
On 26 February the legal publisher printed amendments to Poland’s National Cybersecurity System Act, completing the country’s transposition of the EU’s NIS2 Directive. After a one-month vacatio legis, the new rules will apply from late March 2026. Companies meeting size or sector thresholds must register as “essential” or “important” entities and implement expanded governance, incident-reporting and supply-chain-risk controls. (addleshawgoddard.com)
Why does this matter for global mobility? Many expatriate-heavy sectors—energy, transport, healthcare, digital infrastructure—fall within NIS2’s scope. Overseas HQs often assume that Polish subsidiaries mirror home-country compliance regimes, but under NIS2 liability rests with the local legal entity and, in certain cases, with individual managers.
VisaHQ can also support organisations and their globally mobile staff by streamlining the Polish visa and residence-permit process, ensuring that assignees who will serve as on-call managers or board members obtain the correct immigration status before the Act takes effect. The company’s online platform (https://www.visahq.com/poland/) offers up-to-date requirements, document checklists and courier services, freeing HR and mobility teams to focus on NIS2 readiness while VisaHQ handles the necessary paperwork.
Assignees holding statutory-board positions or delegated director mandates could face personal fines of up to PLN 1.4 million for wilful negligence. Mobility teams should therefore coordinate with cybersecurity and legal colleagues to ensure that assignees receive director-liability briefings and that D&O insurance is extended where needed.
The Act also requires that at least one manager be reachable in Poland 24/7 to liaise with the national CSIRT (Computer Security Incident Response Team). Employers relying on regional “follow-the-sun” models may need to adjust duty-rosters or designate alternate contact points within the expatriate population.








