Amendment to the Act on the National Cybersecurity System (NIS2) – the most important changes and deadlines.

In recent weeks, we have observed a clear acceleration of legislative work on the amendment to the Act on the National Cybersecurity System (UKSC), which is the national implementation of the NIS2 Directive.

In January 2026, legislative work accelerated sharply:

  • 23 January: The Sejm voted for the draft amendment.
  • 28 January: The bill passed the Senate and was signed by the President.

For businesses, the new rules will take effect soon. Below are the key aspects that every organization that cares about cybersecurity needs to know.

Who is affected by UKSC? Key entity vs important entity

A priority is to establish whether the organisation may be recognised as a key entity or an important entity. Currently, there are three paths to being entered on the list of such entities:

  1. Decision “ex officio” – communicated by the competent minister, unambiguously indicating the organization as subject to the provisions of the Act.
  2. Self-assessment and notification – the organisation independently assesses the fulfilment of the criteria and makes a notification (within 6 months of their occurrence).
  3. Discretionary decision of the competent authority (Article 8L) – even if the statutory criteria do not indicate this directly.

UKSC implementation schedule – how much time do you have?

The legislator has provided for specific timeframes for the adaptation of systems and procedures:

  • Organizations have 12 months to implement the requirements of the Act from the moment of entry into the list.
  • However, some obligations arise earlier: according to Article 46, IT systems must be prepared for cooperation with the S46 system within 6 months.
  • The first inspection can only be carried out after 24 months, which gives a certain time buffer to organize the activities.

Financial penalties and liability of the management board

Failure to comply with the UKSC entails unprecedented financial sanctions:

  • key entity – up to EUR 10 million or 2% of annual revenue,
  • important entity – up to EUR 7 million or 1.4% of annual revenue.

Important! The entity’s manager may also be subject to a fine. The sanction can be up to 300% of his monthly salary.

How does the compliance verification work?

The competent authority can use several tools, including:

  • mandatory evaluation 24 months after entry in the list,
  • cyclical audits (every 3 years),
  • planned and ad hoc inspections,
  • requests for information,
  • incident reporting.

How does Exorigo-Upos support the implementation of NIS2/UKSC?

We support organizations at every stage of the UKSC compliance lifecycle:

  • verification of whether the organization is subject to the provisions of the Act and whether there is an obligation to report to the list,
  • conducting a preliminary audit that clearly indicates the scope of responsibilities and priorities of activities,
  • identification and planning of required organizational and technical activities,
  • implementation of tools and services (e.g. SOC, vulnerability management),
  • preparation of policies, procedures and instructions,
  • transfer of knowledge to the organization’s teams.

We invite you to a conversation during which we will discuss the consequences the UKSC amendment may have for your organization and how best to prepare for them.
