An amendment to the Act on the National Cybersecurity System introduces a mechanism for formally designating so-called “high-risk suppliers”—manufacturers of hardware or software whose products may pose a threat to national security. The new regulations aim to protect critical systems and services, such as energy and water supplies, healthcare, and banking, from cyberattacks and foreign interference. The Minister for Digital Affairs will be empowered to issue a decision identifying a specific high-risk supplier in order to remove potentially dangerous equipment or software from systems crucial to the functioning of the state.
Under the draft law, entities classified as “key” or “important” will be legally required to phase out products originating from a designated high-risk supplier. They will have seven years to comply with this requirement, or four years if the equipment is used in critical functions of telecommunications networks. These timeframes reflect the lifecycle of devices and software, allowing for a gradual replacement without disrupting the continuity of services.
The goal of the new legislation is to enhance the cybersecurity of critical infrastructure and ensure that Polish regulations align with European standards. Until now, Poland lacked formal mechanisms to withdraw ICT products that pose a national security risk. The legal changes will enable preventive action—before an incident occurs—and strengthen the country’s resilience against cyber threats.
The introduction of the regulation is precautionary in nature and does not imply that decisions on high-risk suppliers will be issued immediately. In practice, the aim is to establish legal tools that allow action in the event of a potential threat. The Minister for Digital Affairs may initiate proceedings on their own initiative or upon request from the Chair of the Cybersecurity College, which will prepare an opinion on the relevant supplier.
The decision to classify a supplier as high-risk will result from a multi-stage and transparent process. The Cybersecurity College will assess, among other factors, potential threats to national security, Poland’s obligations to NATO and the European Union, as well as the ownership structure and connections of the company in question. Technical aspects such as the number and type of detected vulnerabilities, past cybersecurity incidents, product certifications, and oversight of the production and distribution process will also be analyzed.
The team preparing the opinion will include a representative from the Office of Competition and Consumer Protection to ensure principles of fair competition and equal treatment are respected. Social organizations will also be able to participate in the proceedings by presenting their views and recommendations. The supplier in question will have the right to submit evidence and explanations, and in the event of an adverse decision, to appeal to an administrative court.
The minister’s decision will apply to specific types of ICT products or services, not to a supplier’s entire portfolio. A supplier classified as high-risk will therefore not necessarily be excluded from the market entirely if some of its products do not pose a threat. This approach is intended to balance state security with the principles of free market competition.
Entities classified as key or important may continue using the high-risk products until they are phased out. During this period, they are allowed to modernize, update, or repair them, provided such actions do not increase network or service risk. In practice, this means the withdrawal process will be phased and aligned with each organization’s investment cycle.
The new regulations also include financial penalties for entities that fail to comply with the obligation to remove high-risk products. Key entities face a minimum fine of 20,000 PLN, while important entities may be fined at least 15,000 PLN. In cases where the violation poses a direct threat to public safety or human life, fines may reach as high as 100 million PLN.
Similar regulations already exist in most EU countries, and the Polish law aims to harmonize national solutions with European standards. Many EU member states have mechanisms to identify and exclude suppliers of equipment and software that may endanger public security. The Polish regulations draw on these experiences while taking into account domestic realities and the structure of the ICT sector.
The draft Act amending the national cybersecurity system and several other laws was approved by the Council of Ministers on October 21, 2025, and will soon be submitted to parliament. The regulations will take effect one month after publication in the Journal of Laws, and their implementation is expected to strengthen the protection of Poland’s critical infrastructure and improve digital security for all citizens. With these measures, Poland joins the ranks of countries that comprehensively protect their systems from cyber threats and hostile uses of technology.
Source: https://ceo.com.pl/polska-wprowadza-przepisy-o-dostawcach-wysokiego-ryzyka-39632