11-09-2025 Dariusz Nożyński

Cybersecurity in Poland

The Act on the National Cybersecurity System (KSC) introduced fundamental regulations to strengthen the country’s cyber resilience. It implemented the European NIS Directive (Network and Information Systems Directive), which imposed obligations on member states regarding the protection of networks and information systems. The rapid digital transformation of recent years made it necessary to introduce the new, expanded NIS 2 Directive, which significantly extended the list of entities subject to the regulations. Its requirements will have to be met not only by public institutions and companies operating in "critical" sectors but also by thousands of entities from "important" economic sectors. Thus, many institutions and entrepreneurs face new obligations that are difficult to fulfill without specialized support, especially since these requirements are linked with parallel obligations from other directives such as DORA and GDPR.

The main challenges in the context of the latest cybersecurity regulations — especially after the introduction of the GDPR, DORA, NIS2 directives and the amendment of the KSC — can be summarized in several areas:

1. Who is subject to the regulations and to what extent?

One of the core challenges organizations face is determining whether they are formally subject to specific regulations—and to what extent. This complexity is heightened by the fact that many entities, such as banks, often fall under multiple regulatory frameworks simultaneously (e.g., DORA, NIS2, KSC). Once it's established that a regulation applies, organizations must adapt their internal processes to comply with distinct legal requirements. While these frameworks may share common elements, they often diverge in critical details. The applicable frameworks include:

  • GDPR (General Data Protection Regulation) which applies to controllers (companies, public institutions, non-profit organizations, authorities) based in the EU that process personal data in the context of their activities, regardless of where the processing actually takes place. Any processor based in the EU processing personal data on behalf of the controller is also subject to GDPR.
  • DORA (Digital Operational Resilience Act) which covers financial institutions and their ICT providers — including banks, investment firms, insurance companies, fintechs.
  • NIS2 (Network and Information Security Directive 2) — an EU directive covering energy, transport, health care, digital infrastructure, water management, public administration, and digital service providers.
  • KSC (National Cybersecurity System) — Poland’s national adaptation of the NIS2 directive, which broadens the scope of regulated entities beyond those covered by NIS2. This expansion notably includes sectors such as public administration (e.g., local governments, public universities, cultural institutions), pharmaceuticals (including medicine production and distribution), and education.

2. What are the key requirements for risk management?

One of today’s key challenges is aligning diverse regulatory requirements into a unified, efficient risk management framework that avoids redundant processes. The objective is to build a cost-effective, well-structured approach that minimizes exposure to financial and legal penalties.
Regulatory Highlights:

  • GDPR mandates a risk-based approach to data protection. While it doesn’t specify exact methods, organizations must assess risks, implement proportionate safeguards, document their decisions, and justify them during audits.
  • DORA sets out comprehensive obligations for managing ICT risks, including those related to third-party providers and supplier concentration.
  • NIS2 / KSC require robust cybersecurity governance, including the deployment of information security management systems, business continuity and disaster recovery plans, and regular risk assessments.

3. When to report and how to handle incidents?

Developing effective procedures that allow rapid detection, classification, and then reporting of incidents to various supervisory bodies — often in different formats and according to different criteria — is a key subject of the new regulations.

Comparative table — incident reporting

| Regulation | Reporting Authority | Initial Reporting Deadline | Scope of Report |
|---|---|---|---|
| GDPR | Data Protection Authority (DPA) | 72 hours from breach detection | Incident nature, data involved, consequences, actions taken |
| DORA | Financial supervisory authority (e.g. Polish KNF) | Without undue delay (according to materiality thresholds) | Description of ICT incident, service impact, corrective actions |
| NIS2 | Relevant CSIRT / national cybersecurity authority | Without undue delay (often ≤24h) | Nature, service impact, remedial measures |
| KSC | CSIRT NASK / CSIRT GOV / other designated | Immediately (usually ≤24h) | Incident description, impact, corrective actions |

4. When to conduct cybersecurity audits and resilience testing?

Securing the budget, resources, and expertise for systematic cybersecurity audits and tests that meet the required standards, and feeding the results back into the security improvement process, is a significant challenge; it shapes the organization’s cybersecurity strategy and action plan.

  • GDPR mandates periodic tests, reviews, and evaluations of security measures proportional to the risk level — the higher the risk to individuals’ rights and freedoms, the more frequent the reviews, including ad hoc tests after significant changes (new systems, incidents, legal changes, etc.).
  • DORA requires regular Threat-Led Penetration Testing (TLPT) and security audits.
  • NIS2 / KSC require security audits at least every three years, with some sectors subject to more frequent reviews.

5. Does supply chain management apply to all entities?

All cybersecurity regulations require systematic review and adaptation of contracts, procurement processes, and subcontractor verification procedures to evolving laws and requirements. Entities subject to the regulations must monitor their subcontractors’ compliance with binding contracts and applicable regulations. In particular:

  • Under the GDPR, data controllers are permitted to engage processors only if those processors offer credible assurances of implementing appropriate technical and organizational safeguards. All processing activities must be governed by a formal written agreement, which may be in electronic form. Furthermore, processors are prohibited from subcontracting any data processing tasks to sub-processors without obtaining prior authorization—either general or specific—from the controller.
  • DORA, NIS2, KSC emphasize the necessity of assessing and supervising ICT service and product suppliers.
  • DORA goes furthest — requiring formal agreements, risk assessments of suppliers, and contingency plans for failure or insolvency of key suppliers.

6. What are the sanctions and management responsibilities?

It is critical to avoid sanctions and to ensure that management actively supervises cybersecurity efforts and is aware of its responsibilities, all amid widespread shortages of staff and competencies.

Comparative table of sanctions (maximum financial and non-financial penalties):

| Regulation | Maximum Fine | Imposing Authority | Additional Non-Financial Sanctions |
|---|---|---|---|
| GDPR | €20 million / 4% of annual global turnover | DPA | Processing bans, data deletion, civil and criminal liability |
| DORA | 1% of daily turnover per day of breach (max. 6 months) | KNF or sector authority | Ban on using ICT provider, mandatory audits, public disclosure |
| NIS2 | €10 million / 2% turnover (critical entities) or €7 million / 1.4% (important entities) | Cybersecurity authority (Polish minister + CSIRT) | Suspension of management, mandatory additional security measures |
| KSC | PLN 1 million (entity) / PLN 200k (manager) | Minister / CSIRT | Enforcement orders for corrective steps, regulatory inspections, and referrals to the prosecutor |

7. Integrating requirements into a single coherent system

Integrating GDPR, DORA, NIS2, and KSC requirements into cohesive management frameworks that function effectively in daily operations presents a challenge for all entities subject to multiple regulations. Most institutions governed by several regulatory regimes must develop a unified compliance model to:

  • Prevent process duplication
  • Harmonize security policies
  • Meet all deadlines and reporting formats


Key Information: Accountability to Supervisory Authorities

1. GDPR (General Data Protection Regulation)

Legal basis: Article 83 GDPR, Articles 102-107 of Poland’s Personal Data Protection Act
Sanctions:

  • Administrative fines:
    • Up to €20 million or 4% of total annual worldwide turnover of the preceding year — whichever is higher.
    • Lower threshold fines: up to €10 million or 2% turnover — for less serious breaches (e.g., failure to maintain records).
  • Orders and prohibitions by the supervisory authority (UODO):
    • Orders to delete data or restrict processing.
    • Suspension of processing operations.
  • Civil liability:
    • Right to compensation for individuals whose data was breached.
  • Criminal liability (Polish law):
    • Fines or imprisonment for illegal processing of special categories of data.

2. DORA (Digital Operational Resilience Act — EU Regulation 2022/2554)

Legal basis: Articles 50-54 DORA + sectoral provisions (e.g., Polish financial market supervision law)
Sanctions:

  • Administrative fines imposed by authorities (e.g., Polish KNF):
    • Could be up to 1% of average daily global turnover of the institution, per day of continuing breach, for up to 6 months.
    • Alternatively, lump sum amounts consistent with national law.
  • Supervisory measures:
    • Orders to remedy breach within a deadline.
    • Ban on using ICT provider.
    • Requirement to conduct additional tests or audits.
  • Public disclosure of breach (“naming & shaming”).

3. NIS2 (EU Directive 2022/2555 — transposed into national law)

Legal basis: Article 34 NIS2 (sanction framework) + transposition laws (in Poland: amendment to KSC)
Sanctions envisaged:

  • Financial penalties:
    • For “critical entities”: up to €10 million or 2% of total global turnover.
    • For “important entities”: up to €7 million or 1.4% of turnover.
  • Supervisory measures:
    • Orders to remedy deficiencies.
    • Temporary suspension of management’s powers.
    • Obligation to implement additional security measures.
  • Reputational: obligation to disclose incidents and breaches.

4. KSC (National Cybersecurity System Act — currently being amended under NIS2)

Legal basis: Act of 5 July 2018 on the National Cybersecurity System
Current sanctions:

  • Financial penalties:
    • Up to PLN 200,000 for unit managers.
    • Up to PLN 1 million for entities — e.g., for failure to implement security requirements, failure to report a serious or critical incident, lack of cooperation with CSIRT.
  • Supervisory measures:
    • Orders to implement specific measures within a set timeframe.
    • Possibility of inspections and audits.
  • Notification of authorities in cases of suspected criminal conduct.
  • Planned changes (post full NIS2 implementation): financial penalties in euros linked to turnover percentages and broader supervisory tools.
