President Karol Nawrocki’s signing of the amendment to the National Cybersecurity System (KSC) Act marks the moment when theoretical considerations about state resilience give way to hard legislative reality. This signals a fundamental reorientation of strategy in Polish companies, where cyber security is becoming an integral part of corporate governance. At the same time, the parallel referral of high-risk vendor regulations to the Constitutional Court introduces an element of strategic dualism that requires business leaders to be not only technologically proficient but also legally sophisticated.
Fundamental to the new regulation is the belief that digital security cannot have party colours. The implementation of the NIS2 Directive and the assumptions of the 5G Toolbox brings the Polish IT ecosystem into a framework of strict discipline, extending the protective umbrella to sectors that have hitherto operated outside the mainstream of digital supervision. Food production, water and sewage management, and postal services are becoming full participants in the system, which, from a business perspective, means that supply chains and incident management procedures need to be reviewed immediately.
The most intriguing aspect of the current situation, however, is the decision-making dualism that has played out in the Presidential Palace. Signing the bill while at the same time challenging the High Risk Vendor (HRV) legislation creates a state of limbo that can seem paralysing to many organisations. This mechanism, often referred to as a market sieve, is designed to weed out of key infrastructure those entities that may pose a threat to state interests. However, presidential concerns about interference with business freedom and the lack of compensation mechanisms for the forced dismantling of facilities act as an important safeguard for the market. While the direction of change is irrevocable, the final shape of infrastructure transformation costs may yet evolve.
From an operational perspective, the key challenge becomes the seven-year timeframe provided for phasing out solutions from vendors deemed risky. On the scale of the IT lifecycle, seven years seems like an eternity, but in the context of planning multi-million-dollar investments in critical infrastructure, the clock has started ticking loudly. Companies are faced with a dilemma: whether to continue working with existing partners, hoping for a favourable Constitutional Court ruling, or to pre-emptively turn towards suppliers with a lower political risk profile. A wait-and-see strategy, although tempting from the perspective of short-term cost optimisation, may prove risky in view of the severe penalties foreseen for non-compliance with the orders of the supervisory authorities.
It is worth noting that the KSC amendment introduces a new definition of responsibility for information security. Shifting the burden of decision-making onto the shoulders of unit managers and board members is a paradigm shift that ends the era of delegating digital risk solely to IT directors. The possibility of imposing personal liability, including financial and criminal sanctions, makes cyber security a permanent agenda item at company board meetings.
Expanding the competences of bodies such as the Minister of Digitalisation, the Financial Supervision Authority or the President of UKE equips the state with instruments of active control. The ability to issue binding warnings, appoint monitoring officers or order audits at the entrepreneur’s expense creates a new landscape of business-state relations. In this set-up, the S46 system and the newly established sectoral CSIRTs are intended to act as centres of support and knowledge exchange, which should in theory increase the overall resilience of the market. However, for businesses, this also implies the need to build internal structures capable of working seamlessly with these bodies on a near real-time basis.
The financial dimension of the new regulation is merciless. Penalties amounting to millions of euros or a percentage of global revenues are intended to act as a deterrent, but they also pose a real risk to the liquidity of entities that disregard the new obligations. Daily penalties for late compliance with protective orders can be particularly severe. In this context, investments in cyber security should today be interpreted as an insurance policy for continued market presence.
Summarising the current status, it should be emphasised that the signature of the KSC amendment definitively closes the time of discussion on the legitimacy of tightening digital rigour. The Polish economy is entering a phase of technological maturity, where trust in IT systems is as important as the stability of the currency or the transparency of tax law. While the referral of HRV regulations for follow-up scrutiny introduces a degree of uncertainty, it should not dull the vigilance of business leaders. True organisational resilience is not born in the courtroom, but in the process of diligently identifying vulnerabilities and building a security culture that goes beyond the minimum statutory requirements.
The current situation requires business to adopt an attitude of cyber-realism. It involves accepting that technology today is inextricably linked to geopolitics and that IT purchasing decisions are strategic state choices.
For the IT market, on the other hand, the amendment represents a powerful modernisation impulse, shifting the centre of gravity from the simple sale of technical solutions towards comprehensive strategic consultancy and advanced risk management. The sector is faced with the need to redefine existing cooperation models, in which the criterion of price is finally giving way to security approvals and full transparency of the supply chain. At the same time, the continuing uncertainty around the status of high-risk providers may paradoxically energise the segment of cloud services and hybrid solutions, seen as a safer alternative to rigid, physical infrastructure, whose future remains hostage to court rulings. In the longer term, the bill’s signature cements the position of specialised integrators as key architects of business resilience.

