A Polish logistics software provider with operations across three EU member states received a formal inquiry from the national supervisory authority in autumn 2025. The company had not registered under the new cybersecurity regime, had no incident-response procedure in place, and could not demonstrate that its management board had received mandatory cybersecurity training. The inquiry arrived with a 30-day deadline to respond.

Poland's NIS2 transposition legislation – the amended ustawa o krajowym systemie cyberbezpieczeństwa (Act on the National Cybersecurity System, KSC Act) – imposes binding obligations on a broad category of entities classified as essential or important. Qualifying companies must register with the competent supervisory authority, implement risk-proportionate technical and organisational security measures, and report significant incidents within 24 hours of detection. Failure to comply exposes management boards to personal liability and the entity itself to administrative fines reaching EUR 10 million or 2% of global annual turnover, whichever is higher.

This case study traces how our team helped the logistics software provider move from a position of non-compliance to a documented, auditable security programme within eight weeks. The lessons apply to any Polish company assessing its NIS2 exposure for the first time.

Background: how did the company end up inside the NIS2 perimeter without noticing?

The provider had grown quickly. It began as a domestic transport-management platform and expanded into freight-forwarding software for clients in Germany and Czechia. By summer 2025 its headcount exceeded 50 and annual turnover crossed EUR 10 million – the threshold that triggers classification as an "important entity" under the KSC Act. Management was unaware the threshold had been crossed. No one had mapped the company against the NIS2 sector annexes.

The KSC Act assigns supervisory responsibility to sector-specific authorities. For digital infrastructure and managed-service providers, the competent body is the Ministerstwo Cyfryzacji (Ministry of Digitalisation), acting through the Urząd Komunikacji Elektronicznej (Office of Electronic Communications, UKE). The Agencja Bezpieczeństwa Wewnętrznego (Internal Security Agency, ABW) retains oversight for entities with national security relevance. The company had received correspondence from UKE but had misclassified it as routine regulatory mail.

Three structural gaps drove the exposure. First, the company had no designated cybersecurity officer or equivalent function. Second, its incident log covered only IT helpdesk tickets – not security events. Third, board minutes showed no cybersecurity agenda item in the preceding 18 months. Each gap mapped directly onto a statutory obligation under the KSC Act.

What strategy did the legal team adopt?

Speed and sequencing mattered most. The 30-day UKE response window could not be extended. We structured the engagement in three parallel tracks: legal classification, gap remediation, and regulatory communication. Running them in sequence would have consumed the entire window. Running them simultaneously required clear ownership of each track from day one.

The first task was confirming entity classification. The KSC Act uses the NIS2 size thresholds – 50 employees or EUR 10 million turnover – but also sector annexes that list covered activities. Logistics software sits within the "digital services" annex only if the provider operates a digital marketplace, search engine, or cloud service. This company did not. It fell instead under "transport" as an ancillary digital provider to transport operators. That classification shifted the competent supervisory authority and altered the applicable incident-reporting timeline from 24 hours to 72 hours for the initial notification. The distinction was material.

We secured a compliance gap assessment for a logistics client in the Mazowieckie region (autumn 2025), identifying 11 remediable gaps and reducing the projected regulatory fine exposure from EUR 10 million to a formal warning. That outcome shaped the template applied here.

  • Confirm sector classification before contacting any supervisory authority
  • Identify the competent body – UKE, ABW, or sectoral regulator
  • Map existing controls against the KSC Act's six security-measure categories
  • Draft a remediation roadmap with board sign-off before the response deadline
  • Prepare a registration application and incident-reporting procedure simultaneously

How was the compliance programme built in eight weeks?

Week one focused on documentation. The KSC Act requires entities to maintain a written information security policy covering risk analysis, asset management, supply-chain security, access controls, and business continuity. The company had fragments of each in various IT procedures. Consolidating them into a single policy framework – reviewed by the board and formally adopted – was the foundational step. Board adoption is not optional: the statute places personal liability on individual management board members for failure to implement the required measures.

Incident response came next. The revised KSC Act tightened the reporting chain significantly. An entity must notify its sector-specific Computer Security Incident Response Team (CSIRT) within 24 hours of detecting a significant incident (or 72 hours for this company's classification). A full incident report follows within 72 hours. A final report closes the file within one month. Missing any of these deadlines independently triggers enforcement, even if the underlying incident was handled well technically.

Supply-chain security proved the most time-consuming element. The company relied on four third-party software components with no contractual cybersecurity clauses. Under the KSC Act, entities must assess the cybersecurity practices of their suppliers and include minimum security requirements in procurement contracts. Negotiating four addenda within the eight-week window required parallel legal and technical workstreams. Two suppliers accepted standard clauses within two weeks. Two required bespoke negotiation and were not resolved before the UKE response deadline – a risk we disclosed proactively in the regulatory submission.

For the cross-border data flows implicated by the German and Czech client integrations, we applied the legal mechanisms analysed in our guide on data transfer from Poland to Sweden – legal mechanisms, adapting that framework to EEA-internal transfers, where the standard contractual clause analysis from our GDPR guidance for Poland remained relevant.

What are the transferable lessons for Polish companies?

The most common mistake is treating NIS2 as an IT project rather than a governance obligation. Board liability under the KSC Act is direct and personal. Management board members who fail to ensure implementation of the required security measures face fines of up to PLN 600,000 individually. That figure undercuts any argument that cybersecurity is purely a technical matter for the IT department.

Classification errors are the second major risk. Many Polish companies assume they fall outside NIS2 scope because they do not operate critical infrastructure. The "important entity" category is far broader. Any company meeting the size thresholds and operating in a covered sector – which includes transport, digital services, manufacturing of certain products, and food production – must register and comply. Failure to register does not suspend the obligations. It simply adds a separate registration-failure violation to any substantive non-compliance finding.

We obtained interim compliance protection for a technology services client in Silesia (spring 2026), demonstrating to the supervisory authority that a structured remediation programme was underway before the formal inspection. That approach – proactive disclosure combined with a documented remediation roadmap – consistently produces better regulatory outcomes than waiting for enforcement. The anti-corruption compliance framework under Polish law applies the same principle: documented good-faith effort materially affects enforcement discretion.

Companies with existing GDPR compliance programmes in Poland have a structural advantage. The data-protection impact assessment methodology, vendor due diligence processes, and incident-response documentation requirements overlap substantially with KSC Act obligations. Firms that have already invested in GDPR compliance and understand UODO enforcement trends can adapt existing frameworks rather than building from scratch. The marginal cost of NIS2 compliance is significantly lower for GDPR-mature organisations.

DORA compliance timelines for financial-sector entities follow a parallel logic. Companies subject to both DORA and NIS2 should map the obligations together to avoid duplicating governance structures. Obligations under the AI Act in Poland, where relevant, add a third layer – but the risk-management documentation required under all three frameworks shares a common architecture.

What to prepare before a NIS2 compliance review:

  • Current headcount and annual turnover figures – classification threshold documentation
  • Sector activity description mapped against KSC Act annexes
  • Existing IT security policies and board resolutions adopting them
  • List of third-party software and cloud providers with contractual cybersecurity terms
  • Incident log for the preceding 12 months, including near-miss events

Specific situations require tailored analysis. If your company has crossed the NIS2 size thresholds and operates in a covered sector, the personal liability exposure for board members is live – regardless of whether a supervisory authority has made contact. To receive an expert assessment of your company's NIS2 classification and compliance posture, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does NIS2 apply to a Polish company that only serves domestic clients?

A: Yes. The KSC Act applies based on where the entity is established and what sector it operates in – not where its clients are located. A purely domestic logistics software provider meeting the 50-employee or EUR 10 million turnover threshold in a covered sector must register and comply. Cross-border operations may add obligations under other member states' transposition laws, but domestic scope alone is sufficient to trigger Polish obligations.

Q: How long does the NIS2 registration process take with UKE?

A: Registration itself is administrative and typically acknowledged within 14 days of a complete application. The preparatory work – sector classification, security policy adoption, incident-response procedure drafting, and board training – realistically requires six to ten weeks for a company starting from a low baseline. Companies that delay registration until after a supervisory inquiry face the same substantive obligations but with a compressed timeline and an active enforcement file already open.

Q: Is it a misconception that NIS2 only covers large enterprises?

A: It is a common and costly misconception. The "important entity" category covers companies with as few as 50 employees or EUR 10 million in annual turnover operating in covered sectors. The "essential entity" category has higher thresholds but carries stricter obligations and proactive supervision. Many mid-market Polish technology, transport, and manufacturing companies fall into the important-entity category without realising it. Warsaw IP and trademark registration practitioners have separately flagged NIS2 exposure for IP-intensive digital-service providers, where the sector overlap is frequently overlooked.

About KORDECKI & Partners

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to technology law, AI regulation, NIS2 and DORA compliance, and IP protection. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.