Cybersecurity regulation in Poland (2026)
Poland has a comprehensive horizontal cybersecurity law, the Act on the National Cybersecurity System (KSC), in force since 2018 to implement the original NIS Directive. A major amendment transposing the EU NIS2 Directive was signed by the President on 19 February 2026, published in the Journal of Laws in March 2026, and entered into force in early April 2026, expanding the regime to thousands of 'essential' and 'important' entities and adding management accountability, high-risk-vendor designation powers, and tiered breach-notification duties. EU baselines (NIS2, GDPR, DORA for finance) apply alongside the national framework.
Key points
The Act on the National Cybersecurity System of 5 July 2018 established Poland's horizontal cyber framework (operators of essential services, digital service providers, public bodies) implementing NIS1; it remains the backbone, now upgraded for NIS2. The Ministry of Digital Affairs is the lead authority.
The amendment transposing NIS2 was signed by President Nawrocki on 19 February 2026, published in the Dziennik Ustaw (Journal of Laws) in March 2026, and entered into force in early April 2026 — after Poland missed the EU's 17 October 2024 deadline and faced Commission infringement action.
The NIS2 amendment replaces the old 'operators of essential services' model with the NIS2 categories of essential and important entities, expanding coverage to tens of thousands of organisations across sectors such as energy, transport, banking, health, digital infrastructure, public administration, and (in some drafts) food and chemicals.
Entities must report significant incidents to the competent national CSIRT (CSIRT NASK, CSIRT GOV, or CSIRT MON) following the NIS2 staged model: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within one month. The original KSC Act already imposed a 24-hour incident-reporting limit on operators of essential services.
A distinctive Polish feature: the minister responsible for IT/digital affairs may designate suppliers of ICT products, services, or processes (and their corporate-group members) as 'high-risk vendors' where they pose a threat to state security, triggering restrictions on their use by regulated entities.
The law imposes ISMS obligations (referencing PN-EN ISO/IEC 27001 and ISO 22301) and direct top-management responsibility for cyber risk management. Fines reach up to EUR 10 million or 2% of global annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities, with transitional periods before the highest fines apply.
Timeline - major decisions & events
Poland's amended Act on the National Cybersecurity System became fully operative, expanding mandatory cybersecurity obligations to an estimated 42,000 entities across 18 sectors and introducing a High-Risk Vendor (HRV) mechanism allowing the Minister of Digital Affairs to ban ICT suppliers deemed threats to national security—extended beyond telecoms to all NIS2-covered sectors.
Source: European Commission – Digital Strategy (NIS2 Poland transposition tracker)
Poland's Digital Minister confirmed unauthorized access to POLSA's IT infrastructure; the agency immediately severed its network and staff were directed to use phones instead of email. Preliminary analysis pointed to capabilities consistent with state-sponsored actors, with Russia's APT28 (GRU) cited as a leading suspect—consistent with Poland's designation as the EU's most cyber-targeted member state.
Source: The Record (Recorded Future News)
Poland's two national incident-response teams issued a joint technical advisory documenting a large-scale phishing campaign attributed to Russia's APT28 (GRU) that targeted Polish government institutions, deploying a multi-stage redirect chain to download a disguised executable that harvested credentials from Microsoft Exchange mailboxes.
Source: CERT Polska (CSIRT NASK)
Security researchers confirmed sustained exploitation of a critical Microsoft Outlook vulnerability by Russia's APT28 against Polish government and private-sector targets, part of a broader NATO-wide campaign that began as a zero-day in April 2022; the incidents drove CERT Polska to escalate threat warnings to Polish network administrators.
Source: Help Net Security
The Killnet hacktivist collective targeted Poland's Ministry of Foreign Affairs, Senate, Border Control, and Police websites with sustained DDoS attacks in retaliation for Poland's support of Ukraine, marking the onset of an enduring pattern of Russian-aligned hybrid cyber operations against Polish state institutions that CSIRT GOV has had to counter continuously since.
Source: Security Affairs
The Council of Ministers approved Poland's second national cybersecurity strategy, establishing five objectives: maturing the KSC system, hardening public-administration and private-sector resilience, building national R&D capacity in cybersecurity, raising public awareness, and strengthening Poland's international cyber standing—with the Ministry of Digital Affairs as coordinator.
Source: Ministerstwo Cyfryzacji (Ministry of Digital Affairs) – Gov.pl
Poland's first comprehensive cybersecurity statute entered into force, establishing three national CSIRTs (CSIRT GOV at the Internal Security Agency ABW, CSIRT MON at the Ministry of Defence, and CSIRT NASK/CERT Polska), mandatory incident-reporting obligations for operators of essential services and digital service providers, and a supervisory regime—fully transposing EU NIS Directive 2016/1148.
Source: ISAP – Sejm of the Republic of Poland (Official Legislative Database)
Poland's first computer emergency response team was created within the state-owned NASK (Research and Academic Computer Network), laying the institutional foundation for national-level cyber-incident handling; CERT Polska joined FIRST in 1998 and TF-CSIRT in 2000, and was formally designated CSIRT NASK under the 2018 KSC Act.
Source: CERT Polska – About Us
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.