Since 13 April 2026 the KSC Register has been operational. In-scope organizations should already be confirming their registration route, preparing data for registration, assigning S46 roles, and launching KSC/NIS2 implementation work instead of waiting for the end of the adaptation window.
Submit data for assessment
This is a fast intake path. Share core company and contact data, and POLEGIS will perform an initial KSC qualification and explain which actions should start immediately under the amended KSC Act and NIS2 rollout.
Why act now?
- Since 13 April 2026 the KSC Register has been active, and real implementation windows have started for ex officio entries, self-registration, and S46 readiness.
- The self-registration window for entities not entered ex officio runs from 7 May to 3 October 2026, which leaves less time than most organizations assume for data gathering, qualification, and electronic-signature readiness.
- Requirements cover not only technical controls, but also governance, risk, continuity, and evidence traceability.
- Serious incidents are subject to short reporting windows, which requires ready processes and clear ownership.
- Assessment also covers ICT supply chain exposure and dependencies on external providers.
Key KSC deadlines for 2026-2028
Below is a practical implementation timeline based on the amended KSC Act. These dates are operational milestones that should already shape planning and execution.
The register of key and important entities is live. From this date organizations should confirm whether they will be entered ex officio or need to prepare self-registration.
During this period the register is populated ex officio for legacy key-service operators, trust-service providers, telecom operators, and public entities. Data accuracy and readiness for follow-up become critical.
Entities not entered ex officio must submit their own application through the dedicated KSC Register web application available at https://wykaz-ksc.gov.pl, using electronic filing and an electronic signature.
From this date newly in-scope entities may start using S46 for incident reporting and communication with competent authorities.
By this date entities that already met the statutory criteria when the amended law entered into force should be using S46 and should have implemented their core statutory duties, including ISMS-related controls and operational processes.
This is the deadline for the first security audit for key entities that were not previously legacy key-service operators. Entities already subject to the former audit cycle keep the recurring three-year rhythm.
Administrative fines may start only from this date, although prior warnings, information requests, and remediation expectations can be raised earlier.
What your company gets from this analysis
- An initial decision whether and to what extent the company is in KSC scope.
- A list of organizational and technical gaps to close before controls and audits.
- Implementation priorities to reduce regulatory and operational risk quickly.
- A practical roadmap to full readiness.
Assessment scope (KSC questionnaire)
- Governance and management accountability
- Cybersecurity risk management
- Technical and operational safeguards
- Incidents, reporting, and evidence trail
- Business continuity and service restoration
- ICT supply chain and vendor dependencies
What this means in practice
Organizations that may be in scope under the amended KSC Act and NIS2 should run legal, organizational, and technical preparation in parallel. The minimum launch package includes:
- checking whether the organization meets the criteria of a key or important entity under the statutory annexes and sector-specific qualification rules,
- determining whether the organization will be entered ex officio or must self-register during the 7 May - 3 October 2026 window,
- preparing entity data, contact persons, electronic-signature readiness, and an internal process for register updates,
- planning ISMS rollout, governance, asset inventory, risk analysis, business continuity, and ICT supply-chain controls,
- assigning roles for S46, incident handling, communication with the competent authority, and evidence retention,
- starting implementation now so that by 3 April 2027 the organization is not only registered and present in S46, but is actually operating under the amended regime.