Publication date: September 16, 2025
Cybersecurity certifications for IT professionals (system and network administrators, security specialists, engineers and those aspiring to these roles) validate an individual's knowledge and practical skills in defending against digital threats. This article concerns a different kind of certification: the certification of ICT products, services and processes, which is meant to inform customers about the level of digital security a product or service offers and to support Polish companies competing in European markets.
On August 28, 2025, the Act of June 25, 2025, on the national cybersecurity certification scheme entered into force. It implements Regulation (EU) 2019/881 of the European Parliament and of the Council of April 17, 2019, on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification, and repealing Regulation (EU) No 526/2013 (the Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15, and OJ L 2025/37, 15.1.2025).
The Act defines the organization of the national cybersecurity certification scheme and the tasks and responsibilities of the entities participating in it. The new regulations allow for the issuance of European and national security certificates for products, services, systems, and processes related to information and communication technologies (ICT). This will confirm that a given product, service, or process meets specific data protection and cyberattack resistance standards.
Regulation 2019/881 aims to harmonize the issuance of cybersecurity certificates by introducing the possibility of creating European cybersecurity certification schemes, each with common procedures for obtaining a certificate. Certificates issued under such a scheme are recognized throughout the European Union, so a single certification is sufficient for the whole single market. Article 2, point 9 of Regulation 2019/881 defines a European cybersecurity certification scheme as such a comprehensive set of rules, technical requirements, standards and procedures established at Union level.
The European certification system is complemented by so-called national cybersecurity certification schemes, which cover areas not addressed by any European cybersecurity certification scheme. Regulation 2019/881 requires every European Union Member State to designate a national cybersecurity certification authority to supervise the market and monitor the correctness of certification activities. It is worth noting that the certification system as a whole remains based on market mechanisms: private entities will be able to issue certificates under a national cybersecurity certification scheme. The Polish Council of Ministers’ justification for the adopted law states that a market-opening solution was chosen, and that no single national conformity assessment body was designated to issue certificates at the ‘high’ assurance level, because the alternative could have created a barrier to the development of private conformity assessment bodies.
The change therefore consists in bringing the issuance of certificates under a common statutory framework and creating mechanisms for its supervision. More information about the European and national cybersecurity certification system, the relationship between European and national certificates, the framework of the national cybersecurity certification system, accreditation, conformity assessment, and the role of the minister as the national cybersecurity certification authority can be found here: https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/new-provisions-on-cybersecurity-certification-in-poland/
Are cybersecurity certificates mandatory and for whom?
Regulation 2019/881 stipulates that cybersecurity certification is voluntary unless EU or Member State law provides otherwise (Article 56, paragraph 2). In adopting the Act on the national cybersecurity certification scheme, the Polish legislator decided to preserve the voluntary nature of certification. The Council of Ministers’ justification for the adopted Act states that cybersecurity certification will be a completely voluntary process conducted on market principles, and that customers will be free to choose among the entities operating on the market. The Act creates a framework for certification without imposing any obligation on market participants. Anyone interested will therefore be able both to start a business in this field and to have their ICT product, ICT service, ICT process or managed security service certified, without being obliged to do so.
The same justification repeatedly stresses the voluntary nature of certification, which matters for two categories of entities: private entities will not be forced to join the system in any way, so the obligations arising from it will apply only to those who voluntarily submit to it. This applies both to conformity assessment bodies and to entities undergoing the certification process.
At the EU level there is currently no regulation that directly imposes a certification obligation, although in practice the picture is somewhat more complicated. Article 21 of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (the NIS2 Directive) introduces numerous cybersecurity risk management requirements that Member States must impose on so-called essential and important entities. Paragraph 5 of that article provides for Commission implementing acts specifying technical requirements for, among others, DNS service providers, TLD name registries, cloud computing service providers and the other entities listed there. Under Article 24 of NIS2, Member States may require essential and important entities to use specific ICT products, ICT services and ICT processes certified under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation 2019/881.
In Poland, the Act of 5 July 2018 on the National Cybersecurity System implements the provisions of the NIS1 and NIS2 Directives. Chapter 3 of that Act sets out the obligations of operators of essential services, which include, among others, implementing security measures, reporting incidents and auditing the security of their information systems. Digital service providers must fulfil similar obligations, regulated in Chapter 4. These obligations do not include a requirement to hold a European cybersecurity certificate, although NIS2 would permit such a requirement to be introduced. At the same time, obtaining an appropriate cybersecurity certificate may prove necessary, or at least useful, for operators of essential services in particular, but also for digital service providers: the numerous and costly requirements placed on operators of essential services could be eased by holding a cybersecurity certificate, for example by shortening the scope or cycle of the mandatory security audit.
The only European cybersecurity certification scheme adopted so far is the EUCC scheme (Commission Implementing Regulation (EU) 2024/482), which is based on the Common Criteria (ISO/IEC 15408). The requirements that European and Polish legislation impose on operators of essential services are largely grounded in widely used standards such as the aforementioned ISO/IEC 15408, ISO/IEC 27001 and ISO/IEC 27002. Building a sufficiently secure infrastructure in accordance with the most commonly used standards therefore calls for measures very similar, or even identical, to those needed to obtain a European cybersecurity certificate. Obtaining such a certificate may in turn bring benefits in the form of shortened procedures, such as security audits. The situation is similar for the NIS2 requirements mentioned above, such as those for DNS service providers[1], which are likewise largely based on the commonly used ISO/IEC standards.
Other EU legal acts also impose, or allow the imposition of, further cybersecurity requirements on particular economic sectors. One such act is Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (the DORA Regulation), which aims to increase the digital operational resilience of financial entities and regulates the provision of ICT services in the financial market. Given the clear trend towards ever more reporting, resilience testing and risk management requirements, European cybersecurity certificates may prove a very useful way of meeting these requirements with considerably less effort, although it should be noted that obtaining a certificate does not, by itself, create any automatic presumption of compliance with those acts.
It is worth emphasizing that, while cybersecurity certification is not currently mandatory, it may become a practical necessity in public procurement. A contracting authority is entitled to require a specific certificate in the procurement documents (the terms of reference). In principle such requirements must be proportionate and respect non-discrimination and equal treatment, so in most cases an equivalent means of demonstrating compliance should be accepted. Holding a certificate can therefore be useful in tenders both when the procurement documents name a specific cybersecurity certificate and when they merely reference standards such as the ISO/IEC series: as noted above, cybersecurity certificates are largely based on those standards, so a certificate serves as an equivalent means of demonstrating compliance with the requirements.
[1] Detailed requirements in this respect follow, among others, from Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers.