University of Warsaw Hack Exposes Cyber Gaps in Polish Academia

The hacker attack on the University of Warsaw is a signal that the digital infrastructure of Polish universities and research institutes has become a real arena of threats. The response is the amendment to the Act on the National Cybersecurity System, adopted on 29 January and developed in cooperation with the academic community. The new regulations are now awaiting the President’s signature.

Universities and research institutes are today an integral part of the digital infrastructure. They process personal, research and technological data, carry out international projects, and educate nearly 1.3 million students. At the same time, the level of cybersecurity in Polish science has for years remained highly uneven—ranging from very high, typical of the best technical universities, to worryingly low at some universities and vocational higher-education institutions.

Flaws of the old model

Although regulations requiring the protection of ICT systems have been in force for years—including those stemming from the National Interoperability Framework—in practice there was a lack of uniform oversight, clear standards, and effective mechanisms for enforcing obligations. Moreover, despite the growing scale of threats, cybersecurity was not treated as a top-priority task.

That now has a chance to change thanks to the amendment to the Act on the National Cybersecurity System adopted on 29 January. It aligns cybersecurity requirements with the actual level of risk. In practice, this means differentiating obligations for universities and institutes.

The strictest requirements apply to specific systems and processes related to applied research and development work. Other areas of university and institute activity are covered by less stringent—though still high—standards.

This solution makes it possible to effectively protect those elements of the research and higher-education system that are genuinely strategic, without paralysing the day-to-day functioning of universities.

A new model: responsibility and oversight

A key change concerns the clear allocation of responsibility. The amended act explicitly assigns cybersecurity duties to research entities, university rectors and institute directors. It also grants the Minister of Science and Higher Education a range of powers and obligations related to supervision and inspection. Importantly, the system is not limited to sanctions: it provides for funding for cybersecurity in science and the establishment of CSIRT Science.

“Thanks to these solutions, cybersecurity ceases to be merely a technical issue. It becomes an element of governance and institutional responsibility. Universities and institutes must know how they are expected to act in this area. The amendment to the National Cybersecurity System Act brings concrete solutions,” says Dr. habil. Dariusz Szostek, Professor at the University of Silesia, Chair of the KRASP Cybersecurity Team.

Co-creating standards instead of top-down regulation

The new approach to cybersecurity in science is the result of cooperation between public authorities and the academic community. The amended provisions of the Act on the National Cybersecurity System take into account both EU legal requirements and the realities of how Polish universities and institutes operate.

“This is an example of regulation that combines state security with respect for academic autonomy. Thanks to an open discussion during the legislative process, standards were developed that are risk-adequate, proportionate and feasible to implement,” concludes Prof. Bogumiła Kaniewska, Chair of KRASP.

“These are solutions the science and higher-education sector needs. Cybersecurity in this sector is our shared responsibility—of universities and institutes, as well as public authorities. On behalf of the entire academic community, I appeal to the President to sign the amendment to the Act on the National Cybersecurity System,” adds the Chair of KRASP.

The hacker attack on the University of Warsaw

After receiving information about an ongoing malware campaign, the University of Warsaw’s Information Security Team immediately began verifying the university’s ICT environment.

As a result of the analyses conducted, the presence of malware was confirmed. It was established that the incident took place in January 2026. A workstation from which the malware was introduced into the university’s environment was also identified.

According to the University of Warsaw, a detailed technical and legal analysis is ongoing. So far, the findings do not indicate any unauthorized access to personal data.
