Not just NIS2, or the new cyber security certification regulations

Piotr Grzelczak

At the beginning of May 2025, a government bill on a national cyber security certification system was submitted to the Sejm. This is not only a response to European regulations (specifically EU Regulation 2019/881, the Cybersecurity Act), but also an opportunity to bring order to a market that today tends to be opaque and based on trust in "logos".

Why do we need a cyber security certification scheme?

To date, there has been no legislation in Poland that regulates cyber security certification. The market does offer the possibility of obtaining various types of cyber security certificates, but these are private certificates, where each owner of the "certification programme" sets its own rules. Without questioning the sense and merit of such certificates, it must be remembered that the lack of uniform certification rules and criteria may, at least in some cases, raise questions as to how much reliance can be placed on them. It is therefore welcome that there will soon be statutory provisions in this area.

What will change in practice?

The entry into force of the cyber security certification regulations will not mean that private certificates can no longer be issued. They will remain, and interested persons and entities will be able to continue issuing or applying for them. Alongside private certificates, however, there will be the additional possibility of certification by accredited bodies within the legal framework established by the state. Importantly, the new provisions do not impose any additional obligations on entities that are not interested in participating in the certification scheme.

What will the certification levels be?

Certificates can be granted under European certification schemes (currently the EUCC, the European Cybersecurity Scheme on Common Criteria, which applies to ICT products such as hardware or software; further schemes are under development for 5G and cloud services) and, in addition, under national certification schemes, which will be created by regulations issued by the minister responsible for IT. At the European level, a three-tier classification applies (assurance levels: basic, substantial and high), while at the national level the classification is to be single-tier.


European certification schemes cover ICT products, services and processes, and certificates issued under them are automatically recognised throughout the European Union.

National certification will be possible not only for ICT products, services and processes, but also for an entity's cyber security management system (as a whole) or for the professional qualifications of individuals.

What will the certification system look like?

The bill stipulates that the certification scheme will involve:

  • the minister responsible for IT (responsible, inter alia, for creating national schemes, supervision and control),
  • Polskie Centrum Akredytacji (responsible for granting accreditation to conformity assessment bodies),
  • conformity assessment bodies, i.e. certification bodies, which may include private companies,
  • entrepreneurs and individuals who wish to undergo certification.

When will the certification regulations come into force?

Although the draft law on the national cyber security certification system was ahead of the planned amendment to the law on the national cyber security system (implementing the NIS2 directive) in the legislative race, we will have to wait a while longer for its enactment. It has now been referred to parliamentary committees and must then go through the entire legislative procedure in the Sejm and the Senate. Realistically, the act should be adopted around the turn of Q2/Q3 2025.


Author: r.pr. Piotr Grzelczak, GFP_Legal Law Firm (Grzelczak Fogel and Partners sp.p.)
