Poland’s Cybersecurity Strategy for 2026–2029

Amid the rush of day-to-day responsibilities, it is sometimes worth pausing for a moment and taking a broader perspective. History offers many examples – with King Pyrrhus among the most notable – of leaders who won individual battles only to lose the war due to the absence of a sound strategy.

We typically analyse specific aspects of cybersecurity, particularly those related to NIS2. This time, however, it is worth looking at the topic from a broader, strategic perspective.

A new cybersecurity strategy – direction for 2026–2029

The Council of Ministers has adopted a new Cybersecurity Strategy of the Republic of Poland for 2026–2029, setting the direction for the development of digital security in Poland for the coming years. This is a document of particular importance, closely linked to the development of the national cybersecurity system, whose foundations include the legislation implementing the NIS2 Directive, frequently discussed in our series.

The strategy focuses on:

• enhancing the resilience of national entities,
• increasing capabilities to detect and respond to threats,
• developing cybersecurity competencies in the public and private sectors, as well as among citizens.

Key objectives of the strategy

The document identifies the main areas of action, including:

• development and strengthening of the National Cybersecurity System,
• enhancing incident response capabilities and combating cybercrime,
• strengthening the resilience of information systems in both public and private sectors,
• developing cooperation between public administration and business,
• education and training initiatives,
• development of research, innovation and technology,
• deepening international cooperation.

Main initiatives

More effective countering of cybercrime

The strategy envisages the creation of a coherent regulatory system to improve the fight against cybercrime. This includes faster access for law enforcement authorities to data, improved securing of evidence, measures to prevent identity theft and changes to data retention rules.

In addition, mechanisms are planned for blocking websites used for criminal purposes, monitoring cryptoassets and limiting abuses such as spoofing or fraudulent SMS messages. Particular emphasis is placed on the protection of children and preventing the use of artificial intelligence for criminal activities.

Implementation of advanced cryptographic solutions

The strategy provides for the development of technologies supporting electronic identification, based on multi-source identity and the SSI concept. These include pseudonymous authentication, independent time-stamping, end-to-end encryption and mechanisms to ensure document integrity.

A national cloud for classified information

An important element of the strategy is also the establishment of a national cloud infrastructure for processing classified information.

Strengthening supply chain security

The strategy highlights the need to build domestic technological capabilities and develop a cybersecurity certification system. It also emphasises the importance of eliminating products from high-risk suppliers.

Measures include the development of tools to assess the origin and integrity of components, as well as support for domestic technologies. These actions are intended to reduce exposure to external threats and increase the stability of digital infrastructure.

What does this mean in practice?

The new strategy clearly demonstrates that cybersecurity will remain one of the key areas of national development in the coming years. In practice, this means stronger regulation, increased importance of compliance requirements and a growing role of cooperation between the public and private sectors.

For us, the conclusion is equally clear – within the CyberSec Update series, there will be no shortage of topics to analyse and discuss for at least the next five years.