Cybersecurity: New Regulatory Landscape
In the field of cybersecurity regulation, most stakeholders are awaiting the adoption of the law amending the national cybersecurity system in connection with the NIS2 Directive. Meanwhile, another legal act has been adopted in parallel, serving as a supplement to the national cybersecurity framework. This is the Act on the National Cybersecurity Certification System, which entered into force on 28 August.

Certification mandated by an EU regulation…
The Act on the National Cybersecurity Certification System (NCCS) responds to Regulation (EU) 2019/881 of the European Parliament and of the Council, which established the European cybersecurity certification framework and set common conditions for obtaining certificates across Member States. The Act makes it possible to obtain certification not only for ICT products, ICT services, and ICT processes but also for cybersecurity management systems and for individuals in terms of their skills in the cybersecurity domain.
…but still voluntary
Even though cybersecurity certification is now regulated by a statute, certification remains entirely voluntary. This applies both to conformity assessment bodies and to entities subjecting themselves to certification.
Private certification schemes
So far, private certification schemes have remained outside the legal framework, with the value of a given certificate determined solely by the scheme owner or initiator. The new Act does not “invalidate” private certification programs but introduces the principle that they will not have the status of national cybersecurity certification schemes. Likewise, certificates issued under such private schemes will not be recognized as national cybersecurity certificates.
An opportunity for the domestic certification market
The new regulations will give IT companies access to certificates valid throughout the EU. They will be able to certify not only their products and services but also their personnel. The role of NASK-PIB and other state research institutes also deserves recognition. NASK-PIB is currently the only certification body in Poland operating under the Common Criteria methodology. The expert knowledge concentrated in state research institutes, in particular NASK-PIB and the National Institute of Telecommunications, is expected to be harnessed to carry out tasks delegated by the minister responsible for digital affairs.
A factor for building competitive advantage
Although certification is voluntary, over time the market itself is likely to enforce certification in certain areas. Certification granted to a specific product or service will undoubtedly serve as a tool for gaining an edge over competitors in the same industry. Certifications may also eventually become a requirement in tendering procedures, with contracting authorities directing their requirements toward specific certificates for ICT products or services.
Work on the NIS2 transposition law continues
At the same time, work is ongoing on the law amending the Act on the National Cybersecurity System and certain other acts. We are now looking at the seventh draft, dated 12 August 2025 (UC32). It is worth recalling that the NIS2 Directive required Member States to transpose its provisions into national law by 17 October 2024.
Once adopted, the law will enter into force one month after publication, with a further six months granted to the covered entities to implement the required measures.
What’s new in the latest draft?
The latest draft introduces changes in several areas. It refines size criteria for the qualification of essential entities, ensuring consistency with NIS2 by including large enterprises. It clarifies provisions on the competence of the Polish cybersecurity authority with respect to entities in the digital infrastructure sector if they have appointed a representative with an organizational unit in Poland. It also clarifies classification in Annex 1 for entities providing services in support of maritime transport within a port, aligning with EU NACE classifications to ensure consistency with the Crisis Management Act amendment. Finally, it refines classification in Annex 1 for the road transport subsector, specifying entities as ITS service providers, aligning with the concept of ITS operators under NIS2.