Cybersecurity in the supply chain: what NIS2 changes in Poland
On 3 April 2026, Poland’s amended Act on the National Cybersecurity System (KSC Act) entered into force, implementing the EU’s NIS2 Directive. For sectors critical to the functioning of the state and the economy (e.g. energy, transport, manufacturing, and digital services) the reform marks a meaningful shift in how cybersecurity is approached. The focus shifts from the individual organisation to the broader supply chain, raising expectations for suppliers and service providers and bringing them within the scope of cybersecurity accountability.
New rules, new mindset
In practice, the changes are structural. Vendor management, long treated as an operational or procurement function, is now part of the compliance framework. Entities classified as “essential” or “important” are expected not only to identify their key suppliers, but also to assess the risks associated with them and demonstrate that those risks are managed in a structured and consistent manner.
While the KSC Act sets out a broad catalogue of required elements for an information security management system, it does not prescribe a single model for managing supply chains. Instead, it establishes a risk-based and proportionate standard. This offers flexibility, but also places the burden of interpretation and implementation squarely on companies. In practical terms, this means developing internal rules governing supply chain security. This may include, for example, adopting a supply chain security policy that defines criteria for selecting suppliers, taking into account their cybersecurity maturity.
Requirements imposed on suppliers will increasingly need to be reflected in contractual arrangements. Supplier agreements are likely to become one of the primary tools for demonstrating compliance. These should address, among other things, audit rights, rules on the use of subcontractors, and incident reporting obligations. Without appropriate contractual provisions, it may be difficult to show that supply chain risks are effectively controlled. As a result, cybersecurity considerations are becoming embedded in contracting practice, not just in technical or operational processes.
Due diligence and ongoing monitoring
Risk assessment cannot be a one-off exercise limited to the onboarding stage. Initial due diligence, including the review of a supplier’s security standards or vulnerability management processes, will need to be supplemented by ongoing oversight throughout the relationship.
Mechanisms such as periodic assessments, incident reporting, and verification of compliance with agreed standards are likely to become standard practice. In other words, supplier relationships will need to be actively managed over time, rather than simply being established at the contracting stage.
Management accountability and sanctions
A notable feature of the reform is the personal responsibility of the management body of an “essential” or “important” entity for compliance with cybersecurity obligations. This responsibility remains even if specific tasks are delegated. Supply chain risk is no longer solely a matter for IT or procurement functions, but becomes a board-level issue.
Financial penalties may be significant. For essential entities, fines can reach up to EUR 10 million or 2% of global annual turnover, whichever is higher. For important entities, the thresholds are EUR 7 million or 1.4% of turnover. In addition, individual managers may face personal fines of up to 300% of their monthly remuneration. As a general rule, penalties may not be imposed earlier than two years after the amended KSC Act entered into force.
Transition periods
Entities that meet the criteria for classification as essential or important have 12 months to implement an information security management system, including supply chain security policies.
They are also required to apply for inclusion in the relevant register within six months of being classified. For entities already falling within scope at the time the law entered into force, the detailed timetable for registration will be set out in a communication issued by the competent minister. Essential entities must conduct their first cybersecurity audit within 24 months of the amended provisions entering into force, and subsequently at least once every three years.
Key takeaway
Cybersecurity regulation is no longer confined to internal IT systems, but extends to the broader ecosystem in which companies operate. As a result, how businesses structure and manage their relationships with suppliers is becoming a matter of regulatory accountability and a central component of risk management.
For more information on Poland’s cybersecurity regulations, contact your CMS client partner or the CMS experts who contributed to this article.