
11-09-2025 Dariusz Nożyński

Cybersecurity in Poland

The Act on the National Cybersecurity System (KSC) introduced fundamental regulations to strengthen the country’s cyber resilience. It was the implementation of the European NIS Directive (Network and Information Systems Directive), which imposed obligations on member states regarding the protection of networks and information systems. The rapid digital transformation of recent years made it necessary to introduce the new, expanded NIS 2 Directive, which significantly extended the list of entities subject to the regulations. The directive’s requirements will have to be met not only by public institutions and companies operating in "critical" sectors but also by thousands of entities from "important" economic sectors. Thus, new obligations arise for many institutions and entrepreneurs, obligations that are difficult to fulfill without specialized support. This is especially true since these requirements are linked with parallel obligations from other directives such as DORA and GDPR.

The main challenges in the context of the latest cybersecurity regulations — especially after the introduction of the GDPR, DORA, NIS2 directives and the amendment of the KSC — can be summarized in several areas:

1. Who is subject to the regulations and to what extent?

Determining whether an organization is formally subject to a particular regulation and to what degree — with many entities potentially governed by multiple regimes simultaneously (e.g., banks are subject to DORA, NIS2, and KSC) — is one of the fundamental challenges. The consequence of deciding that the regulations apply is the necessity to adjust processes to different legal requirements, which partly overlap but differ in details. Specifically:

  • GDPR (General Data Protection Regulation) applies to controllers (companies, public institutions, non-profit organizations, authorities) based in the EU that process personal data in the context of their activities, regardless of where the processing actually takes place. Any processor based in the EU processing personal data on behalf of the controller is also subject to GDPR.
  • DORA (Digital Operational Resilience Act) covers financial institutions and their ICT providers — including banks, investment firms, insurance companies, fintechs.
  • NIS2 (Network and Information Security Directive 2) — an EU directive covering energy, transport, health care, digital infrastructure, water management, public administration, and digital service providers.
  • KSC (National Cybersecurity System) — the national implementation of NIS2, extending the list of covered entities compared to NIS2, mainly in areas such as public administration (local government units, public universities, cultural institutions), pharmaceuticals (manufacturing and distribution of medicines), and the education sector.

Security as a Box – implementation of a complete security solution (SIEM, SOAR + Compliance) – contact us.

2. What are the key requirements for risk management?

Integrating the requirements of various regulations into coherent, practical risk management frameworks to avoid process duplication is currently one of the most important tasks. The goal is to develop a well-thought-out and cost-optimal process that reduces the risk of financial and legal penalties. Briefly:

  • GDPR does not prescribe “how” to protect data precisely but requires entities processing data to know the risks and select measures appropriate to the risk level, documenting the process and being able to demonstrate rational decisions during audits.
  • DORA imposes detailed requirements for identifying, assessing, and monitoring ICT risk, including supply chain risk and supplier concentration risk.
  • NIS2 / KSC require the implementation of information security management systems, business continuity plans (BCP), disaster recovery plans (DRP), and periodic risk analysis.

3. When to report and how to handle incidents?

Developing effective procedures that allow rapid detection, classification, and then reporting of incidents to various supervisory bodies — often in different formats and according to different criteria — is a key subject of the new regulations.

Comparative table — incident reporting

| Regulation | Reporting Authority | Initial Reporting Deadline | Scope of Report |
| --- | --- | --- | --- |
| GDPR | Data Protection Authority (DPA) | 72 hours from breach detection | Incident nature, data involved, consequences, actions taken |
| DORA | Financial supervisory authority (e.g. Polish KNF) | Without undue delay (according to materiality thresholds) | Description of ICT incident, service impact, corrective actions |
| NIS2 | Relevant CSIRT / national cybersecurity authority | Without undue delay (often ≤24h) | Nature, service impact, remedial measures |
| KSC | CSIRT NASK / CSIRT GOV / other designated | Immediately (usually ≤24h) | Incident description, impact, corrective actions |

4. When to conduct cybersecurity audits and resilience testing?

Securing the budget, resources, and expertise for systematic cybersecurity audits and tests performed to the required standards, and feeding the results back into the security improvement process, is a significant challenge that shapes the organization’s cybersecurity strategy and action plan.

  • GDPR mandates periodic tests, reviews, and evaluations of security measures proportional to the risk level — the higher the risk to individuals’ rights and freedoms, the more frequent the reviews, including ad hoc tests after significant changes (new systems, incidents, legal changes, etc.).
  • DORA requires regular Threat-Led Penetration Testing (TLPT) and security audits.
  • NIS2 / KSC mandate security audits at least once every three years (sometimes more frequently in specific sectors).

5. Does supply chain management apply to all entities?

All cybersecurity regulations require systematic review and adaptation of contracts, procurement processes, and subcontractor verification procedures to evolving laws and requirements. Entities subject to the regulations must monitor their subcontractors’ compliance with binding contracts and applicable regulations. Specifically:

  • GDPR — controllers may only use processors who provide sufficient guarantees of adequate technical and organizational measures, with processing governed by a written contract (including electronically). The processor cannot delegate data processing to any sub-processor without prior authorization (general or specific) from the controller.
  • DORA, NIS2, KSC emphasize the necessity of assessing and supervising ICT service and product suppliers.
  • DORA goes furthest — requiring formal agreements, risk assessments of suppliers, and contingency plans for failure or insolvency of key suppliers.

6. What are the sanctions and management responsibilities?

Avoiding sanctions, and ensuring that management actively supervises cybersecurity efforts and is aware of its responsibilities, is critical, particularly amid widespread staff and competency shortages.

Comparative table of sanctions (maximum financial and non-financial penalties):

| Regulation | Maximum Fine | Imposing Authority | Additional Non-Financial Sanctions |
| --- | --- | --- | --- |
| GDPR | €20 million / 4% of annual global turnover | DPA | Processing bans, data deletion, civil and criminal liability |
| DORA | 1% of daily turnover per day of breach (max. 6 months) | KNF or sector authority | Ban on using ICT provider, mandatory audits, public disclosure |
| NIS2 | €10 million / 2% turnover (critical entities) or €7 million / 1.4% (important entities) | Cybersecurity authority (Polish minister + CSIRT) | Suspension of management, mandatory additional security measures |
| KSC | PLN 1 million (entity) / PLN 200k (manager) | Minister / CSIRT | Orders for corrective measures, inspections, reports to prosecutor |

7. Integrating requirements into a single coherent system

Combining GDPR, DORA, NIS2, and KSC requirements into unified management frameworks that work effectively in daily practice is a challenge faced by all entities subject to multiple regulations simultaneously. The vast majority of institutions covered by several regulations must build an integrated compliance model to:

  • Avoid process duplication
  • Harmonize security policies
  • Meet all deadlines and reporting formats

How SOC Factory helps meet NIS2/DORA requirements — contact us


Important to know — responsibility towards supervisory bodies

1. GDPR (General Data Protection Regulation)

Legal basis: Article 83 GDPR, Articles 102-107 of Poland’s Personal Data Protection Act
Sanctions:

  • Administrative fines:
    • Up to €20 million or 4% of total annual worldwide turnover of the preceding year — whichever is higher.
    • Lower threshold fines: up to €10 million or 2% turnover — for less serious breaches (e.g., failure to maintain records).
  • Orders and prohibitions by supervisory authority (UODO):
    • Orders to delete data or restrict processing.
    • Suspension of processing operations.
  • Civil liability:
    • Right to compensation for individuals whose data was breached.
  • Criminal liability (Polish law):
    • Fines or imprisonment for illegal processing of special categories of data.

2. DORA (Digital Operational Resilience Act — EU Regulation 2022/2554)

Legal basis: Articles 50-54 DORA + sectoral provisions (e.g., Polish financial market supervision law)
Sanctions:

  • Administrative fines imposed by authorities (e.g., Polish KNF):
    • Could be up to 1% of average daily global turnover of the institution, per day of ongoing breach, for up to 6 months.
    • Alternatively, lump sum amounts consistent with national law.
  • Supervisory measures:
    • Orders to remedy breach within a deadline.
    • Ban on using ICT provider.
    • Requirement to conduct additional tests or audits.
  • Public disclosure of breach (“naming & shaming”).

3. NIS2 (EU Directive 2022/2555 — transposed into national law)

Legal basis: Article 34 NIS2 (sanction framework) + transposition laws (in Poland: amendment to KSC)
Sanctions envisaged:

  • Financial penalties:
    • For “critical entities”: up to €10 million or 2% of total global turnover.
    • For “important entities”: up to €7 million or 1.4% of turnover.
  • Supervisory measures:
    • Orders to remedy deficiencies.
    • Temporary suspension of management’s powers.
    • Obligation to implement additional security measures.
  • Reputational: obligation to disclose incidents and breaches.

4. KSC (National Cybersecurity System Act — currently being amended under NIS2)

Legal basis: Act of 5 July 2018 on the National Cybersecurity System
Current sanctions:

  • Financial penalties:
    • Up to PLN 200,000 for unit managers.
    • Up to PLN 1 million for entities — e.g., for failure to implement security requirements, failure to report a serious or critical incident, lack of cooperation with CSIRT.
  • Supervisory measures:
    • Orders to implement specific measures within a set timeframe.
    • Possibility of inspections and audits.
  • Notification of law enforcement in suspected crimes.
  • Planned changes (post full NIS2 implementation): financial penalties in euros linked to turnover percentages and broader supervisory tools.
