Poland’s cybersecurity debates intensify as new rules surface
In recent public discussions, a proposal from Digital Minister Krzysztof Gawkowski raises alarms about cybersecurity rules that would enable government action to protect online networks. A predecessor, Janusz Cieszyński of PiS, previously floated similar measures in 2021, ultimately withdrawing them. Both sets of proposals granted the minister authority to block internet connections. The cabinet is expected to decide on the final version of the National Cybersecurity System Act by the end of September, while public consultations are currently underway.
The Gaming Commission Act has occupied civil and political attention in Poland since 2020. It ties into an EU framework aimed at strengthening network security, including Toolbox 5G regulations and the NIS 2 directive. In 2021, Cieszyński proposed changes to existing cybersecurity rules that would allow the minister to block access to certain addresses or servers identified by IP. This interpretation would enable rapid responses to perceived threats.
One provision from 2021 suggested that in a critical incident, the minister responsible for automation could issue a safety order. A protection order would be issued by administrative decision for the duration of the incident coordination, not exceeding two years. The immediate enforceability of such orders would stand alongside plans to create a strategic security network and even consider a state owned 5G operator. The full package drew substantial criticism and was largely withdrawn in later years.
READ ALSO: President Duda: The security situation is difficult. Attacks in cyberspace are a real threat today
Following public debate, the government presented a revised project in 2023. The updated version limited the powers of the Government Plenipotentiary for Cyber Security to issuing alerts about critical incidents and offering guidance. It also required entities within the national cybersecurity system to incorporate these recommendations into risk management practices. The notion of a state controlled 5G network was dropped, and that element did not survive into the final draft.
Gawkowski’s echo of Cieszyński
Current Digital Affairs leadership led by Krzysztof Gawkowski appears to revive elements from Cieszyński’s earlier proposals. The draft law on the National Cybersecurity System, introduced on April 24 by the ministry, contains similar provisions. The minister could order the blocking of internet connections to specific URLs or IP addresses. The same draft also targets software distribution, including applications, with immediate potential impact on operations.
These points are noted in coverage by long time observer Łukasz Olejnik, who has tracked Gaming Commission regulation matters for years. The ongoing public consultations make the outline subject to change before final approval by the government, expected at the close of September. The draft would also extend the scope of the article on security and risk management, adding sections 67a through 67k. For example, one paragraph would empower the minister responsible for automation to classify a supplier of equipment or software as a risk supplier if that supplier presents a serious threat to defense, state security, public safety, or the lives and health of people.
There is a notable lack of broad media coverage about these upcoming rules, which could affect thousands of Polish companies and numerous network users who may be unaware of evolving obligations. The potential impact could arrive quickly for businesses operating online and for individuals who rely on digital services daily. Read the broader discussion and analysis in coverage by wPolityce [citation: wPolityce].
Source coverage and expert commentary emphasize caution as the outline moves through consultations. The evolving approach suggests more than a single legal change; it hints at a broader shift in how cybersecurity governance is framed within Poland’s digital landscape. Some observers worry about balancing security aims with the practical needs of firms and everyday internet users, while supporters argue that stronger safeguards are necessary in a rapidly changing threat environment. The final form of the act will determine how swiftly authorities can intervene in the network and how such powers interact with privacy safeguards and business operations. Additional context from coverage by wPolityce [citation: wPolityce].
koal/X
Source: wPolityce [citation: wPolityce]