28.04.2026

CyberSec Update #17 – UKSC register

Registration in the register of essential and important entities available from 7 May 2026

It has happened. The organisation you manage is subject to the Polish National Cybersecurity System Act (UKSC), and the next mandatory step is registration in the register of essential entities and important entities.

The deadline for fulfilling this obligation is approaching rapidly. If, on the date the UKSC entered into force, i.e. 3 April 2026, your company met the criteria set out in the Act, you must submit the application for entry in the register no later than 3 October 2026.

Who will be entered in the register ex officio?

The legislator has exempted a very narrow group of entities from the obligation to submit an application independently. These entities will be entered in the register ex officio. These include only:

  • telecommunications undertakings,
  • trust service providers,
  • public entities,
  • existing operators of essential services.

All other organisations must submit an application for entry in the register independently.

S46 system – where and how to submit the application?

Applications for entry in the register are submitted via the S46 system. The system has been operating for several years, but has recently undergone significant changes related to the implementation of the UKSC.

It is true that the Act provides for the possibility of entering essential and important entities in the register ex officio also in other cases – if they fail to submit an application within 6 months from the date they are classified under the UKSC. In practice, we do not recommend relying on this solution.

Penalties for failure to register

Failure to submit an application independently within the required timeframe exposes the organisation to a financial penalty:

  • at least PLN 20,000 – in the case of an essential entity,
  • at least PLN 15,000 – in the case of an important entity.

The upper limit of sanctions is, however, significantly higher and may amount to:

  • up to EUR 10 million or 2% of revenue – for an essential entity,
  • up to EUR 7 million or 1.4% of revenue – for an important entity.

The risk is therefore real and definitely not worth taking.

Electronic signature – a key element of the procedure

Before submitting the application, it should be remembered that the S46 system requires the documents to be signed by the representative using:

  • a qualified electronic signature or
  • a trusted profile.

It is worth noting that many popular solutions (e.g. DocuSign) may not meet the requirements of a qualified electronic signature.

This is of particular importance in the case of companies with a foreign management board. In such a situation, a practical solution may be a qualified electronic seal, which can be used by any appropriately authorised employee.

What information must be provided in the application?

In addition to the basic identification data of the entity and the indication of the business sector in accordance with the annexes to the UKSC, the application must specify, among others:

  • the range of public IP addresses used by the entity on a continuous basis,
  • the range of domain names used on a continuous basis,
  • the size of the undertaking determined on the basis of turnover and employment level,
  • the EU Member States in which the entity conducts its activities,
  • whether the organisation has concluded an agreement for the provision of MSP services in the area of security for the performance of tasks related to the data security management system.

S46 is not just a register

It is worth determining already now the persons responsible for operating the S46 system and granting them appropriate permissions. The system is not used solely to submit an application for entry in the register.

It is in S46 that:

  • cybersecurity incidents will be reported,
  • information on vulnerabilities and cyber threats will be published,
  • good practices will be made available.

Therefore, there is no reason to wait – it is already worth determining who in the organisation will be responsible for managing these areas. We will soon explain what to do in the event of a cybersecurity incident.

Author

Alicja Szyrner

 alicja.szyrner@kwkr.pl

KWKR Experts

1 51 52 53 54 55 57

Newsletter

Want to stay up to date?
Subscribe to our newsletter.

By entering your e-mail address above and clicking ‘Subscribe!’ you declare that you have read and accept the Terms of Service and subscribe to the newsletter, i.e. information on legal topics, including information on important legal events, legislative changes and the Law Firm's activities, services and products, via e-mail communication.

The controller of your personal data is KWKR Konieczny Wierzbicki i Partnerzy S.K.A. with its registered office in Kraków, Kącik 4 Street, 30-549 Kraków. Your data will be processed in order to provide the newsletter service and thus send commercial and marketing information to the e-mail address provided, in accordance with the Privacy Policy and the Terms of Service. For more information on the principles of personal data processing, including your rights, please see the Privacy Policy.

Please wait...

Thank you for sign up!