the adequacy of your notification, contact info@kordeckipartners.com for a structured review of your obligations and response procedures.

Frequently asked questions

Q: Does every cybersecurity incident require notification to CSIRT NASK?

A: No. The KSC Act notification obligation is triggered only by "significant incidents" – those meeting the statutory criteria relating to continuity of essential services or digital services. Operators must maintain documented internal classification methodologies to determine whether a given incident crosses the threshold. However, the threshold for a GDPR notification to UODO is lower: any breach likely to result in risk to individuals must be reported within 72 hours of the controller becoming aware. An incident that does not qualify as "significant" under the KSC Act may still require a GDPR notification if personal data is involved. The two assessments must be made independently.

Q: How long does the full notification process take, and what does it cost to manage properly?

A: The formal notification process – early warning within 24 hours, full KSC Act report within 72 hours, GDPR notification within 72 hours – runs concurrently. In practice, a well-prepared entity with pre-drafted templates and a designated security officer can complete the initial filings within the required windows. The cost of managing a major incident properly, including legal counsel, forensic analysis, and regulatory liaison, typically ranges from PLN 50,000 to PLN 500,000 depending on complexity. This compares favourably with the penalty exposure under NIS2 (up to EUR 10 million) or DORA (up to 1% of daily global turnover per day of non-compliance).

Q: Is it a misconception that only large companies face cyber reporting obligations?

A: Yes – and it is a misconception with serious consequences. The original KSC Act applied primarily to large operators of essential services. NIS2 transposition, expected during 2026, will extend mandatory cybersecurity obligations to medium-sized enterprises across a significantly broader range of sectors, including digital infrastructure, postal services, food production, and manufacturing. Entities that assume they are outside scope should conduct a fresh assessment against the NIS2 entity classification criteria. A company that has not classified itself as an important or essential entity by the time transposition takes effect will have no grace period to implement the required incident reporting procedures.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to cybersecurity compliance, IP protection, and technology regulation. We advise on KSC Act and NIS2 obligations, DORA compliance, GDPR incident response, and AI Act readiness for Polish entities and multinational groups with Polish operations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.