Poland: Mandatory NIS2 Registration Launched - Self Assessment Required

The amendment to the Act on the National Cybersecurity System („the Act”) introduces changes in the way cybersecurity is supervised in Poland. One of the key features is the obligation to register in the centralized S46 platform. This requires entrepreneurs and public institutions to make appropriate organisational, technological and legal preparations. The following analysis provides a detailed overview of the registration process that was launched on 3 April 2026.

Evolution and name of the system - S46

The name "System S46" has its legal basis in Article 46(1) of the amended Act on the National Cybersecurity System. It should be noted that the system is not being developed entirely from scratch. It already existed under the original 2018 version of the Act and was used in relation to operators of essential services. Any pre-existing arrangements governing the use of that system remain in force until terminated. However, the amendment significantly expands its function. Under the newly added Article 46(1a) of the Act, the platform is to serve as a central, nationwide tool for maintaining the official register of entities subject to the NIS2 regime. It is also intended to support the secure, encrypted exchange of information concerning incidents, vulnerabilities and cyber threats with the relevant Computer Security Incident Response Team and competent authorities.

Obliged entities and the broad principle of territoriality

The registration obligation rests absolutely on entrepreneurs that will obtain the status of "essential entity" or "important entity" under the amended regulations that implemented NIS2 to the Polish legal framework. Failure to comply with this obligation may expose an entity to administrative fines.

To determine whether a given entity is subject to Polish jurisdiction in the area of cybersecurity – and subject to mandatory registration, the updated principle of territoriality, regulated in Article 5a (1) of the Act, is of fundamental importance. Under that provision, an essential entity or an important entity is subject to the obligations arising from the Act if:

• it has its seat in Poland, or
• conducts business in Poland through its registered offices, branches,
• conducts business in Poland as part of cross-border activities.

The use of such a broad territorial link is a deliberate action of the legislator. It closes the regulatory gap and makes the Polish cybersecurity regime subject not only to entities registered in the National Court Register as legal entity with the Polish seat, but also to foreign companies that render their services here in a cross-border manner.

Deadlines for making an entry

The legislator imposes a strict timeframe on entrepreneurs to regulate their legal situation. According to the general rules, an essential or important entity is obliged to submit a formal application for entry on the list within 6 months from the date on which it met the conditions qualifying it for one of these roles.

Importantly, the registration obligation is not a one-off requirement. The Act also introduces an updating obligation. Any changes in the data covered by the entry must be reported in the S46 system within 14 days from the date on which the relevant change occurred. This requires entities to implement appropriate internal processes that will allow for quick mapping of organizational changes and transferring them to the system.

First registration – transitional provisions

For entities that meet the qualification criteria on the date of entry into force of the amendment, detailed transitional provisions have been introduced. On 8 April 2026, the Minister of Digital Affairs issued a statement in which he specified the schedule for submitting applications for entry into the list of essential entities and important entities and for them to start using the S46 platform. The Minister of Digital Affairs will create a list of essential entities and important entities within one month from the date of entry into force of the Act. At the same time, the Minister shall, ex officio, enter the above list of operators of essential services entered into the list of operators of essential services entered before the date of entry into force of the Act and deliver a notification of this entry.

Based on announcement published by the Ministry of Digital Affairs¹, the schedule for submitting applications for entry into the list of essential entities and important entities is following:

1. 13 April 2026. Launch of the register of essential and important entities

   On this date, the register of essential and important entities will be launched. Entities covered by the provisions of the Act will be entered into this register.

2. 13 April - 6 May 2026. Ex-officio entries by the Minister of Digital Affairs 

   During this timeframe, the Minister of Digital Affairs will, ex officio, enter into the register existing operators of essential services, trust service providers, telecommunications undertakings, and public entities. It seems that telecom providers will be entered into the registered automatically, based on telecoms register held by the telecom regulator (UKE).

3. 7 May - 3 October 2026. Self-registration in the register of essential and important entities 

   Entities not covered by ex officio entry into the register will be required to apply for registration themselves. Therefore, self-assessment is required before that date – also as formal evidence of due-diligence.

   The register will be maintained within the S46 System as described above and will be available at: https://wykaz-ksc.gov.pl. Applications for entry, modification, or removal from the register will be completed and submitted electronically by S46 and must be signed with a qualified electronic signature.

4. 12 June 2026. Launch of access to the S46 System for new entities 

   The Act introduces an obligation for essential and important entities to use the S46 system. From 12 June 2026 entities may begin using the system, which is intended, among other things, for fulfilling statutory obligations, in particular for incident reporting and communication with competent authorities within the national cybersecurity system.

Detailed scope of data to be reported to the list

Registration in the S46 system requires the disclosure of a broad range of technical and organisational information. The catalogue of data, set out in Article 7(2) of the Act, is intended to provide the competent public authorities with meaningful visibility into the cybersecurity architecture of critical sectors of the economy. The application is submitted under penalty of criminal liability for making a false statement, pursuant to Article 233(6) of the Polish Criminal Code.

The notification includes information points introduced by the essential or important entity itself, which include, in particular:

1. Identification and classification data: full name (company), Tax Identification Number and National Business Registry Number, registered office and correspondence address, e-mail address, address for electronic delivery and exact indication of the sector, subsector and type of activity, in accordance with Annex 1 or Annex 2 to the Act.
2. Business status: a declaration specifying the size of the company (micro, small, medium, large) determined in accordance with EU employment and turnover criteria, as well as information on the EU Member States in which the entity provides services.
3. IT infrastructure: a list of continuously used Internet domains and a range of public IP addresses. In this case, the regulations provide for a significant exclusion – errors in indicating IP addresses and domain names are not subject to criminal liability.
4. External service: information about contracts concluded with external managed security service providers of managed cybersecurity services (e.g. external SOCs), along with their identification data.
5. Contact persons and account administration: indication of the names of persons to contact the supervisory authorities and detailed data of the administrator of the entity's account in the S46 system, including, mandatorily, that person’s Personal ID number or the relevant EU electronic identifier.

Formal requirements for application authorization

The proceedings before the Minister have been fully digitized. An application for entry, change of entry or deletion of an entry is made only in electronic form directly in the S46 system. This document must be validly authenticated by the head of the entity or its duly authorised representative.

The Act specifies a closed catalogue of permissible forms of authorisation, which include:

• Qualified electronic signature
• Trusted signature
• Personal signature (certificate stored in the electronic layer of the ID card)
• Qualified Electronic Seal of the entity.

An important aspect is the rules of representation. The application must be accompanied by an electronic power of attorney with an appropriate signature, but this requirement is excluded if the person submitting the application is a commercial proxy or a member of a body authorised to represent and this right results directly from an entry in the register of entrepreneurs of the National Court Register or the Central Register and Information on Economic Activity.

Consequences of non-compliance

Failure to comply with the registration obligation, submission of inaccurate information, or failure to meet the statutory updating requirements creates a direct risk of severe pecuniary penalties being imposed by the competent supervisory authorities. The implementation of appropriate organisational procedures prior to filing should significantly improve an entity’s readiness to communicate efficiently with the relevant Computer Security Incident Response Team in the event of an actual cyber threat or reportable incident.

Footnote

1. Available here in Polish: https://www.gov.pl/web/cyfryzacja/nowelizacja-ustawy-o-krajowym-systemie-cyberbezpieczenstwa-ksc--najwazniejsze-terminy

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.