Poland’s National Cybersecurity Act: A Major Step Amidst Presidential Concerns
In a significant development for Poland’s digital landscape, President Karol Nawrocki has signed the National Cybersecurity System (KSC) Act. This momentous occasion marks the culmination of approximately seven years of legislative work and serves as the national implementation of the European Union’s NIS 2 directive (Directive on measures for a high common level of cybersecurity across the Union). The new act aims to bolster Poland’s resilience against an ever-growing array of cyber threats, but it has not been without controversy, as President Nawrocki has concurrently referred the legislation to the Constitutional Tribunal.
Expanding Scope and Strengthening Infrastructure
The newly signed KSC Act significantly broadens the scope of entities covered by cybersecurity regulations. This expansion goes beyond previous mandates, incorporating critical sectors vital to national functioning. According to a press release from the Chancellery of the President of the Republic of Poland (KPRP), the updated law now includes:
- Space sector
- Postal services
- Manufacturing, including the production and distribution of chemicals and food
- Wastewater management
These newly covered sectors are slated to receive their dedicated Computer Security Incident Response Teams (CSIRTs), specialized units designed to detect, analyze, and respond to cybersecurity incidents. Furthermore, the National Research Institute NASK (Państwowy Instytut Badawczy NASK), a key player in Poland’s cybersecurity ecosystem, will receive additional funding to strengthen its capabilities.
The significance of this legislative stride was echoed by Krzysztof Gawkowski, who highlighted the positive impact on Poland’s digital security:
After 6 years of work, Poland will have a modern National Cybersecurity System👌💪 This is a great step toward greater security for Poland in cyberspace. Citizens, institutions and companies will benefit. New sectoral CSIRT teams will be created, we will strengthen the coordination of activities on…
— Krzysztof Gawkowski (@KGawkowski) February 19, 2026
This sentiment underscores the broad anticipation that citizens, institutions, and businesses will all benefit from enhanced cybersecurity measures and improved coordination.
Tackling High-Risk Suppliers
A crucial provision of the KSC Act is the power to identify “high-risk suppliers.” This power allows the Ministry of Digitalization to prohibit the use of software and hardware components that could pose a significant security threat to public institutions. The measure is designed to protect critical infrastructure and government bodies from potentially compromised or malicious technologies, enhancing national security.
Presidential Concerns Despite Signing
While the KSC Act represents a monumental step for Poland’s cybersecurity, its journey to full implementation faces a hurdle. Despite signing the legislation, President Karol Nawrocki has referred the entire act to the Constitutional Tribunal. This move signals significant reservations, even though a particular amendment, which would have allowed the President or his representative to participate in the work on the KSC, was seemingly addressed.
Why the Referral to the Constitutional Tribunal?
The President’s doubts primarily stem from several key areas:
- Broad Scope and Economic Impact: The act extends its coverage to an extensive 18 economic sectors, grouping them into “key” and “important” entities. The President notes that this broad expansion does not originate from European regulations but is an independent initiative by the Polish government, raising questions about its necessity and justification.
- Interference with Business Autonomy: Significant concerns have been raised regarding provisions that regulate the recognition of entities as “high-risk suppliers” (DWR) and the issuance of so-called “protective orders.” These regulations are seen as interfering with the operational autonomy of businesses, potentially imposing obligations such as mandatory equipment and software replacement without compensation or guaranteed financial support for these changes.
- Flawed Decision-Making and Judicial Protection: The decision-making process by cybersecurity bodies concerning “key” and “important” entities is deemed faulty from the perspective of procedural guarantees and judicial protection. This suggests a lack of sufficient safeguards for affected organizations to appeal or contest decisions.
- Strict Administrative Penalties: The act introduces a highly restrictive system of administrative penalties, where the potential fines are so substantial that they are described as having the character of independent criminal sanctions, raising questions about proportionality.
These concerns, as detailed in an information statement from the KPRP regarding the amendment of the national security system act, highlight a tension between enhancing national cybersecurity and protecting the autonomy and financial stability of private enterprises.
What Happens Next?
The fate of the KSC Act now rests with the Constitutional Tribunal. If the Tribunal finds no objections to the legislation, the act will officially enter into force one month after its publication in the Journal of Laws. However, a ruling against the act, or parts of it, could necessitate further amendments or even a complete redrafting, prolonging the implementation of these crucial cybersecurity measures.
Frequently Asked Questions (FAQ)
What is the KSC Act?
The KSC (Krajowy System Cyberbezpieczeństwa) Act is Poland’s National Cybersecurity System Act, a new law designed to enhance national cybersecurity by implementing the European Union’s NIS 2 directive and expanding cybersecurity regulations to more sectors.
Which sectors are now covered by the KSC Act?
The updated KSC Act now includes the space sector, postal services, manufacturing (including chemicals and food production/distribution), and wastewater management, among others.
What are CSIRTs?
CSIRTs (Computer Security Incident Response Teams) are specialized units established to detect, analyze, and respond to cybersecurity incidents. Under the new act, specific CSIRTs will be created for the newly covered sectors.
Why did President Karol Nawrocki refer the act to the Constitutional Tribunal?
President Nawrocki referred the act due to concerns about its broad scope covering 18 economic sectors (an independent government initiative not mandated by EU law), potential interference with business autonomy through “protective orders” and uncompensated equipment replacement, perceived flaws in the decision-making process for cybersecurity bodies, and overly strict administrative penalties.
Source: Chancellery of the President of the Republic of Poland (KPRP)
Opening photo: Generated by Gemini

