Digital Poland. From compliance to true resilience

Is Polish law keeping pace with digital threats? Monika Maćkowska-Morytz, Robert Brodzik, Natalia Kotłowska-Wochna and Konrad Grussy, co-authors of the Polish chapter of the international publication Cybersecurity 2026, published by International Comparative Legal Guides, are seeking answers to this question.

This comprehensive guide provides an overview of cybersecurity regulations in 21 legal systems around the world and offers a detailed roadmap to help companies, management boards and general counsels navigate the ever-changing regulatory environment. In this article, we explore what our experts have to say regarding Poland and its national regulations.

Focus on the sustainable resilience of organisations

The study’s main conclusion is that we need to change the way we think about cybersecurity, moving from a compliance-driven model to a resilience-driven one that focuses on building sustainable resilience within our organisations.

Being part of the EU legal ecosystem, Poland has a rigorous system of penalties for cybercrime, and the legislature sends a clear message that attacks on information are taken seriously.

It is therefore important to be aware that liability for such offences is extensive and that penalties may affect perpetrators regardless of their physical location if the consequences occurred in Poland (e.g. an attack on a bank account held with a Polish bank).

The most serious offences include:

  • Identity theft (impersonation), which involves using someone else’s details or image to cause financial losses or personal injury, punishable by up to 8 years’ imprisonment
  • Disrupting the operation of a system or network (DDoS attacks), which may result in a penalty of up to 5 years’ imprisonment
  • Data sabotage, which involves destroying, deleting, altering or obstructing access to data, and can result in a prison sentence of up to 5 years
  • Phishing and computer fraud, i.e. manipulating data processing for financial gain, punishable by 3 months’ to 5 years’ imprisonment
  • Hacking, i.e. gaining unauthorised access to information or a system, punishable by up to 2 years’ imprisonment

A regulatory revolution – NIS2, DORA and the new role of compliance

Until recently, the Polish cybersecurity framework was mainly based on the 2018 Act on the National Cybersecurity System (UKSC), but it is currently undergoing a thorough transformation due to new EU directives.

For businesses, this means implementing advanced procedures that extend beyond IT departments to encompass the core of risk management across the entire organisation.

The key changes and obligations include:

  • Implementation of the NIS2 Directive: amending the UKSC will significantly expand the list of entities covered by the regulations. The new provisions will raise security standards and impose stricter incident reporting requirements
  • The financial sector under the DORA umbrella: financial institutions must comply with uniform operational resilience standards, requiring them to implement detailed ICT risk management

The financial consequences can also be severe.

Administrative penalties under the GDPR can reach EUR 20 million or 4% of global turnover, and the upcoming implementation of NIS2 provides for sanctions of up to EUR 10 million or 2% of turnover.

The Personal Data Protection Office (UODO) is actively exercising its powers. In 2025, a single penalty exceeding PLN 27 million was imposed in a high-profile case.

Management Board in the spotlight – personal liability for cybersecurity

One of the report’s key findings is that responsibility is shifting towards corporate governance. This is because cybersecurity is no longer just a technical issue, but also a strategic and legal challenge.

From a management perspective, the most significant risks are:

  • The need to exercise due diligence – if omissions in the area of cybersecurity result in damage or loss due to a violation of legal or corporate obligations, Management Board members may be held liable in accordance with the Commercial Companies Code
  • Personal penalties – the draft amendment to the act transposing the NIS2 Directive would allow financial penalties for failure to comply with cybersecurity obligations to be imposed directly on Management Board members
  • No exemption from the duty of supervision – the managing body approves cyber risk management measures and supervises their implementation. Delegating operational activities does not relieve the Management Board from liability. The decisive factor is the ability to demonstrate due diligence

The boundaries of active defence

Companies are increasingly asking about the possibility of using offensive or active defence measures. However, Polish law clearly defines the boundaries in this area.

Permitted technical measures include:

  • Honeypots – these are legal as long as they are used for passive defence and gathering information about attacks rather than provoking offences
  • Sinkholes – redirecting malicious traffic (e.g. during a DDoS attack) is a standard and permitted defensive practice
  • Employee monitoring – employers may monitor work email to detect threats (e.g. phishing or data leaks), provided employees are informed in advance and the confidentiality of correspondence is respected

The future? Resilience and cooperation

Poland is moving towards a more comprehensive regulatory regime. In the digital market of 2026, the key to survival will be not only having the right certificates, but also the real ability to survive an attack and quickly resume normal operations (resilience).

It is essential to enhance the real-time exchange of threat information between the private sector, critical infrastructure and state institutions. Transparent cooperation in this area will enable an effective defence against increasingly sophisticated cybercriminal methods.

Read the full chapter on Poland in the Cybersecurity 2026 publication on the ICLG platform to find out more.

Contact us:

Natalia Kotłowska-Wochna

Attorney-at-Law / New Tech, IP, Trade & Logistics Practice Group / Head of New Tech M&A

+48 606 689 185

n.kotlowska@kochanski.pl

Monika Maćkowska-Morytz

Advocate / Partner / Head of the Personal Data Protection and Cyber Security Practice

+48 660 765 918

m.mackowska-morytz@kochanski.pl

Robert Brodzik

Advocate / Counsel / NewTech / Data Protection and Cybersecurity

+48 532 206 479

r.brodzik@kochanski.pl

Konrad Grussy

Advocate Trainee / Associate / NewTech / Data Protection and Cyber Security

+48 508 326 306

k.grussy@kochanski.pl