17.06.2026

CyberSec Update #24 – DSA implementation in Poland

Provision of Electronic Services Act (DSA) – growing cybersecurity requirements

At the beginning of the 20th century, a popular joke described how representatives of different nationalities would write an essay about an elephant. Each approached the topic from a different perspective, exploring various aspects of elephants’ lives, while a Pole, without hesitation, wrote an essay titled “The Elephant and the Polish Cause”. Just as our compatriots once related everything to the Polish cause, we – within the #CyberSecUpdate series – analyse legal acts through the lens of cybersecurity.

A new draft following the presidential veto

The Ministry of Digital Affairs has presented a new draft act amending the Act on the Provision of Electronic Services, aimed at aligning Polish regulations with Regulation (EU) 2022/2065 of the European Parliament and of the Council on a Single Market for Digital Services (DSA).

The previous version of the act was vetoed by the President in January this year.

The proposal sparked significant controversy. Supporters emphasised that the new rules would introduce clear liability principles for online platforms and make it easier to combat illegal content. Critics, however, raised concerns about the risk of excessive state interference, internet censorship, and limitations on freedom of speech.

The debate on DSA should not be considered in isolation from the growing digital security requirements introduced under NIS2.

Why did the President veto the previous act?

The President’s main concerns focused on the possibility that the Chair of the National Broadcasting Council (KRRiT) or the President of the Electronic Communications Office (UKE) could block online content without prior court approval. The catalogue of content subject to blocking was considered too broad, particularly in relation to general categories such as “content infringing personal rights” or “violations of intellectual property law”.

In the justification for the veto, it was stressed that assessing such violations requires judicial proceedings to determine whether the content falls within the scope of freedom of expression. As a result, the act was referred back for reconsideration.

A new governmental approach – two separate acts

The Ministry of Digital Affairs has decided to split the changes into two separate acts so that at least part of the provisions can enter into force sooner.

Division of regulatory competences

The first act aims to align the national legal framework with DSA requirements and designate authorities responsible for enforcement. According to the new proposal, the President of the Energy Regulatory Office (URE) is to act as the Digital Services Coordinator, responsible for supervising the application of the regulation, handling citizens’ complaints, and conducting proceedings against non-compliant service providers.

The Chair of KRRiT will supervise video-sharing platforms and handle requests to block illegal content. Meanwhile, the President of the Office of Competition and Consumer Protection (UOKiK) will be responsible for consumer protection, including breaches of platform obligations and unfair practices.

DSA and NIS2 – overlapping obligations

At this point, an important intersection with NIS2 emerges: entities subject to DSA – particularly large platforms, hosting service providers, and infrastructure operators – are often also classified as essential or important entities under NIS2.

This means they will need to simultaneously comply with obligations relating to:

  • content moderation and algorithm transparency (DSA),
  • risk management, incident handling, and infrastructure security (NIS2).

Content blocking procedures

The second draft concerns procedures for blocking illegal content – the area that raised the greatest concerns in the presidential veto.

According to the new assumptions:

  • authorised authorities (prosecution, police, National Revenue Administration, and Border Guard) will be able to request fast blocking of unlawful content, including content related to child sexual abuse, identity theft, fraud, and copyright infringement;
  • immediate enforcement of content blocking decisions will be possible only in cases involving the most serious offences related to sexual abuse of minors;
  • parties to the proceedings will have access to an appeal mechanism, i.e. the right to lodge an objection with a court;
  • the objection must be transmitted to the court within 2 days (previously 7 days).

Cybersecurity implications

From the NIS2 perspective, it is particularly important that any decision to block content may involve interference with ICT systems, which requires:

  • clear procedures,
  • minimisation of service disruption risks,
  • ensuring business continuity,
  • proper incident management.

It should also be noted that one of the obligations of the management of essential or important entities under #NIS2 / #KSC2 is to ensure organisational compliance with applicable law, including sector-specific regulations. For digital service providers, such regulations will include, among others, the DSA and its implementing provisions.

What’s next?

The draft acts were submitted to the Polish Parliament on 9 June 2026. Will the proposed changes convince the President and allow the legislation to enter into force?

One thing is certain: the implementation of DSA and NIS2 will become increasingly interconnected, and digital entities must prepare to meet parallel requirements concerning both content governance and infrastructure security. We will continue to cover these developments in future editions of CyberSecUpdate.
