Poland’s cybersecurity framework is essential but risks overburdening thousands with excessive measures.
Cybersecurity Risks and Current Gaps
Cyber threats have become an element of daily risk for the state, administration, and economy. The absence of coherent legal frameworks weakens the entire system’s resilience. The government’s shift from declarations to legislation is positive, but several issues undermine this progress.
NIS2 Directive Implementation Concerns
The NIS2 directive was designed as a minimum harmonization instrument, built on proportionality, technological neutrality, and risk analysis. Member states may adapt its rules to their national context, but implementation should not produce a system more restrictive than necessary to achieve the directive's goal.
Scope and Proportionality Issues
The draft amendment to the National Cybersecurity System Act exhibits gold-plating, that is, it exceeds the EU minimums. This applies not only to the state's intervention tools but also to the scale of regulation. The new obligations could cover tens of thousands of entities, making Poland's proposal one of the broadest in the EU. In practice, the regime would encompass not only major infrastructure entities but also numerous firms across diverse sectors.
Procedural and Legal Concerns
Such broad regulation raises proportionality questions. Cybersecurity requires focus on critical points, not uniform obligations for entities with vastly different risk profiles, organizational capacities, and financial resources. For many firms, especially mid-sized ones, new requirements could mean significant costs, process reorganization, and increased regulatory risk.
Balancing Security and Regulation
The shift from evaluating technologies to assessing entities is questionable. Cybersecurity hinges on specific technical solutions: architecture, auditability, certification, and operational control. States acquire concrete technologies, not generic frameworks, and adapt them to their security needs. Moving away from this increases the arbitrariness of decisions and reduces legal predictability. The procedures also lack adequate safeguards: judicial review is limited, the grounds for decisions are not disclosed, and administrative rulings affecting 38,000 entities would be broadly and immediately enforceable.