Cybersecurity in the energy sector
The practical implications of new regulations
June 11, 2026
In an era of rapidly advancing digital technology and a growing number of threats in cyberspace, the cybersecurity sector is becoming one of the key areas of focus. In response to increasingly complex and diverse challenges, a number of changes have been introduced in recent years aimed at strengthening the legal framework and improving the effectiveness of preventive measures. One sector requiring particular protection due to its importance is the energy sector. Attacks targeting entities in the energy sector could disrupt the continuity of energy supply, which could lead to higher prices or reduced availability.

Consequently, the EU legislator has adopted new legislation to strengthen protection against cyber threats. These include Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity within the Union (NIS 2 Directive). It replaces the NIS 1 Directive, which laid the foundations for Community legislation on cybersecurity. On 3 April this year, the Act of 23 January 2026 amending the Act on the National Cybersecurity System and certain other acts, which implements the NIS 2 Directive, came into force. It should be noted that the Act has been referred to the Constitutional Tribunal for subsequent review, which means that its provisions remain in force, although their constitutionality is still under assessment.

What does it mean for the Polish energy sector?

The NIS 2 Directive applies to public and private entities of the types listed in Annex I (‘sectors of high criticality’) and Annex II (other critical sectors) that meet the enterprise size threshold (generally medium-sized or larger) and operate within the EU. In addition, exceptions and extensions are provided for (e.g. for certain smaller entities of critical importance). Member States classify entities as essential or important.
Essential sectors include, among others, energy (sub-sectors: electricity, district heating or cooling, oil, gas and hydrogen), transport (including infrastructure managers/operators), water and wastewater, and digital infrastructure. The amendment to the Critical Infrastructure Act (KSC), in addition to the sub-sectors listed in the NIS 2 Directive, also expands the list of energy sector sub-sectors to include: mineral extraction, nuclear energy and the activities of public entities.

From a regulatory perspective relating to critical infrastructure, the scope of application primarily covers network and facility operators. These include, amongst others, entities involved in the generation, transmission and distribution of energy, the management of transport infrastructure, as well as the provision of services in the areas of water supply and waste water management. The amendment also covers a broad spectrum of participants in the electricity, gas and district heating markets. This applies to both transmission and distribution system operators (TSOs and DSOs) and operators of energy storage facilities and LNG infrastructure.

The amendment to the KSC Act, following the NIS 2 Directive, introduces the concepts of ‘essential entities’ and ‘important entities’, replacing the previous terms ‘operators of essential services’ and ‘digital service providers’. Essential and important entities shall implement appropriate and proportionate technical, operational and organisational measures to ensure a level of security appropriate to the risks posed. The catalogue includes, amongst other things: risk analysis and information security policies, incident handling, business continuity and crisis management, supply chain security, cryptography policies and procedures, security in the procurement, development and maintenance of systems, training, access control policies, multi-factor/continuous authentication, secure communication and emergency communications.
Management and accountability of governing bodies

At the management level, the amendment introduces additional requirements regarding the responsibilities of the members of the management bodies. These bodies approve risk management measures, oversee their implementation and may be held liable for breaches of duties in this regard (in accordance with national law). An obligation to provide training for members of management bodies and senior management has also been introduced.

Audit

Essential entities conduct regular cyclical security audits of the information systems used to provide services. Ministerial notices stipulate that for ‘new’ essential entities, the first audit must take place within 24 months of the conditions being met.

Self-identification of entities

Currently, operators of essential services are designated by administrative decision, but following the introduction of the self-identification requirement, every entity will be legally obliged to determine its own status and register in the List of Critical and Important Entities maintained in the S46 system.

Incident handling and cooperation with CSIRTs

Under the national regulations currently in force, a competent authority for cybersecurity has been established for each sector. In the energy sector, this authority is the Minister responsible for energy. According to the 2024 Report of the Government Plenipotentiary for Cybersecurity (Sprawozdanie Pełnomocnika Rządu do Spraw Cyberbezpieczeństwa), published by the Ministry of Digital Affairs, regarding incidents for that year, although not a single critical incident was recorded, six significant incidents were registered, five of which occurred in the energy sector. All of them resulted from failures and did not bear the hallmarks of external attacks. The year 2025, however, saw large-scale, coordinated attacks targeting the stability of energy supplies.
The amendment to the KSC defines an incident as an event that has or may have an adverse effect on the security of information systems, and a significant incident as an incident that causes or may cause a serious reduction in the quality or interruption of the continuity of service provision by an essential or an important entity, financial losses for that entity, or affects other natural persons, legal persons, or organisational units without legal personality by causing serious material or non-material damage.

In accordance with the amendment, an essential entity will be obliged to report such an incident to the relevant sectoral or sub-sectoral Computer Security Incident Response Team (CSIRT). There are currently three CSIRTs at national level, but the competent authority may also establish a sectoral cybersecurity team. A CSIRT for the energy sector has not yet been established. An essential entity will be required to report an early warning of a significant incident immediately, no later than within 24 hours of becoming aware of the significant incident, and the CSIRT will be required to provide support. Within 72 hours, the essential or important entity must report such an incident along with additional information. At the request of the sectoral CSIRT, the entity will be required to submit an interim report within one month of reporting a significant incident. An essential or important entity will also be required to inform the users of its services of a significant incident if it has an adverse effect on the provision of those services.

Key deadlines

In the context of implementing the regulations resulting from the amendment to the KSC, a number of key deadlines have been set, which determine the obligations of individual entities. From the perspective of implementing the cybersecurity risk-management measures, the date of 3 April 2027 is of particular importance.
By this date, entities that already met the criteria for being subject to the regulation at the time the amendment came into force should have fully implemented the required organisational and technical mechanisms. The key deadline for conducting the first audit for so-called ‘new’ essential entities is 3 April 2028.

Summary

In the face of a growing number of threats in cyberspace, cybersecurity challenges will intensify; therefore, it is crucial not only to comply with regulations but also to invest in innovative solutions and develop expertise in this area. Implementing the regulations requires companies not only to adapt their procedures but also to build a culture of cybersecurity at all stages of the supply chain. This will determine the stability and security of the energy sector in the coming years.