Online safety & content laws in Poland (2026)

The President of Poland signed into law the amendment to the National Cybersecurity System Act implementing the EU NIS2 Directive, expanding the regulated population from a few hundred to potentially tens of thousands of entities across energy, health, transport, digital infrastructure, and other critical sectors. Poland had missed the EU's October 2024 deadline and received a European Commission reasoned opinion in May 2025 for failure to notify transposition.

The Polish Sejm passed the bill amending the Act on Providing Services by Electronic Means to implement the EU Digital Services Act, designating the President of the Office of Electronic Communications (UKE) and the President of the Office of Competition and Consumer Protection (UOKiK) as national Digital Services Coordinators. The bill came more than 21 months after Poland missed the February 2024 EU deadline and while facing CJEU infringement proceedings.

The European Commission referred Poland (alongside Czechia, Spain, Cyprus, and Portugal) to the Court of Justice of the EU for failing to designate and empower a national Digital Services Coordinator and for failing to establish a domestic penalty regime under the DSA — both obligations that were due by 17 February 2024. The referral opened the litigation phase of the infringement procedure.

Poland's Electronic Communications Law (Prawo komunikacji elektronicznej, signed 12 July 2024, published 9 August 2024) replaced the two-decade-old Telecommunications Law, transposing the EU European Electronic Communications Code. It expanded regulatory scope to interpersonal communication services beyond traditional telecoms and strengthened consumer rights online, ending the CJEU's daily fine regime.

The Court of Justice of the EU ruled that Poland had failed to transpose the European Electronic Communications Code (Directive 2018/1972) and imposed a lump-sum fine of €4 million plus a daily penalty of €50,000 per day of continued non-compliance. The financial pressure directly accelerated Poland's enactment of the Electronic Communications Law later that year.

Poland's Ministry of Justice published a controversial draft law on freedom of speech on social media, triggered by platforms suspending Donald Trump's accounts. The bill would have banned platforms from removing content not violating Polish law, created a 'Freedom of Speech Council', and imposed fines up to €11 million on platforms for unlawful takedowns. RSF and EDRi warned it would enable state-directed censorship; the bill was never enacted and was effectively superseded by DSA negotiations.

Poland's Act of 10 May 2018 on the Protection of Personal Data entered into force, implementing the EU GDPR and replacing the 1997 data-protection framework. It established the President of the Personal Data Protection Office (UODO) as the new independent supervisory authority, replacing GIODO. The Act set binding rules for online personal-data collection, processing, and enforcement relevant to all internet services operating in Poland.

Under the amended Gambling Act, Poland launched a public register of blocked gambling domains managed by the Ministry of Finance (later the Opole Customs and Fiscal Office). ISPs must block listed domains within 48 hours and payment operators must refuse transactions to them. By October 2025 the register contained over 51,000 entries — Poland's first systematic statutory website-blocking infrastructure.

Poland enacted a surveillance law establishing a direct fast lane for law enforcement and intelligence agencies to obtain data from telecommunications and internet service providers without prior judicial authorisation. Critics and civil liberties organisations warned the law lacked proportionality safeguards and enabled bulk interception of online communications.