Check whether your company falls under KSC/NIS2 and what cyber evidence to prepare

We treat KSC as a regulatory exposure and a supply chain factor, not as the only protagonist. No scare tactics about penalties and no artificial urgency.

Could your company fall under KSC?

Enter a NIP number and we will check in a few seconds.

We do not store NIP numbers.

KSC in brief

KSC is the act on the national cybersecurity system, which implements the EU NIS 2 directive (Dz.U. 2026 poz. 252). The obligations of Polish entities arise from the act, not directly from the directive.

  • The act distinguishes between an essential entity and an important entity based on sector (annexes) and the size of the enterprise (art. 5). Where the criteria overlap, the entity is essential.
  • The core obligation is an information security management system and risk management measures (art. 8).
  • Senior management completes training once per calendar year (art. 8e).
  • A major incident is reported to the relevant sectoral CSIRT: an early warning within 24 hours, a notification within 72 hours, and a final report within one month (art. 11).
  • An essential entity carries out an audit at least once every 3 years. An important entity has no cyclical audit, but the competent authority may order an audit in the event of a major incident or a breach of the rules (art. 15).

Key dates

  • The act entered into force around 3 April 2026.
  • Entry into the register of entities (the KSC ICT system, commonly known as S46, art. 46) takes place in line with the minister's schedule.
  • Implementation of the obligations from chapter 3 (including art. 8 and art. 14) within 12 months of entry into force, that is around 3 April 2027.
  • The first audit of an essential entity within 24 months, that is around 3 April 2028.

Administrative penalties are provided for in the act (art. 73): for an essential entity up to EUR 10 million or 2% of turnover, for an important entity up to EUR 7 million or 1.4%. A moratorium applies, however: financial penalties may be imposed for the first time only after 2 years from entry into force, that is around 3 April 2028 (art. 35). The act also provides for personal liability of a manager up to 300% of remuneration (art. 73a). For this reason we build urgency on real grounds, not on penalties.

What the Exposure Check covers

  • Initial qualification of status (essential, important, not subject).
  • A map of obligations tailored to your situation.
  • The impact on the board and management liability.
  • The impact on the supply chain and the requirements that may come from clients.
  • The link with cyber insurance and with OT and IEC 62443.
  • Recommendations for 60–90 days.

Holding ISO 27001 makes it easier to meet KSC requirements, but it does not automatically mean compliance. IEC 62443 is not a general statutory obligation for every company with OT.
