How Poland is shaping its NIS2 implementation and what is so special about high-risk vendors?

Written By

Izabela Kowalczuk-Pakula

Partner
Poland

I am an AI and Cyber partner and Head of our Privacy & Data Protection team in Warsaw.

Aleksandra Mizerska

Associate
Poland

I am an associate in the Privacy and Data Protection practice of Bird & Bird's Warsaw office.

Poland is still implementing the NIS2 Directive.

The current (ninth) draft of the Draft Act on the National Cybersecurity System (PL: Projekt ustawy o krajowym systemie cyberbezpieczeństwa oraz niektórych innych ustaw, the “Act”) is still under governmental review and has yet to be submitted to the Polish Parliament. No official schedule for its adoption has been announced.

Alongside the draft of the Act, the Council of Ministers published three drafts of secondary regulations, covering: (i) criteria for classifying incidents as significant; (ii) procedures for assessing the security of information systems used by essential and important entities; and (iii) the Cybersecurity Collegium’s scope of activities and procedures.

How long do organisations have to prepare?

The Act will take effect one month after its adoption by Parliament and publication in the Official Journal. Once it comes into effect, organisations will have six months to implement the necessary cybersecurity risk management measures. Additionally, essential entities must complete their first cybersecurity audit within 24 months of the Act becoming effective.

Entities that qualify as essential or important on the Act’s effective date must also register in the relevant register according to a schedule announced by the Minister of Information Technology (PL: Minister właściwy do spraw informatyzacji). Organisations that meet the criteria for recognition as essential or important only after the Act enters into force must complete their registration within three months of meeting those criteria.

Entities affected by the Act should closely monitor the legislative process.

What is so special about the Polish Act?

Alongside the NIS2 obligations, the Act introduces Polish-specific procedural provisions setting up the incident reporting processes, registration obligations, cybersecurity risk-management measures, and specific management board responsibilities and liabilities. The Act also designates the responsible authorities. In some areas, however, the Polish requirements go beyond what the NIS2 Directive stipulates.

Who qualifies as an HRV?

A notable innovation in the Act is the introduction of the concept of high-risk vendors (“HRVs”). The Act authorises the Minister responsible for information technology to designate suppliers of ICT products, services or specific processes, as well as members of their capital groups, as high-risk if they are deemed to pose a threat to State security interests. The range of entities encompassed by this mechanism is extensive.
</gre_replace>
<gr_replace lines="43-43" cat="clarify" orig="Unlike most">
Unlike most national high-risk vendor regimes in the EU, which mainly cover telecommunications providers, the Polish mechanism reaches well beyond the telecommunications sector.

Unlike most EU national security regulations, which mainly cover telecommunications providers, the Act applies to a wider range of sectors beyond telecommunications.

The HRV regime could apply to suppliers whose equipment or software is used by (1) essential and important entities (with the exception of those in the electronic communications sub-sector), (2) electronic communications providers with annual telecom revenues exceeding PLN 10 million (approximately EUR 2.3 million), and (3) financial sector entities, unless specifically excluded by EU Regulation 2022/2554 (DORA).

Some critics consider the proposed HRV regulation overly burdensome, especially for sectors heavily reliant on foreign ICT products. Business groups have raised concerns about trade barriers and the impact on supply chains. The government, however, argues that the regulation is necessary given the geopolitical risks and the increasing number of cyber incidents in Poland, and justifies these powers by reference to EU policies, recommendations and risk assessment frameworks designed to enhance cybersecurity and protect critical infrastructure, particularly with regard to 5G networks.

HRV recognition process – step by step

Either the Minister for information technology or the Cybersecurity Collegium (PL: Kolegium do Spraw Cyberbezpieczeństwa) can initiate HRV recognition proceedings. The supplier is formally notified, an announcement is published on the Minister’s Public Information Bulletin website, and the Prosecutor General is informed. A brief consultation phase then follows.

Prior to making a final decision, the Minister must consult the Cybersecurity Collegium.

The criteria below are considered for HRV assessment:

  • Security threats: Economic, intelligence, and terrorist risks, as well as threats to allied and EU obligations posed by the supplier, based on intelligence from EU Member States, EU bodies, or NATO.
  • Foreign control: Whether the supplier is controlled by a non-EU/NATO state, considering governing law, data protection practices (especially where no EU agreements exist), ownership structure, and the state's ability to influence the supplier.
  • Sanctions: Links to entities listed under Council Regulation (EU) 2019/796 on restrictive measures against cyber attacks.
  • Vulnerabilities: Number and type of vulnerabilities or incidents in the supplier’s ICT products or services, and their remediation practices.
  • Supply chain oversight: Supervision of production and delivery processes, and related risks.
  • Regulatory compliance: Implementation of recommendations under Article 33(4) of the Act.

The Collegium also takes into account ICT security certificates recognised by EU Member States or NATO, in particular those issued under European cybersecurity certification schemes, as well as analyses prepared by the sectoral CSIRTs.

The supplier is a party to the proceedings under Polish administrative procedure rules, subject to specific exclusions provided for in the Act.

Decision and enforcement

If the Minister determines that a supplier is high-risk, a formal decision is issued specifying which ICT products, services, or processes have been evaluated and are subject to the decision.

This decision is published both in the official journal (Monitor Polski) and online, and it takes immediate effect.

From that moment, essential and important entities and the other entities covered by the Act that use the HRV’s ICT products, services or processes must not introduce the designated products, services or processes into their systems, and must withdraw existing implementations within the specified transition periods (typically up to seven years; four years for major telecom operators with respect to critical functions). Exceptions are allowed for essential maintenance or for updates necessary to ensure service continuity.

Failure to comply may result in fines.

For more information, please contact Izabela Kowalczuk-Pakula and Aleksandra Mizerska.
