Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

In the document issued by the Ministry of Digital Affairs entitled ‘Cybersecurity strategy of the Republic of Poland for 2017-2022’ constituting a national strategy in the field of cybersecurity of ICT systems (within the meaning of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union), particular attention was paid to the need to conduct regular audits and security tests to periodically assess the effectiveness of the implemented security management systems and the adequacy of the security features. The ‘Cybersecurity strategy’ also includes the announcement of legislative changes regulating the subject matter of methods and tools for carrying out such security audits, together with the announcement of the possibility of legally regulating bug-bounties (ie, a service consisting in the search for vulnerability to attacks of this software by persons not related to the manufacturer of computer software).

How does the government incentivise organisations to improve their cybersecurity?

Currently, there are no government initiatives aimed at organisations, private entities or entrepreneurs in the cybersecurity field in Poland going beyond the existing legal regulations.

The Polish Committee for Standardisation, a national budgetary body established to carry out tasks in the field of certification and standardisation, organises and conducts training, publishing, promotion and information activities in the field of standardisation and related areas - including ISO 27001 certification.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

One of the industries operating on the Polish market that has a dedicated code of conduct related to ensuring digital security is the telecommunication industry. The majority of Polish mobile operators have become signatories to the European Framework for Safer Mobile Use by Young Teenagers and Children.

The adopted code of conduct provides in particular for the promotion of safe use of mobile services by children and adolescents, access for parents and legal guardians to information on how children and adolescents can use mobile phones safely and on content dedicated to these age groups. Information about joining the European Framework for Safer Mobile Use by Young Teenagers and Children can be found on the mobile operator’s websites and under the link:

Are there generally recommended best practices and procedures for responding to breaches?

The adopted legislation imposes on operators of essential services the obligations related to incident reporting and handling, such as the obligation to identify the incident, register and classify the incident on the basis of the thresholds for recognising the incident as major and to report the major incident immediately, but no later than within 24 hours of its detection, to the relevant computer security incident response services team (CSIRT).

Incident reporting initiates further handling of the incident, in which the operator is obliged to cooperate with the relevant CSIRT and provide access to the necessary information concerning the incident.

The Act on the national cybersecurity system sanctioned functioning of previously existing entities involved in handling and responding to computer incidents at national level (according to the nomenclature adopted in Directive 2016/1148 - Computer Security Incident Response Teams). In Poland, these entities are the Computer Security Incident Response Team operating at the national level (CERT.GOV.PL) (CSIRT GOV), the Ministry of Defence Computer Emergency Response System (CSIRT MON) and the National Cybersecurity Centre (NC Cyber or CSIRT NASK).

Their task is to counter cyberthreats of a cross-sectoral and cross-border nature, to coordinate the handling of major, substantial and critical incidents, and to provide information about incidents, both within the network of government organisations related to cybersecurity and to the general public.

The Act on the national cybersecurity system also introduces two new entities involved in the coordination of activities concerning the provision of cybersecurity and ensuring the coordination of the implementation of tasks at the government level, which are the Government Plenipotentiary of Cybersecurity and Cybersecurity Court.

In addition, in accordance with the requirements of the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing of Directive 95/46/EC (General Data Protection Regulation), the Act on the national cybersecurity system sets out the rules for the processing of personal data as part of the functioning of the national cybersecurity system, including the processing of data on incidents.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

To date, there is no regulation covering the voluntary sharing of information on cybercrime. Law enforcement agencies have informed the public about the state of cybersecurity in Poland through the publication of annual reports.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The need for the government sector to cooperate with the private sector within the framework of ensuring cyberspace security was reflected in the provisions of ‘Cybersecurity strategy of the Republic of Poland for 2017-2022’. According to this document, the government is obliged to strive to build an effective system of public-private partnership, as well as to engage in existing and emerging forms of European public-private cooperation.

The above is to be implemented, inter alia, through active government support for research and development projects in the field of cybersecurity, including projects carried out in cooperation with private companies and research centres.


Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Insurance against cyber risks (also known commercially as cyberinsurance) is becoming more and more popular on the Polish market. The addressees of offers prepared by insurance companies are entrepreneurs operating on the Polish market, collecting, processing or transmitting any data. The scope of insurance normally covers three types of costs incurred in connection with a cyberattack, that is, (i) costs related to data recovery, purchase of software, deletion of malicious software, etc; (ii) additional costs such as legal defence costs, public relations costs, costs of external consultations; and (iii) civil liability.