UKSC Copilot
Navigate Poland's NIS 2 transposition with clarity and confidence
What the UKSC Copilot Can Do
Identify whether your organisation qualifies as a podmiot kluczowy or podmiot ważny under Art. 5 UKSC
Understand the two registration regimes and the six-month self-identification timeline under Art. 7c and Art. 34
Map your security measures against the 14-point catalogue in Art. 8 ust. 1 pkt 2 lit. a–n
Navigate the 24-hour, 72-hour, and one-month incident reporting cascade under Art. 11–12b
Track which CSIRT receives your incident notifications under Art. 26 ust. 5–7 and the Art. 44 transitional routing rules
Interpret the penalty framework for entities and their kierownicy under Art. 73–73a, including the 24-month deferral under Art. 35
About UKSC Copilot
UKSC Copilot helps organisations subject to the Ustawa o krajowym systemie cyberbezpieczeństwa (as amended by Dz.U. 2026 poz. 252) understand their obligations, map applicable requirements, and prepare for supervision. It covers entity classification, risk management obligations, incident reporting, and administrative penalties under the amended act.
Frequently Asked Questions
What is UKSC?
UKSC (Ustawa o krajowym systemie cyberbezpieczeństwa) is Poland's national cybersecurity act, originally enacted on 5 July 2018 as the NIS 1 transposition and substantially amended on 23 January 2026 (Dz.U. 2026 poz. 252) to transpose Directive (EU) 2022/2555 (NIS 2). The 2026 amendment entered into force on 3 April 2026 and restructures entity classification, risk management obligations, incident reporting, supervision, and penalties across sectors listed in Załącznik nr 1 and Załącznik nr 2 to the act.
How does the UKSC Copilot help?
UKSC Copilot helps you work through the act's requirements in plain language — from understanding the podmiot kluczowy / podmiot ważny classification criteria in Art. 5, to interpreting the security obligations in Art. 8, to identifying the correct CSIRT for incident notifications under Art. 26 and Art. 44. It also helps you draft internal summaries and gap analyses, and compare UKSC obligations with related frameworks such as DORA, RODO, and eIDAS 2.
Which CSIRT should my organisation notify when a poważny incydent occurs?
Under Art. 11 (the permanent rule), notifications go to the CSIRT sektorowy for your sector once the minister has published a communication confirming that CSIRT's operational status; before that publication, Art. 44 ust. 1–2 directs notifications to CSIRT NASK, CSIRT GOV, or CSIRT MON according to the scope allocations in Art. 26 ust. 5–7. A carveout in Art. 44 ust. 3 means that sectors whose sektorowy zespół cyberbezpieczeństwa was established before 2025 are not subject to the transitional period and report directly to that team as a CSIRT sektorowy from the outset.
Ready to streamline your compliance work?
Built for speed, accuracy, and audit-ready output.