ISMS Copilot for Polish critical infrastructure operators
UKSC 2026 entity classification, the Art. 8 measures catalogue, and the right CSIRT for every incident.
The Polish UKSC stack, beyond generic NIS 2
- Run the podmiot kluczowy vs podmiot wazny test under Art. 5 UKSC against your sector in Zalacznik nr 1 / nr 2
- Track the six-month self-identification timeline under Art. 7c and Art. 34, and the 24-month penalty deferral under Art. 35
- Map your controls against the 14-point catalogue in Art. 8 ust. 1 pkt 2 lit. a-n
- Work the 24-hour / 72-hour / one-month incident cascade under Art. 11-12b
- Determine which CSIRT receives your notification under Art. 26 ust. 5-7, and the Art. 44 transitional routing
- Interpret penalties on the entity and its kierownicy under Art. 73-73a
Built for Polish CI compliance leads
UKSC Art. 8 measures catalogue mapped to ISO 27001 Annex A controls
Poland-specific incident-report drafting against the Art. 11-12b cascade
CSIRT-routing decision support: CSIRT NASK / CSIRT GOV / CSIRT MON vs CSIRT sektorowy
Gap analysis comparing the 2018 NIS 1 act to the 2026 amendment
Kierownik (senior management) liability and oversight documentation
Cross-mapping UKSC to RODO, DORA and eIDAS 2 where obligations overlap
UKSC 2026 entity classification and CSIRT routing
The 23 January 2026 amendment (Dz.U. 2026 poz. 252), in force from 3 April 2026, is where most Polish operators get the analysis wrong. First, classification: Art. 5 splits entities into podmiot kluczowy and podmiot wazny based on sector (Zalacznik nr 1 / nr 2) and size, and you must self-identify within the Art. 7c / Art. 34 window. Second, routing: a powazny incydent goes to your CSIRT sektorowy under Art. 11 once the minister confirms it is operational, but until then Art. 44 ust. 1-2 directs you to CSIRT NASK, CSIRT GOV or CSIRT MON per the Art. 26 ust. 5-7 scope. Sectors with a team established before 2025 skip the transition (Art. 44 ust. 3). ISMS Copilot walks both decisions in plain language.
Full UKSC guidance →Frequently Asked Questions
How do I know if we are a podmiot kluczowy or podmiot wazny?
Classification is set by Art. 5 UKSC: it combines your sector (listed in Zalacznik nr 1 for kluczowy-leaning sectors and nr 2 for wazny) with size thresholds. ISMS Copilot walks the test against your activity and headcount, and explains the Art. 7c / Art. 34 six-month self-identification duty so you register on time.
Which CSIRT do we notify for a serious incident?
Under the permanent Art. 11 rule, your CSIRT sektorowy — but only after the minister publishes its operational status. Before that, Art. 44 ust. 1-2 routes you to CSIRT NASK, CSIRT GOV or CSIRT MON per the Art. 26 ust. 5-7 allocation. Sectors with a team established before 2025 report to it directly from the start (Art. 44 ust. 3).
Does ISMS Copilot certify our UKSC compliance?
No. ISMS Copilot does not issue certifications or attestations. It helps your team interpret the amended act, map the Art. 8 catalogue to your controls, and prepare internal documentation — supervision and any conformity assessment remain with the competent Polish authorities.
Ready to streamline your compliance work?
Built for speed, accuracy, and audit-ready output.