Poland tightens cybersecurity rules targeting non-NATO suppliers

by Chief Editor

Poland Tightens Cybersecurity, Raising Questions About EU Alignment and Economic Impact

Poland’s President Karol Nawrocki has signed into law a bill designed to bolster national cybersecurity, specifically targeting “high-risk” vendors – a move widely understood to include companies from non-NATO countries like China. The legislation, which implements an EU directive, has sparked debate over its potential economic consequences and its alignment with broader European policy.

A Response to Escalating Cyber Threats

The new law comes amid a dramatic increase in cyberattacks targeting Poland. Last year, the country experienced the highest number of attacks among EU member states, culminating in a near-blackout situation in late December following a significant attack on the power grid, which the government attributed to Russian sabotage. President Nawrocki emphasized that modern warfare often begins “with a click,” highlighting the need for strengthened digital defenses.

“Lex Huawei” and Concerns Over Economic Impact

While the law has cross-party support in parliament, it has drawn criticism from business groups concerned about the costs of compliance. The legislation creates a category of “high-risk” vendors, based on origin and control by non-NATO countries, who will be barred from supplying critical sectors. This has led to the informal designation of the law as “Lex Huawei,” with the Chinese telecommunications giant likely to be affected. Huawei has warned it may pursue arbitration if its economic interests are harmed.

Concerns extend beyond Huawei. Businesses argue that replacing existing equipment could be financially crippling, given the lack of adequate compensation or funding mechanisms. Eleven business organizations have voiced these concerns, arguing the law could violate constitutional protections regarding property rights.

Constitutional Review and Government Disagreement

President Nawrocki, despite signing the bill, has referred it to the Constitutional Tribunal (TK) for review, citing concerns about the financial burden on businesses and the scope of sectors covered – which he believes exceeds EU requirements. However, the current Polish government does not recognize rulings from the TK, deeming the body illegitimate due to past appointments. This creates a situation of legal uncertainty.

EU Directive and Broader Trends

The law is intended to implement the EU’s Network and Information Systems Directive 2 (NIS 2), which had a deadline of October 2024. This directive aims to strengthen cybersecurity across the EU, but implementation varies among member states. Poland’s approach, with its focus on excluding specific vendors, is more assertive than some other nations.

The legislation will cover sectors including wastewater, postal services, space, and chemical and food production. Companies will be required to report incidents, assess risks, and ensure management accountability. Existing users of products from high-risk vendors will have seven years to replace them.

Recent Presidential Actions

This decision follows President Nawrocki’s recent veto of a bill concerning the EU’s Digital Services Act, citing concerns about free speech. The government, however, argued that the veto jeopardized efforts to combat harmful online content.

Digital Affairs Minister Krzysztof Gawkowski welcomed the cybersecurity bill’s signing, calling it a “major step” towards greater security. He criticized the referral to the TK, suggesting it was influenced by “foreign lobbyists.”

Notes from Poland is run by a small editorial team and published by an independent, non-profit foundation that is funded through donations from our readers.