Poland NIS2 transposition (UKSC amendment) in force 3 April 2026 — water-sector essential-entity status

ABW's 2025 Annual Report (published 2026-05-07) is the only annual report this week that combines new ground-truth attribution detail with explicit regulatory-coverage-gap framing. The five named municipal water facilities (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo) all sit below the NIS2 essential-entity headcount threshold. ABW formally attributes initial access and persistence to APT28 (GRU), intelligence-collection overlay at Jabłonna Lacka to APT29 (SVR), and a disinformation overlay (fabricated leak documents purporting contamination data) to UNC1151 (Belarusian, Ghostwriter-affiliated) — granular tri-attribution materially beyond the "pro-Russian hacktivist" framing in initial reporting. ABW is recommending legislative action to extend NIS2 obligations to critical-function entities regardless of headcount. The cross-finding pattern for Swiss / EU public-sector readers: small municipal CI operators sit below regulatory coverage but inside hostile-state targeting; expect more regulator-side movement on this gap in coming weeks (daily 2026-05-09 UPDATE).

Poland's amended National Cybersecurity System Act (UKSC) entered into force on 3 April 2026, implementing NIS2 with a full compliance deadline of 3 April 2027 and first audit deadline 3 April 2028 (Addleshaw Goddard, 2026-02-26 · SecurityWeek, 2026-05-08). "Drinking water supply and distribution" and "wastewater management" are now designated essential-entity sectors in Polish law — meaning the five municipal water treatment facilities ABW documented as breached during 2025 (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo; § 4 / § 7) would, if attacked today, fall under NIS2 incident-reporting obligations. The attack vectors ABW attributes to APT28 / APT29 / UNC1151 (default credentials, internet-exposed ICS) are addressable by NIS2 Article 21 minimum security measures. The remaining policy gap: the breached small municipal operators are precisely the sub-threshold entities whose NIS2 coverage status is borderline under size-cap rules; the EC's NIS2 amendment introduces a "small mid-cap" important-entity category but does not resolve this specific small-municipality water-supply gap (member-state discretion). What defenders need to do differently: OT environments in small Polish municipalities with recently-transposed NIS2 obligations should treat the UKSC registration deadline (3 October 2026) as the immediate action item, and the 2025 ABW-documented attack vectors as the first patch-sprint target. For Swiss / EU operators reading: the ABW recommendation to extend essential-entity coverage below headcount threshold is now backed by both a documented compromise pattern and a freshly-transposed national NIS2 framework.