Poland’s cybersecurity law amendment clashes with new EU regulations, risking legal contradictions and market fragmentation.
Polish KSC Project vs. EU CSA2
A document harmonizing ICT supply chain security and EU-wide certification questions the validity of Polish provisions. The new proposals make much of the pending KSC amendment not only outdated but also contradictory to upcoming EU legal frameworks. The Polish legislative process resembles a “snowball in motion,” with politically charged high-risk vendor (HRV) provisions added over the years in the course of implementing NIS2.
While Poland debates granting ministers near-absolute power to remove equipment from 18 economic sectors, the EU’s CSA2 project envisions a radically different approach. Brussels recognizes that market fragmentation—where a router is “safe” in Germany but “banned” in Poland—undermines the single digital market.
High-Risk Vendor Provisions
Poland’s KSC HRV approach is a “carpet” solution: risk assessment is dangerously politicized, with the Digital Minister making key decisions alone using vague criteria that allow significant discretion. The Cybersecurity College’s role is merely advisory, offering insufficient safeguards.
CSA2 proposes a multi-stage, EU-coordinated mechanism: coordinated risk assessment at the EU level, risk category/concern identification by the European Commission, and executive acts for specific vendors or product categories. This replaces “witch hunts” with unified European risk assessment.
Scope of Impact
Poland’s amendment extends forced infrastructure replacement to tens of thousands of entities. Combined with the HRV rules, the definitions of “key” and “important” entities could theoretically compel water utilities, hospitals, or factories to remove equipment from risky suppliers.
CSA2 targets only “critical ICT assets” in vital supply chains. It states explicitly that not every network switch in every firm threatens EU security. Restrictions apply only to infrastructure of critical cross-border significance. Measures must be “appropriate and proportional,” requiring an analysis of economic impact and of the availability of alternatives before any ban.
Legal Risks
The Polish project is a one-way ticket: an HRV designation is effectively a death sentence for a company, tainting all its equipment regardless of actual risk. CSA2 introduces a “request for exemption” mechanism, allowing even non-EU suppliers to prove their specific situation warrants market access.
Should CSA2 become directly applicable, HRV provisions would become obsolete and legally void upon enactment. Poland risks mass compensation claims over non-notified technical requirements, as such unnotified rules are unenforceable by national courts.


