
President Karol Nawrocki has signed into law a government bill tightening the national cybersecurity system by barring “high-risk” vendors – particularly from non-NATO countries such as China – from sectors of the economy deemed crucial to the functioning of the state.
The law, which implements a European Union directive and had cross-party backing, has sparked anger among some business groups, who say they will bear the costs of complying with the new rules.
Citing these concerns, Nawrocki referred the bill to the Constitutional Tribunal (TK) for review at the same time as signing it.
Nawrocki highlighted that digital security is now a component of a wider national defence, pointing to the “dramatically” growing number of cyberattacks Poland has faced.
“We live in an era where war does not always start with a gunshot; sometimes it starts with a click,” said the president. “This act strengthens defence mechanisms, improves institutional cooperation, and allows for the elimination of high-risk suppliers.”
Last year’s Microsoft Digital Defense Report found that Poland suffered the most cyberattacks amongst EU countries. Among recent incidents, Poland’s power grid was targeted in late December, with the government saying it left the country “very close to a blackout”.
The legislation in question was first discussed under the former national-conservative Law and Justice (PiS) government. After a new ruling coalition led by Prime Minister Donald Tusk came to power in 2023, work resumed and the bill was finally approved by parliament this year.
In a vote in the Sejm, the more powerful lower house of parliament, last month, 407 MPs voted in favour, with only ten – mostly from the far-right Confederation (Konfederacja) party – opposed.
All digital affairs ministers from the last decade, both from the current government and former PiS administration, urged the president, who is aligned with the right-wing opposition, to sign the bill, reports the Rzeczpospolita daily.
The government says the law responds both to the rising number of cyberattacks and to the need to implement the EU’s Network and Information Systems Directive 2 (NIS 2), which was meant to be done by October 2024.
The main change creates a category of “high-risk” vendors who will be barred from providing goods or services to sectors considered vital to the state. One criterion for such a designation is a supplier’s origin and whether it is controlled by a country outside NATO.
In media discussion, China’s telecommunications company Huawei has often been cited as a likely target of the rules, prompting the law to be informally dubbed “Lex Huawei”.
The company has voiced its opposition to the legislation. In a letter to Tusk and his ministers for foreign affairs, defence, digital affairs and finance, it warned that it reserved the right to arbitration if its economic interests were harmed by the changes.
The new rules will cover multiple sectors, including wastewater, postal services, space, and chemical and food production. Affected companies will have to follow stringent requirements, such as reporting incidents, assessing risks, and ensuring management accountability.
Once the law takes effect, state-critical entities that already use products from high-risk suppliers will be required to remove them within seven years.
The president expressed concern about this part of the bill, saying businesses were “obliged to replace hardware and software without compensation and without securing financial resources for this purpose” and that “the system of administrative penalties provided for in the bill is restrictive.”
Nawrocki was also sceptical about the fact that the law covers 18 economic sectors, which he says goes beyond EU rules. He therefore referred it to the TK, something representatives of 11 business organisations called on him to do in a letter earlier this month.
They argue that being forced to replace equipment, sometimes with costlier alternatives, threatens the competitiveness of Polish companies and amounts to what they called “expropriation”. This, they argued, violated constitutional protections against excessive and disproportionate interference with property rights.
Laws sent by the president to the TK after being signed are reviewed with no set deadline, and the legislation comes into force in the meantime. If and when it eventually rules, the TK can leave the law in force or strike it down in whole or in part.
However, the current government does not recognise or implement TK rulings, as it regards the body as illegitimate due to the presence of judges unlawfully appointed when PiS was in power.
Last month, Nawrocki vetoed a separate government bill intended to implement the EU’s Digital Services Act in Poland, saying it threatened free speech by letting officials remove online content. The government argued the law was needed to protect users from harmful content and disinformation.
The decision to sign the latest bill was welcomed by digital affairs minister Krzysztof Gawkowski, who called it “a major step towards greater security for Poland in cyberspace” by “providing concrete tools for protecting data, public services, and critical infrastructure”.
However, he also criticised the president’s referral of the bill to the TK, suggesting it was influenced by “the instigations of foreign lobbyists”.
“For many companies and institutions, this means living in constant uncertainty, having to postpone investments, and being prepared for various legal disputes. However, the state already knows how to cope with such destruction and will quickly and efficiently implement the new solutions provided by the KSC,” he said.
Alicja Ptak is deputy editor-in-chief of Notes from Poland and a multimedia journalist. She has written for Clean Energy Wire and The Times, and she hosts her own podcast, The Warsaw Wire, on Poland’s economy and energy sector. She previously worked for Reuters.
Posted by BubsyFanboy
!ping POLAND
**1. Why is this relevant for** r/neoliberal **?**
This is relevant to Poland, military affairs, cybersecurity and technology.
**2. What do you think people should discuss about it?**
I think people should discuss the old and new cybersecurity rules, the reasons for them and what this could mean in the military and diplomatically.
**2a. What do you think of the issue at hand?**
Of course the Polish public dubbed the ban lex Huawei…