Poland Tightens Cyber Rules, Allocates €700 Million for Cyber Shield
President Nawrocki has signed an amendment to the National Cybersecurity System Act, implementing the NIS2 directive and banning suppliers from outside NATO from strategic sectors. The €700 million cyber shield program is a response to a record wave of cyberattacks attributed to Russia.
Act Signed – But With Reservations
President Karol Nawrocki signed the amendment to the National Cybersecurity System (KSC) Act on February 19, 2026, implementing the EU's NIS2 directive. Poland is one of the last European Union countries to complete this process – the implementation deadline expired in October 2024, over 15 months ago. Significantly, Nawrocki simultaneously referred the act to the Constitutional Tribunal, raising concerns about its scope.
Ban on Suppliers From Outside NATO
A key change is the introduction of the category of "high-risk suppliers" – entities that may be excluded from supplying products and services to strategic sectors. The main criterion is the supplier's connection to a country outside NATO or the European Union. In public debate, Chinese telecommunications companies, especially Huawei, are considered the main target of the regulation – hence the unofficial name Lex Huawei.
The regulations cover 18 sectors of the economy, including water and sewage management, postal services, space, and chemical and food production. Entities already using equipment from high-risk suppliers have seven years to replace it. The new regulations also impose an obligation to report incidents, conduct risk assessments, and ensure management accountability for cybersecurity.
Cyber Shield Worth €700 Million
The new regulations are part of a broader "cyber shield" program – an investment package worth €700 million, designed to strengthen Poland's resilience to digital attacks. In 2026, the cybersecurity budget increased to a record €1 billion, compared to €600 million the previous year. The program includes the modernization of protection systems, regular security audits, and the construction of sectoral incident response centers (CSIRTs).
Record Wave of Attacks Attributed to Russia
The impetus for tightening the law is the unprecedented scale of cyberattacks targeting Poland. According to Microsoft's Digital Defense Report, Poland is the country most frequently targeted by cyberattacks in the European Union. In 2024, the public sector recorded an average of over 2,000 attacks per month.
In December 2025, Poland repelled one of the most serious attacks in recent years – hackers attempted to disrupt the operation of two combined heat and power plants and wind farms, threatening heating for up to 500,000 people in the middle of winter. Prime Minister Donald Tusk praised the services for their effective defense, emphasizing that "everything indicates the involvement of groups linked to Russian security services." Deputy Prime Minister Krzysztof Gawkowski estimates that Poland repels between 20 and 50 attempts to damage critical infrastructure every day.
Business Protests, Constitutional Tribunal to Decide
The act is not without controversy. Eleven business organizations called on the president to refer the law to the Constitutional Tribunal, arguing that the mandatory replacement of equipment without compensation violates constitutional property rights and threatens the competitiveness of Polish companies. Nawrocki fulfilled this request, referring the act to the Constitutional Tribunal simultaneously with its signing.
Poland on the Digital Front Line
"Wars do not always start with a shot – sometimes they start with a click," President Nawrocki emphasized. These words reflect Warsaw's new security doctrine: cyberspace has become a full-fledged dimension of conflict. Poland, which borders Belarus and is a key ally of Ukraine, is now on Europe's digital front line – and intends to defend it at all costs.