A Warsaw-based software company suffers a ransomware attack on a Tuesday morning. Systems are down. Customer data may be compromised. The IT team is working the problem. But the legal clock is already running – and most management boards do not know it.

Polish entities subject to the Act on the National Cybersecurity System (ustawa o krajowym systemie cyberbezpieczeństwa, KSC Act) must report serious cyber incidents to the designated Computer Security Incident Response Team (CSIRT) within 24 hours of detection. Operators of essential services and digital service providers face the strictest obligations. Failure to report on time triggers administrative fines and, in some cases, personal liability of management board members.

This alert covers three things: what the current rules require, which entities fall within scope, and what your organisation should do in the next 30 days to avoid irreversible compliance failures.

What has changed in Polish cyber incident reporting rules?

The KSC Act, which implements the original EU Network and Information Security Directive into Polish law, has been in force since 2018. The regulatory environment shifted materially when the EU adopted NIS2, requiring Poland to update its national framework. Poland's implementing legislation – the amended KSC Act – extends the scope of entities covered and shortens practical response windows. The Polish Government Security Centre (Rządowe Centrum Bezpieczeństwa, RCB) coordinates the national framework alongside three sector-specific CSIRTs: CSIRT GOV, CSIRT MON, and CSIRT NASK.

The most significant change is the expanded definition of "essential entities." It now reaches medium and large enterprises in sectors including energy, transport, banking, health, water supply, digital infrastructure, and public administration. Previously, only designated "operators of essential services" faced mandatory reporting. Now the threshold drops to companies with 50 or more employees or annual turnover exceeding EUR 10 million in a covered sector.

Under the updated framework, entities must submit an early warning within 24 hours of becoming aware of a significant incident. A full incident notification follows within 72 hours. A final report is due within one month. These three deadlines run in sequence – missing the first forfeits the ability to manage the regulatory narrative from the outset.

  • Early warning: 24 hours from awareness
  • Incident notification: 72 hours from awareness
  • Final report: within one month of the incident

Which Polish entities are now in scope?

Scope is the first question every management board should answer. The KSC Act divides covered entities into two categories: essential entities and important entities. Essential entities face stricter supervision and higher fines. Important entities face lighter ex-post supervision but identical reporting timelines.

Essential entities include operators in energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important entities cover postal services, waste management, chemicals, food, manufacturing of medical devices, computers, motor vehicles, and digital providers. A company operating across multiple sectors must assess each line of business separately.

Foreign investors operating Polish subsidiaries should note that the obligation attaches to the Polish legal entity, not the group parent. A German holding company is not directly liable – but its Polish subsidiary is. (This distinction matters enormously when incident response protocols are designed at group level without Polish-law input.) We secured a compliance review and incident-response plan for a technology client in the Mazowieckie region (autumn 2025), identifying three reporting gaps that would have triggered fines exceeding PLN 100,000 per violation.

Polish GDPR obligations run in parallel. A cyber incident involving personal data triggers a separate 72-hour notification to the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO). Both clocks run simultaneously from the same moment of awareness. Entities subject to cross-border data transfer obligations face additional notification requirements in receiving jurisdictions.

What should your organisation do now?

Immediate action matters. The 24-hour early warning window leaves almost no time for legal review during an active incident. Preparation must happen before the attack, not during it. Three steps should be completed within 30 days.

First, confirm whether your entity falls within the KSC Act scope. The sector and size thresholds determine which CSIRT receives your reports. Misidentifying your CSIRT wastes critical hours. Second, draft or update your incident response procedure to include the three statutory reporting deadlines. The procedure should name a responsible individual – typically the Chief Information Security Officer or a designated board member – with authority to submit notifications without convening a full board meeting. Third, align your KSC Act procedure with your GDPR incident response plan. Running two parallel processes without integration creates contradictions that regulators notice.

DORA compliance obligations add a further layer for financial entities. Banks, payment institutions, and investment firms subject to the Digital Operational Resilience Act must meet EU-level ICT incident reporting requirements on top of KSC Act obligations. The timelines differ slightly, and the reporting channels are separate. For IP-intensive businesses, a cyber incident may also implicate IP protection strategy considerations – particularly where source code, trade secrets, or licensed technology is involved.

  • Confirm entity classification under the KSC Act within 14 days
  • Assign a named incident reporting officer
  • Integrate KSC Act and GDPR notification procedures
  • Map DORA obligations if your entity is a financial institution
  • Test the procedure with a tabletop exercise before June 2026

For entities subject to internal investigations following a cyber incident, the methodology for evidence preservation and regulatory disclosure must be coordinated from day one. Our guidance on internal investigations methodology for Polish companies addresses this intersection directly. We assisted a manufacturing client in Silesia (spring 2026) in managing simultaneous KSC Act, GDPR, and internal investigation obligations following a data exfiltration incident – avoiding fines that would have exceeded PLN 200,000.

The specific facts of your organisation's cyber exposure determine which obligations apply and in what sequence. Waiting until an incident occurs to map those obligations is the single most common – and most costly – mistake we see.

To receive an expert assessment of your organisation's cyber incident reporting obligations, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the KSC Act apply to small companies with fewer than 50 employees?

A: Generally, the essential and important entity thresholds require at least 50 employees or EUR 10 million in annual turnover. Smaller companies in covered sectors may still face obligations if they are specifically designated by the relevant supervisory authority. Designation can occur regardless of size where the entity provides a service considered critical to public safety or economic continuity.

Q: How much time does a company actually have to prepare a full incident report?

A: The final report is due within one month of the incident. However, the early warning must be submitted within 24 hours and the full notification within 72 hours. The one-month period is for a detailed post-incident analysis, not the initial disclosure. Treating the one-month deadline as the primary obligation is a common misconception that leads to regulatory sanctions.

Q: What fines apply for failing to report a cyber incident under Polish law?

A: Under the KSC Act framework, administrative fines for essential entities can reach PLN 10 million or a percentage of global annual turnover, whichever is higher. Important entities face lower maximum fines. Individual board members may also face personal liability where the failure to report results from negligent management of the company's cybersecurity obligations.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to technology law, AI Act compliance, DORA obligations, and cyber incident response. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.