{"id":15804,"date":"2026-04-15T11:16:22","date_gmt":"2026-04-15T09:16:22","guid":{"rendered":"https:\/\/directit.pl\/?p=15804"},"modified":"2026-04-15T11:16:22","modified_gmt":"2026-04-15T09:16:22","slug":"timeline-of-obligations","status":"publish","type":"post","link":"https:\/\/directit.pl\/en\/timeline-of-obligations\/","title":{"rendered":"Timeline of Obligations under the Amendment to the National Cybersecurity System (KSC)"},"content":{"rendered":"\r\n<div id=\"rank-math-toc\" class=\"wp-block-rank-math-toc-block\">\r\n<h2>Table of Contents: Timeline of Obligations<\/h2>\r\n<nav>\r\n<ul>\r\n<li class=\"\"><a href=\"#6-months-registration-as-a-key-or-important-entity\">6 Months \u2013 Registration as a Key or Important Entity<\/a><\/li>\r\n<li class=\"\"><a href=\"#12-months-implementation-of-ksc-obligations\">12 Months \u2013 Implementation of KSC Obligations<\/a><\/li>\r\n<li class=\"\"><a href=\"#24-months-first-audit-and-inspection\">24 months \u2013 first audit and inspection<\/a><\/li>\r\n<li class=\"\"><a href=\"#the-we-have-time-myth\">The \u201cWe Have Time\u201d Myth<\/a><\/li>\r\n<li class=\"\"><a href=\"#practical-timeline\">Practical Timeline<\/a><\/li>\r\n<li class=\"\"><a href=\"#practical-tips-for-companies\">Practical Tips for Companies<\/a><\/li>\r\n<li class=\"\"><a href=\"#summary\">Summary<\/a><\/li>\r\n<li class=\"\"><a href=\"#trust-the-it-experts\">Trust the IT Experts<\/a><\/li>\r\n<li class=\"\"><a href=\"#want-to-learn-more\">Want to learn more?<\/a><\/li>\r\n<\/ul>\r\n<\/nav><\/div>\r\n\r\n\r\n\r\n<p>The amendment to the National Cybersecurity System (KSC) introduces new obligations for companies operating as key or important entities in the Polish economy. Contrary to appearances, the implementation deadlines are not \u201cdistant\u201d \u2013 although penalties may only be imposed after two years, delays can lead to serious operational and legal issues. Therefore, it is worth planning actions carefully over 6, 12, and 24 months and treating the KSC timeline as a practical tool for managing cybersecurity projects within a company.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"6-months-registration-as-a-key-or-important-entity\" class=\"wp-block-heading\"><strong>6 Months \u2013 Registration as a Key or Important Entity<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>The first obligation concerns registration in the KSC. Entities meeting the criteria of key or important entities have six months from the entry into force of the amendment to complete registration.<\/p>\r\n\r\n\r\n\r\n<p>What does this mean in practice?<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Collecting documentation confirming the entity\u2019s status in the economy.<\/li>\r\n\r\n\r\n\r\n<li>Conducting an internal audit of IT systems and security processes.<\/li>\r\n\r\n\r\n\r\n<li>Submitting an application to CSIRT GOV for registration in the KSC entities register.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Important: Failure to register does not stop the running of subsequent deadlines. Even if a company registers after six months, the countdown from the entry into force of the law still applies for the implementation of obligations and the audit.<\/p>\r\n\r\n\r\n\r\n<p>Additionally, companies should use this time for preliminary identification of cybersecurity risks that could impact their operations. Preparing documentation at this stage facilitates further implementation and reduces the risk of procedural errors.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"12-months-implementation-of-ksc-obligations\" class=\"wp-block-heading\"><strong>12 Months \u2013 Implementation of KSC Obligations<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>The next step is the full implementation of cybersecurity obligations within the company. The deadlines set in the amendment provide 12 months to meet the requirements, i.e., one year from the law\u2019s entry into force.<\/p>\r\n\r\n\r\n\r\n<p>What does implementation include?<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Establishing incident management and reporting procedures.<\/li>\r\n\r\n\r\n\r\n<li>Securing IT systems in accordance with KSC requirements.<\/li>\r\n\r\n\r\n\r\n<li>Conducting cybersecurity training for personnel.<\/li>\r\n\r\n\r\n\r\n<li>Developing an information security policy and procedures for cooperation with suppliers and external partners.<\/li>\r\n\r\n\r\n\r\n<li>Testing the resilience of systems against potential cyberattacks.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Key points:<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>The 12-month deadline is not flexible \u2013 exceeding it increases the risk of sanctions after two years.<\/li>\r\n\r\n\r\n\r\n<li>Implementation should cover business processes, not just technology, to ensure real protection for the entire organization.<\/li>\r\n\r\n\r\n\r\n<li>Companies should document all activities so that compliance with the law can be easily demonstrated during the audit.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<h3 id=\"24-months-first-audit-and-inspection\" class=\"wp-block-heading\"><strong>24 months \u2013 first audit and inspection<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>The final stage is an audit conducted by external certification bodies, with the resulting reports submitted to CSIRTs. Companies have 24 months to complete this process, meaning two years from the entry into force of the act.<\/p>\r\n\r\n\r\n\r\n<p>Audit preparation includes:<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Full documentation of implemented procedures and security controls<\/li>\r\n\r\n\r\n\r\n<li>Reports from system tests and incident simulations<\/li>\r\n\r\n\r\n\r\n<li>Evidence of employee training<\/li>\r\n\r\n\r\n\r\n<li>Documentation of cooperation with suppliers in the area of cybersecurity<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>The audit does not mean immediate imposition of penalties \u2013 sanctions may only be applied after 24 months. However, lack of proper preparation may lead to serious consequences, both financial and operational, and may also reduce the organization\u2019s resilience to cyber threats.<\/p>\r\n\r\n\r\n\r\n<p>It is important to remember that even if the audit deadline seems distant, preparation should be carried out systematically, and obligations should be implemented in line with the organization\u2019s risk profile and specific context, ideally with the support of specialists experienced in the KSC framework.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"the-we-have-time-myth\" class=\"wp-block-heading\"><strong>The \u201cWe Have Time\u201d Myth<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>Although penalties are deferred for 24 months, many companies mistakenly interpret the deadlines as \u201ctime to delay.\u201d This misconception can be very costly.<\/p>\r\n\r\n\r\n\r\n<p>Why?<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Delayed registration does not stop other deadlines.<\/li>\r\n\r\n\r\n\r\n<li>Implementation of procedures takes time, especially in large organizations.<\/li>\r\n\r\n\r\n\r\n<li>The earlier actions are taken, the greater the certainty that the audit will be passed without comments.<\/li>\r\n\r\n\r\n\r\n<li>Systematic implementation increases operational resilience and overall IT security.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<h3 id=\"practical-timeline\" class=\"wp-block-heading\"><strong>Practical Timeline<\/strong><\/h3>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Entry into force of the law<\/li>\r\n\r\n\r\n\r\n<li>0\u20136 months: Registration as a key\/important entity<\/li>\r\n\r\n\r\n\r\n<li>6\u201312 months: Implementation of cybersecurity obligations<\/li>\r\n\r\n\r\n\r\n<li>12\u201324 months: First audit and preparation for inspection<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Important: Although financial sanctions may only be imposed after two years, preparation must start immediately.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"practical-tips-for-companies\" class=\"wp-block-heading\"><strong>Practical Tips for Companies<\/strong><\/h3>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Plan the implementation project in stages \u2013 from registration, through implementation, to the audit.<\/li>\r\n\r\n\r\n\r\n<li>Document all activities to ensure the audit proceeds smoothly.<\/li>\r\n\r\n\r\n\r\n<li>Conduct training and testing periodically, not just once before the audit.<\/li>\r\n\r\n\r\n\r\n<li>Monitor progress within the organization and report status to management to avoid delays.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<h3 id=\"summary\" class=\"wp-block-heading\"><strong>Summary<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>The KSC amendment requires companies to systematically plan their cybersecurity actions. Key deadlines are:<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>6 months: Registration in the system.<\/li>\r\n\r\n\r\n\r\n<li>12 months: Implementation of obligations.<\/li>\r\n\r\n\r\n\r\n<li>24 months: First audit.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Delays in registration do not stop other deadlines, and the perception of \u201cwe have time\u201d is misleading. Therefore, the best strategy is early planning, gradual implementation of requirements, and thorough documentation of all processes. This approach minimizes the risk of sanctions, ensures readiness for audits, and genuinely increases the level of cybersecurity within the organization.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"trust-the-it-experts\" class=\"wp-block-heading\"><strong>Trust the IT Experts<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>We have extensive experience in delivering comprehensive solutions for data protection and preventing information leaks for companies of all sizes. Our solutions are tailored to the individual needs of our clients, so you can focus on the core aspects of running your business.<\/p>\r\n\r\n\r\n\r\n<h3 id=\"want-to-learn-more\" class=\"wp-block-heading\"><strong>Want to learn more?<\/strong><\/h3>\r\n\r\n\r\n\r\n<p>Contact us, and we will prepare a detailed offer customized specifically for your company: <a href=\"https:\/\/directit.pl\/kontakt\/\">CONTACT<\/a><\/p>\r\n\r\n\r\n\r\n<p>Also, visit us on: <a href=\"https:\/\/www.facebook.com\/Direct.IT.poland\" target=\"_blank\" rel=\"noopener\">Facebook<\/a><\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>The amendment to the National Cybersecurity System (KSC) introduces new obligations for companies operating as key or important entities in the Polish economy. Contrary to appearances, the implementation deadlines are not \u201cdistant\u201d \u2013 although penalties may only be imposed after two years, delays can lead to serious operational and legal issues. Therefore, it is worth planning actions carefully over 6, 12, and 24 months and treating the KSC timeline as a practical tool for managing cybersecurity projects within a company.<\/p>\n","protected":false},"author":10,"featured_media":15807,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,386],"tags":[391,390,387,389],"class_list":["post-15804","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bez-kategorii","category-news","tag-acronis","tag-cybersecurity","tag-direct-it","tag-it-security"],"_links":{"self":[{"href":"https:\/\/directit.pl\/en\/wp-json\/wp\/v2\/posts\/15804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/directit.pl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/directit.pl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/directit.pl\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/directit.pl\/en\/wp-json\/wp\/v2\/comments?post=15804"}],"version-history":[{"count":3,"href":"https:\/\/directit.pl\/en\/wp-json\/wp\/v2\/posts\/15804\/revisions"}],"predecessor-version":[{"id":15808,"href":"https:\/\/directit.pl\/en\/wp-json\/wp\/v2\/posts\/15804\/revisions\/15808"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/directit.pl\/en\/wp-json\/wp\/v2\/media\/15807"}],"wp:attachment":[{"href":"https:\/\/directit.pl\/en\/wp-json\/wp\/v2\/media?parent=15804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/directit.pl\/en\/wp-json\/wp\/v2\/categories?post=15804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/directit.pl\/en\/wp-json\/wp\/v2\/tags?post=15804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}